4. System Components

RFC-SECOPS-0002                                                   Section 4
Category: Standards Track                              System Components

4.1 Component Taxonomy

The interim architecture consists of four components:

Component                  | Type                | Location
---------------------------+---------------------+---------------------------
AWS Secrets Manager        | Managed Service     | AWS Cloud
AWS IAM                    | Managed Service     | AWS Cloud
Secret Config Module       | Application Library | Per-application codebase
Secrets Inventory Manifest | Configuration File  | Git repository
AWS SDK                    | Library Dependency  | Per-application runtime

4.2 Component Responsibilities

4.2.1 AWS Secrets Manager

Aspect         | Description
---------------+------------------------------------------------------------------
Responsibility | Stores and serves secret values; encrypts at rest using AWS KMS-managed keys
Inputs         | Secret name and value (via CreateSecret/PutSecretValue); secret name (via GetSecretValue)
Outputs        | Secret value (plaintext to the caller, protected in transit by TLS)
Dependencies   | AWS IAM (authorization)
Failure Mode   | Service unavailability returns API errors; secrets are inaccessible
Recovery       | Automatic on AWS service restoration; no operator action required

AWS Secrets Manager is the sole authoritative store for all platform secret values during the interim period (Invariant 1).


4.2.2 AWS IAM

Aspect         | Description
---------------+------------------------------------------------------------------
Responsibility | Authenticates on-premises servers and authorizes access to specific secrets
Inputs         | IAM user credentials (access key ID + secret access key) or IAM role assumption
Outputs        | Authorization decisions (allow/deny) for Secrets Manager API calls
Dependencies   | IAM policy and Secrets Manager resource policy definitions
Failure Mode   | Authentication failure prevents all secret access for the affected principal
Recovery       | Verify credentials, check IAM policy attachments, rotate if compromised

Security principals MUST be scoped per-application. Each application MUST have its own IAM principal, and access SHOULD be granted using IAM policies scoped to per-application secret name prefixes.

Access Control Model:

AWS Secrets Manager supports two authorization mechanisms. Identity-based IAM policies are RECOMMENDED; resource-based policies are noted for reference.

Mechanism                         | Scope Granularity                                 | Recommended
----------------------------------+---------------------------------------------------+------------
Identity-based IAM policies       | User/role/group; can scope to secret ARN patterns | YES
Secrets Manager resource policies | Per-secret policy; supports cross-account access  | Conditional

IAM Scoping for Least Privilege:

IAM policies are assigned using ARNs, not data-plane URLs. The minimum recommended scope for per-application isolation is a secret name prefix:

arn:aws:secretsmanager:{region}:{account-id}:secret:platform-data/*

The RECOMMENDED permission set for application principals includes secretsmanager:GetSecretValue (read secret contents, no management permissions).

Important: AWS IAM supports wildcard ARN matching for secret name prefixes within a single account. The platform-data/ and platform-config/ naming convention provides logical grouping and enables prefix-scoped access within a shared account.
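
The scoping rules above, as an added example that is not part of this RFC: a helper that emits the RECOMMENDED read-only, prefix-scoped identity policy for one application principal, and a linter that rejects a candidate policy carrying management actions, a bare `*` resource, or an ARN outside the platform-data/ and platform-config/ prefixes. The function names, the region and the 12-digit account id are assumptions.

```python
import re

PLATFORM_PREFIXES = ("platform-data/", "platform-config/")
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}  # read-only, no management actions
ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:(?P<name>.+)$"
)

def application_policy(region: str, account_id: str, prefix: str) -> dict:
    """Identity-based policy granting GetSecretValue under one secret name prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{prefix}*",
        }],
    }

def policy_violations(policy: dict) -> list:
    """Reasons a candidate policy breaks the 4.2.2 scoping rules; empty list means it passes."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = st.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a not in ALLOWED_ACTIONS:
                problems.append(f"statement {i}: action {a!r} is not read-only")
        resources = st.get("Resource", [])
        for r in [resources] if isinstance(resources, str) else resources:
            m = ARN_RE.match(r)
            if not m:
                problems.append(f"statement {i}: resource {r!r} is not a Secrets Manager ARN")
            elif not m.group("name").startswith(PLATFORM_PREFIXES):
                problems.append(f"statement {i}: resource {r!r} is not prefix-scoped")
    return problems
```

Running `policy_violations` over every application policy in CI before attachment catches an over-broad `secretsmanager:*` or `Resource: "*"` before it reaches an IAM principal.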


4.2.3 Secret Config Module

Aspect         | Description
---------------+------------------------------------------------------------------
Responsibility | Provides a centralized interface for application code to retrieve secrets
Inputs         | Secret name (using platform naming convention)
Outputs        | Secret value (string or structured data)
Dependencies   | AWS SDK, IAM credentials available in the runtime environment
Failure Mode   | Propagates SDK errors to the calling application; fails loudly on missing secrets
Recovery       | Application-specific (retry, fail startup, degrade gracefully)

The Secret Config Module is the only component in each application that directly calls the AWS SDK for secret retrieval (Invariant 4).

Design constraints for this module:

Constraint                                 | Rationale
-------------------------------------------+------------------------------------------------------------
Single module per application              | Limits migration blast radius
Abstracts AWS SDK behind an interface      | Enables replacement with Vault/ESO client during migration
Fails loudly on missing secrets            | Prevents silent misconfiguration
Caches secrets in memory after retrieval   | Reduces API calls and latency
Does not persist secrets to disk           | Prevents local secret accumulation
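
An added illustration of the module described in this section (not the project's own code): the AWS SDK sits behind a small backend interface so a Vault or ESO client can replace it, values are cached in process memory only, and a missing secret raises rather than returning a default. The class names, the boto3 adapter and the in-memory test backend are assumptions.

```python
import json
from typing import Dict, Optional, Protocol

PLATFORM_PREFIXES = ("platform-data/", "platform-config/")

class SecretNotFound(RuntimeError):
    """Missing secret: raised so startup fails loudly instead of running misconfigured."""

class SecretBackend(Protocol):
    # The only interface the module depends on; the SDK adapter and a Vault client both fit it
    def fetch(self, name: str) -> Optional[str]: ...

class SecretsManagerBackend:
    """Adapter over boto3: the only place in the application that touches the AWS SDK."""
    def __init__(self, region: str):
        import boto3  # lazy import so the module loads without the SDK (not exercised here)
        self._client = boto3.client("secretsmanager", region_name=region)

    def fetch(self, name: str) -> Optional[str]:
        try:
            return self._client.get_secret_value(SecretId=name)["SecretString"]
        except self._client.exceptions.ResourceNotFoundException:
            return None

class SecretConfig:
    """Single per-application entry point; swap the backend to migrate off AWS."""
    def __init__(self, backend: SecretBackend):
        self._backend = backend
        self._cache: Dict[str, str] = {}  # process memory only, never written to disk

    def get(self, name: str) -> str:
        if not name.startswith(PLATFORM_PREFIXES):
            raise ValueError(f"{name!r} does not follow the platform naming convention")
        if name not in self._cache:
            value = self._backend.fetch(name)
            if value is None:
                raise SecretNotFound(name)
            self._cache[name] = value
        return self._cache[name]

    def get_json(self, name: str) -> dict:
        return json.loads(self.get(name))  # for secrets stored as a JSON object

class DictBackend:
    # Constructed in-memory backend for tests and local development; counts SDK-equivalent calls
    def __init__(self, values: Dict[str, str]):
        self.values, self.calls = values, 0

    def fetch(self, name: str) -> Optional[str]:
        self.calls += 1
        return self.values.get(name)
```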

4.2.4 Secrets Inventory Manifest

Aspect         | Description
---------------+------------------------------------------------------------------
Responsibility | Documents all secrets stored in AWS Secrets Manager (metadata only)
Inputs         | Operator updates when secrets are created, modified, or deleted
Outputs        | A machine-readable and human-readable inventory of platform secrets
Dependencies   | Git repository access
Failure Mode   | Drift from actual Secrets Manager state (inventory says secret exists but it does not, or vice versa)
Recovery       | Periodic reconciliation by operators

The manifest follows this structure:

secrets:
  - name: platform-data/postgres/my-app
    description: PostgreSQL credentials for my-app
    consumers:
      - my-app
    rotation: manual
    created: 2026-02-17
    notes: "Primary database credentials"

  - name: platform-config/redis/shared
    description: Redis connection parameters
    consumers:
      - my-app
      - other-service
    rotation: none
    created: 2026-02-17
    notes: "Non-sensitive connection configuration"

The manifest MUST NOT contain secret values (Invariant 3).


4.2.5 AWS SDK

Aspect         | Description
---------------+------------------------------------------------------------------
Responsibility | Provides the programmatic interface to AWS Secrets Manager
Inputs         | API calls from the Secret Config Module
Outputs        | Secret values retrieved from AWS Secrets Manager
Dependencies   | IAM credentials in the runtime environment, network access to AWS endpoints
Failure Mode   | Network errors, authentication failures, throttling
Recovery       | Built-in retry logic (exponential backoff); application-level error handling

The AWS SDK is a transitive dependency consumed only through the Secret Config Module. Application code MUST NOT import or call the AWS SDK directly for secret retrieval.


4.3 Component Interaction Model

Interaction                         | Protocol                 | Direction
------------------------------------+--------------------------+-----------------------
Application → Secret Config Module  | In-process function call | Synchronous
Secret Config Module → AWS SDK      | In-process function call | Synchronous
AWS SDK → AWS IAM                   | HTTPS/TLS                | Request-response
AWS IAM → AWS Secrets Manager       | Internal AWS             | Request-response
Operator → secrets-inventory.yaml   | Git commit               | Asynchronous (manual)

4.4 Failure and Recovery Scenarios

4.4.1 Application Cannot Retrieve Secret at Startup

Aspect     | Description
-----------+----------------------------------------------------------------------
Cause      | Network failure, IAM misconfiguration, secret does not exist
Symptom    | Application fails to start; Secret Config Module reports error
Resolution | Verify network connectivity to AWS, check IAM credentials and policy attachments, verify secret exists in Secrets Manager
Prevention | Pre-deployment validation against secrets-inventory.yaml

4.4.2 IAM Credentials Expired or Rotated

Aspect     | Description
-----------+----------------------------------------------------------------------
Cause      | IAM access key rotated without updating server configuration
Symptom    | All secret retrievals fail with authentication errors
Resolution | Update IAM credentials on the affected server(s)
Prevention | Document credential locations and rotation procedures

4.4.3 Secret Deleted From Secrets Manager But Still in Inventory

Aspect     | Description
-----------+----------------------------------------------------------------------
Cause      | Operator deleted secret from Secrets Manager without updating manifest
Symptom    | Applications fail to retrieve the secret; inventory shows it as existing
Resolution | Either recreate the secret in Secrets Manager or remove from inventory
Prevention | Operational discipline; periodic reconciliation

4.4.4 Secret Exists in Secrets Manager But Not in Inventory

Aspect     | Description
-----------+----------------------------------------------------------------------
Cause      | Operator created secret in Secrets Manager without updating manifest
Symptom    | No immediate application impact; reduced operational visibility
Resolution | Add the secret to secrets-inventory.yaml
Prevention | Operational discipline; periodic reconciliation
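
The periodic reconciliation named in 4.2.4 and in scenarios 4.4.3 and 4.4.4, as an added example that is not part of this RFC: a manifest check that enforces Invariant 3 (metadata-only entries under the platform prefixes) and a drift report in both directions between secrets-inventory.yaml and the names Secrets Manager actually holds. The inventory entries and the live name list are constructed inline; in production the entries come from yaml.safe_load() and the names from the boto3 list_secrets paginator. Function names are assumptions.

```python
from typing import Dict, Iterable, List, Set

ALLOWED_KEYS = {"name", "description", "consumers", "rotation", "created", "notes"}
PLATFORM_PREFIXES = ("platform-data/", "platform-config/")

def validate_manifest(entries: List[Dict]) -> List[str]:
    """Flag entries carrying anything beyond metadata (Invariant 3) or breaking the naming rule."""
    errors: List[str] = []
    seen: Set[str] = set()
    for e in entries:
        name = str(e.get("name", "<unnamed>"))
        extra = set(e) - ALLOWED_KEYS
        if extra:  # a stray 'value' or 'password' key would put a secret into git
            errors.append(f"{name}: unexpected keys {sorted(extra)}")
        if not name.startswith(PLATFORM_PREFIXES):
            errors.append(f"{name}: not under platform-data/ or platform-config/")
        if not e.get("consumers"):
            errors.append(f"{name}: no consumers listed")
        if name in seen:
            errors.append(f"{name}: duplicate entry")
        seen.add(name)
    return errors

def reconcile(entries: List[Dict], live_names: Iterable[str]) -> Dict[str, List[str]]:
    """Drift in both directions: scenario 4.4.3 (stale entry) and 4.4.4 (undocumented secret)."""
    inventory = {e["name"] for e in entries}
    live = set(live_names)
    return {
        "stale_in_inventory": sorted(inventory - live),               # 4.4.3
        "undocumented_in_secrets_manager": sorted(live - inventory),  # 4.4.4
    }

def live_secret_names(client) -> List[str]:
    """Enumerate names via the boto3 list_secrets paginator (needs credentials; not run here)."""
    names: List[str] = []
    for page in client.get_paginator("list_secrets").paginate():
        names.extend(s["Name"] for s in page["SecretList"])
    return names

# Constructed sample mirroring the manifest in 4.2.4; in production use yaml.safe_load()
INVENTORY = [
    {"name": "platform-data/postgres/my-app", "description": "PostgreSQL credentials for my-app",
     "consumers": ["my-app"], "rotation": "manual", "created": "2026-02-17"},
    {"name": "platform-config/redis/shared", "description": "Redis connection parameters",
     "consumers": ["my-app", "other-service"], "rotation": "none", "created": "2026-02-17"},
]
# Constructed: what list_secrets returned; redis matches, postgres is gone, smtp is undocumented
LIVE_NAMES = ["platform-config/redis/shared", "platform-data/smtp/other-service"]
```

The principal running `live_secret_names` needs only `secretsmanager:ListSecrets`, which returns names and metadata, never values, so the reconciliation job does not need GetSecretValue.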