# AWS Secrets & Parameters – Dev Cheat Sheet
Quick reference for the main AWS Secrets Manager secrets and SSM Parameter Store parameters used by this repo, plus common ways to consume them.
Unless otherwise noted, names below are for prod. For non-prod, swap the `prod` / `/prod` prefix for the environment name (e.g. `dev`, `staging`).
## High-level rules
- Prefer environment variables in ECS tasks over calling AWS APIs directly.
- Secrets live in AWS Secrets Manager; config-ish values often live in SSM Parameter Store.
- Naming conventions:
  - Secrets: `${environment}/service/thing` (example: `prod/backstage/database-url`)
  - SSM params: `/${environment}/namespace/resource` (example: `/prod/blog-data/buckets/cache`)
## Key Secrets Manager entries

| Secret name (prod) | What it is | How you use it (most common) |
|---|---|---|
| `prod/db/admin` | Aurora admin creds (username/password JSON) | One-offs / tooling that need full DB admin |
| `prod/backstage/db` | Backstage DB creds (JSON) | Backstage DB bootstrap task via `BACKSTAGE_DB_SECRET_JSON` |
| `prod/backstage/database-url` | Backstage DB URL (Postgres) | Backstage ECS via `BACKSTAGE_DATABASE_URL` |
| `prod/backstage/session-secret` | Backstage auth session secret | Backstage ECS via `AUTH_SESSION_SECRET` |
| `prod/github/pat/blog_data_ci` | GitHub PAT shared by Backstage & Prefect deployer | Backstage `GITHUB_TOKEN`; Prefect deployer via secret-name var |
| `prod/circleci/pat/backstage` | CircleCI PAT used by Backstage | Backstage ECS via `CIRCLECI_AUTH_TOKEN` |
| `prod/prefect/database-url` | Prefect API DB URL (Postgres) | Prefect API ECS via `PREFECT_API_DATABASE_CONNECTION_URL` |
| `prod/prefect/api-auth` | Prefect API auth token/creds for workers & CI | Workers / CI when calling Prefect API |
| `prod/kinde/client-secret-2pS4d3` | Kinde OIDC client secret used by ALB | ALB OIDC auth for Backstage & Prefect |
| `blog-data/neo4j/credentials` | Neo4j URI + creds | Prefect flows, web app (via config) |
| `blog-data/cloudinary/credentials` | Cloudinary cloud name + key + secret | Prefect flows, web app image handling |
## Key SSM Parameter Store entries

| Param name (prod) | What it is / example value | Who/what reads it |
|---|---|---|
| `/prod/shared/cf_alb_secret` | SecureString shared header for CloudFront → ALB | ALB module / listener rules |
| `/prod/blog-data/buckets/cache` | S3 bucket name for blog-data cache layer | Prefect flows/tools → `BLOG_DATA_BUCKET_CACHE` |
| `/prod/blog-data/buckets/raw` | S3 bucket name for blog-data raw layer | Prefect flows → `BLOG_DATA_BUCKET_RAW` |
| `/prod/blog-data/buckets/clean` | S3 bucket name for blog-data clean layer | Prefect flows → `BLOG_DATA_BUCKET_CLEAN` |
| `/prod/blog-data/buckets/design-files` | S3 bucket for design files layer | ORK processor lambda, tools |
| `/prod/infra/park_mode` | `parked` / `unparked` | CircleCI Terraform workflows |
| `/prod/infra/database_restore_mode` | `from_final_snapshot` / `clean` | CircleCI Terraform workflows |
| `/prod/prefect/deployer/cluster_arn` | ECS cluster ARN for Prefect deployer | CI / scripts that run deployer task |
| `/prod/prefect/deployer/task_definition_arn` | ECS task definition ARN for Prefect deployer | CI / scripts that run deployer task |
| `/prod/prefect/deployer/subnet_ids` | Comma-separated private subnet IDs | CI / scripts that run deployer task |
| `/prod/prefect/deployer/security_group_id` | Security group ID | CI / scripts that run deployer task |
## How to consume these (fast examples)

### Inside ECS tasks (preferred)

Use env vars wired by Terraform instead of calling AWS directly.

```python
# Python (e.g. a Prefect flow): the task definition injects the value at start-up
import os

backstage_db_url = os.environ["BACKSTAGE_DATABASE_URL"]
```

```javascript
// Node (e.g. Backstage): fail fast if the variable was not wired in
const token = process.env.GITHUB_TOKEN
if (!token) throw new Error('GITHUB_TOKEN not set')
```
### From your terminal (AWS CLI)

```bash
# SSM: plain String
aws ssm get-parameter \
  --name "/prod/infra/park_mode" \
  --query 'Parameter.Value' --output text

# SSM: SecureString
aws ssm get-parameter \
  --name "/prod/shared/cf_alb_secret" \
  --with-decryption \
  --query 'Parameter.Value' --output text

# Secrets Manager: JSON secret
aws secretsmanager get-secret-value \
  --secret-id "prod/db/admin" \
  --query SecretString --output text | jq .username
```
### From Python using boto3

```python
import boto3, json

ssm = boto3.client("ssm")
park_mode = ssm.get_parameter(
    Name="/prod/infra/park_mode",
    WithDecryption=False,
)["Parameter"]["Value"]

secrets = boto3.client("secretsmanager")
creds = json.loads(
    secrets.get_secret_value(SecretId="prod/db/admin")["SecretString"]
)
username = creds["username"]
password = creds["password"]
```
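The snippets above each show one lookup path in isolation. The helper below, an added example that is not code from this repo, ties the naming convention from "High-level rules" (swapping the `prod` / `/prod` prefix for another environment) to the three consumption paths in this section, in the order the sheet recommends: Terraform-wired env var first, then Secrets Manager or SSM. The function names (`for_environment`, `resolve`), the `StubSecrets` / `StubSsm` classes and the sample values are my own; the stubs expose only the `get_secret_value` / `get_parameter` call shapes used above, so the helper runs offline here and against real `boto3` clients in an ECS task or CI job.

```python
"""Resolve repo secrets/parameters: env var first, then Secrets Manager or SSM.

Added example for this cheat sheet, not repo code. boto3 is deliberately not
imported: the clients are injected, so the same helper runs against real
boto3 clients in ECS/CI and against the offline stubs at the bottom.
"""
import json
import os
from typing import Any, Mapping, Optional


def for_environment(name: str, env: str, source_env: str = "prod") -> str:
    """Swap the environment prefix of a secret name or an SSM path.

    Handles both conventions on the sheet: 'prod/backstage/database-url' and
    '/prod/blog-data/buckets/cache'. Names without an environment prefix
    (e.g. 'blog-data/neo4j/credentials') are returned unchanged, not guessed at.
    """
    if name.startswith(f"/{source_env}/"):
        return f"/{env}/" + name[len(f"/{source_env}/"):]
    if name.startswith(f"{source_env}/"):
        return f"{env}/" + name[len(f"{source_env}/"):]
    return name


def _maybe_json(raw: str) -> Any:
    """Parse JSON secrets (e.g. prod/db/admin) into a dict; leave plain strings alone."""
    try:
        parsed = json.loads(raw)
    except ValueError:
        return raw
    return parsed if isinstance(parsed, dict) else raw


def resolve(name: str, env_var: Optional[str] = None, *, secrets=None, ssm=None,
            environ: Optional[Mapping[str, str]] = None) -> Any:
    """Return the value behind `name`.

    1. If `env_var` is present in the environment (how Terraform wires ECS
       tasks), use it and make no AWS call at all.
    2. Names starting with '/' are SSM parameters. WithDecryption=True is always
       passed: SecureStrings need it and AWS ignores it for plain Strings.
    3. Anything else is a Secrets Manager secret; JSON payloads come back as a dict.
    """
    env = os.environ if environ is None else environ
    if env_var and env_var in env:
        return _maybe_json(env[env_var])
    if name.startswith("/"):
        if ssm is None:
            raise LookupError(f"{name}: not in environment and no SSM client supplied")
        return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    if secrets is None:
        raise LookupError(f"{name}: not in environment and no Secrets Manager client supplied")
    return _maybe_json(secrets.get_secret_value(SecretId=name)["SecretString"])


class StubSecrets:
    """Constructed offline stand-in for boto3.client('secretsmanager')."""
    def __init__(self, store: Mapping[str, str]):
        self.store, self.calls = store, 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": self.store[SecretId]}


class StubSsm:
    """Constructed offline stand-in for boto3.client('ssm')."""
    def __init__(self, store: Mapping[str, str]):
        self.store, self.calls = store, 0

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        self.calls += 1
        return {"Parameter": {"Value": self.store[Name]}}


# Constructed sample data for the dev environment; placeholders, not real credentials.
SAMPLE_SECRET_STORE = {
    "dev/db/admin": '{"username": "admin", "password": "PLACEHOLDER"}',
    "dev/backstage/database-url": "postgresql://backstage:PLACEHOLDER@db.example.internal:5432/backstage",
}
SAMPLE_PARAM_STORE = {"/dev/infra/park_mode": "unparked"}


def demo(environ: Optional[Mapping[str, str]] = None) -> dict:
    """Exercise all three lookup paths against the stubs and report the AWS call counts."""
    secrets, ssm = StubSecrets(SAMPLE_SECRET_STORE), StubSsm(SAMPLE_PARAM_STORE)
    environ = {} if environ is None else environ
    creds = resolve(for_environment("prod/db/admin", "dev"), secrets=secrets, environ=environ)
    url = resolve(for_environment("prod/backstage/database-url", "dev"),
                  "BACKSTAGE_DATABASE_URL", secrets=secrets, environ=environ)
    park_mode = resolve(for_environment("/prod/infra/park_mode", "dev"), ssm=ssm, environ=environ)
    return {"username": creds["username"], "database_url": url, "park_mode": park_mode,
            "secrets_calls": secrets.calls, "ssm_calls": ssm.calls}


if __name__ == "__main__":
    # Print only non-sensitive fields; never log passwords or connection strings.
    print({k: v for k, v in demo().items() if k != "database_url"})
```

Inside an ECS task, pass `"BACKSTAGE_DATABASE_URL"` as `env_var` and the helper never touches the AWS API, which is the behaviour the "preferred" rule above is after; running `demo({"BACKSTAGE_DATABASE_URL": "..."})` shows the Secrets Manager call count drop from two to one for exactly that reason.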