node-red-contrib-aws-asm

A Node-RED node for AWS Secrets Manager operations

Version: 2.0.0 (latest)
Source: npm
Weekly downloads: 2 (-33.33%)
Maintainers: 1

node-red-contrib-aws-asm

A production-ready Node-RED node for AWS Secrets Manager operations that retrieves secrets and stores them in Node-RED context or environment variables.

Features

  • 🔐 Retrieve secrets from AWS Secrets Manager
  • 🏗️ Flexible credential configuration (IAM roles, direct credentials, context variables)
  • 📦 Store secrets in flow context, global context, or environment variables
  • 🔄 Support for both JSON and string secrets
  • 🎯 TypedInput support for dynamic secret IDs
  • ⚡ Real-time credential resolution from context
  • 🛡️ Production-ready with comprehensive error handling

Installation

Run the following command in your Node-RED user directory (typically ~/.node-red):

npm install node-red-contrib-aws-asm

After installation, restart Node-RED to load the new nodes.

Configuration

AWS Configuration Node

The module uses a configuration node that supports multiple authentication methods:

IAM Role Authentication

  • ✅ Use when running on EC2 instances with IAM roles
  • ✅ No credentials needed in Node-RED
  • ✅ Automatic credential rotation

Access Key Authentication

Supports multiple credential sources:

  • String: Stored securely in Node-RED credentials (encrypted)
  • Flow Context: Retrieved from flow context variables
  • Global Context: Retrieved from global context variables
  • Environment Variables: Retrieved from environment variables

Examples

Environment-based Configuration

// Set environment variables
process.env.AWS_ACCESS_KEY_ID = "your-access-key";
process.env.AWS_SECRET_ACCESS_KEY = "your-secret-key";

// Configure node to use environment variables
Access Key ID: Environment Variable → AWS_ACCESS_KEY_ID
Secret Access Key: Environment Variable → AWS_SECRET_ACCESS_KEY

Mixed Configuration

// Store secret key in global context
global.set("aws_secret", "your-secret-access-key");

// Configure node
Access Key ID: String → stored securely in Node-RED
Secret Access Key: Global Context → aws_secret

Usage

Basic Usage

  • Create AWS Configuration

    • Add an "aws-secret-manager-config" node
    • Configure your AWS region and credentials
  • Add Secrets Manager Node

    • Drag "aws-secret-manager" node to your flow
    • Select your AWS configuration
    • Configure secret ID and storage options
  • Configure Secret ID

    The Secret ID supports multiple input types:

    • String: Direct secret name or ARN
    • Message: From msg.payload.secretId or msg.secretId
    • Flow Context: From flow context variable
    • Global Context: From global context variable
    • Environment Variable: From environment variable

Storage Options

Flow Context

// Store in flow context
storeIn: "flow"
variableName: "dbCredentials"

// Access later
const credentials = flow.get("dbCredentials");

Global Context

// Store in global context  
storeIn: "global"
variableName: "dbCredentials"

// Access later
const credentials = global.get("dbCredentials");

Environment Variables

// For JSON secrets like: {"DB_HOST":"localhost","DB_USER":"admin"}
storeIn: "env"
// Each key becomes an environment variable automatically:
// process.env.DB_HOST = "localhost"
// process.env.DB_USER = "admin"
// No Variable Name needed - each JSON key becomes a separate env var
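
With storeIn: "env", every key of a JSON secret becomes a process-wide environment variable, so the key names deserve the same scrutiny as the values. The check below is an added example, not code from the package: it vets a secret's keys (for instance one first retrieved with storeIn: "output") and reports names that are reserved, already set, or non-scalar, without ever returning a value. The function name, the reserved list and the sample secret are constructed assumptions; the page does not describe how the node itself treats such keys.

```javascript
// Added example: vet the keys of a JSON secret before they become env vars.
// Variables that change how a process finds or loads code (constructed list).
const RESERVED = new Set([
  "PATH", "NODE_OPTIONS", "NODE_PATH", "LD_PRELOAD", "LD_LIBRARY_PATH",
]);
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns { accepted: [names], rejected: [{ key, reason }] }; values never leave.
function vetEnvKeys(secret, currentEnv = process.env) {
  let parsed;
  try {
    parsed = typeof secret === "string" ? JSON.parse(secret) : secret;
  } catch {
    return { accepted: [], rejected: [{ key: null, reason: "plain string secret, not JSON" }] };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { accepted: [], rejected: [{ key: null, reason: "not a JSON object" }] };
  }
  const accepted = [];
  const rejected = [];
  for (const [key, value] of Object.entries(parsed)) {
    let reason = null;
    if (!VALID_NAME.test(key)) reason = "invalid variable name";
    else if (RESERVED.has(key.toUpperCase())) reason = "reserved loader/runtime variable";
    else if (Object.prototype.hasOwnProperty.call(currentEnv, key)) {
      reason = "would overwrite existing variable";
    } else if (typeof value === "object") reason = "non-scalar value";
    if (reason) rejected.push({ key, reason });
    else accepted.push(key);
  }
  return { accepted, rejected };
}

// Constructed sample secret and environment, for illustration only.
const sampleSecret = JSON.stringify({
  DB_HOST: "localhost",
  DB_USER: "admin",
  NODE_OPTIONS: "x",
  HOME: "/tmp",
  DB_OPTS: { ssl: true },
});
const report = vetEnvKeys(sampleSecret, { HOME: "/home/nodered" });
console.log(report.accepted, report.rejected);
```
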

Output Data

// Send secret directly to output
storeIn: "output"
// msg.payload will contain the secret value

Example Flow

[
    {
        "id": "inject-node",
        "type": "inject",
        "payload": "{}",
        "wires": [["secrets-node"]]
    },
    {
        "id": "secrets-node", 
        "type": "aws-secret-manager",
        "awsConfig": "aws-config",
        "secretId": "my-database-secret",
        "secretIdType": "str",
        "storeIn": "global",
        "variableName": "dbCredentials",
        "wires": [["debug-node"]]
    }
]

Input

Message Properties

  • msg.secretId (optional): Secret ID if not configured in node

Example Input

msg = {
    secretId: "my-secret-name"
}

Output

Success Response (when storing in context/env)

msg = {
    payload: {
        status: "Secret stored successfully",
        secretId: "my-secret-name"
    }
}

Success Response (when outputting data)

msg = {
    payload: {
        username: "admin",
        password: "secret123", 
        host: "database.example.com"
    }
}

Error Response

msg = {
    payload: {
        error: "Error message"
    }
}

Security Best Practices

  • ✅ Use IAM roles when possible (recommended for EC2 instances)
  • ✅ Store credentials in context variables rather than hardcoding
  • ✅ Use environment variables for sensitive configuration
  • ✅ Rotate access keys regularly
  • ✅ Follow the principle of least privilege
  • ✅ Enable AWS CloudTrail for audit logging

Error Handling

The node provides comprehensive error handling:

  • Configuration errors: Missing or invalid AWS configuration
  • Authentication errors: Invalid credentials or permissions
  • Secret not found: Invalid secret ID or insufficient permissions
  • Network errors: Connection issues with AWS

All errors are logged and sent in the message payload for downstream processing.

Requirements

  • Node.js >= 12.0.0
  • Node-RED >= 2.0.0
  • AWS account with Secrets Manager access
  • Appropriate IAM permissions

IAM Permissions

Minimum required permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:region:account:secret:*"
        }
    ]
}
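
The Resource in the policy above ends in secret:*, which allows GetSecretValue on every secret in that region and account. The check below is an added example, not part of the package: it flags statements that broad and passes a variant scoped to the my-database-secret name used in the example flow. The function names, region and account ID are constructed; the -?????? suffix matches the six random characters Secrets Manager appends to a secret's ARN.

```javascript
// Added example: flag Secrets Manager grants broader than named secrets.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns one finding per over-broad element; [] means every Allow is scoped.
function lintSecretsPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action);
    const relevant = actions.some(
      (a) => a === "*" || a.toLowerCase().startsWith("secretsmanager:"));
    if (!relevant) return;
    for (const a of actions) {
      if (a.includes("*")) findings.push(`Statement[${i}]: wildcard action ${a}`);
    }
    for (const r of asList(stmt.Resource)) {
      if (r !== "*" && !r.includes(":secretsmanager:")) continue;
      // ARN layout: arn:partition:secretsmanager:region:account:secret:name
      const name = r.split(":").slice(6).join(":");
      if (r === "*" || name === "" || name === "*") {
        findings.push(`Statement[${i}]: resource ${r} matches every secret`);
      } else if (name.includes("*")) {
        findings.push(`Statement[${i}]: resource ${r} matches a group of secrets`);
      }
    }
  });
  return findings;
}

// The policy as given on this page.
const pagePolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue"],
    Resource: "arn:aws:secretsmanager:region:account:secret:*",
  }],
};
// Scoped variant; region and account ID are constructed placeholders.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue"],
    Resource: "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-database-secret-??????",
  }],
};
console.log(lintSecretsPolicy(pagePolicy), lintSecretsPolicy(scopedPolicy));
```
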

License

MIT

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Support

If you encounter any issues or have questions, please open an issue on GitHub.

Keywords

node-red

Package last updated on 29 May 2025
