node-red-contrib-aws-asm 2.0.0
A Node-RED node for AWS Secrets Manager operations
node-red-contrib-aws-asm
A production-ready Node-RED node for AWS Secrets Manager operations that retrieves secrets and stores them in Node-RED context or environment variables.
Features
- 🔐 Retrieve secrets from AWS Secrets Manager
- 🏗️ Flexible credential configuration (IAM roles, direct credentials, context variables)
- 📦 Store secrets in flow context, global context, or environment variables
- 🔄 Support for both JSON and string secrets
- 🎯 TypedInput support for dynamic secret IDs
- ⚡ Real-time credential resolution from context
- 🛡️ Production-ready with comprehensive error handling
Installation
Run the following command in your Node-RED user directory (typically ~/.node-red):
npm install node-red-contrib-aws-asm
After installation, restart Node-RED to load the new nodes.
Configuration
AWS Configuration Node
The module uses a configuration node that supports multiple authentication methods:
IAM Role Authentication (Recommended)
- ✅ Use when running on EC2 instances with IAM roles
- ✅ No credentials needed in Node-RED
- ✅ Automatic credential rotation
Access Key Authentication
Supports multiple credential sources:
- String: Stored securely in Node-RED credentials (encrypted)
- Flow Context: Retrieved from flow context variables
- Global Context: Retrieved from global context variables
- Environment Variables: Retrieved from environment variables
Examples
Environment-based Configuration
// Set environment variables
process.env.AWS_ACCESS_KEY_ID = "your-access-key";
process.env.AWS_SECRET_ACCESS_KEY = "your-secret-key";
// Configure node to use environment variables
Access Key ID: Environment Variable → AWS_ACCESS_KEY_ID
Secret Access Key: Environment Variable → AWS_SECRET_ACCESS_KEY
Mixed Configuration
// Store secret key in global context
global.set("aws_secret", "your-secret-access-key");
// Configure node
Access Key ID: String → stored securely in Node-RED
Secret Access Key: Global Context → aws_secret
Usage
Basic Usage
Create AWS Configuration
- Add an "aws-secret-manager-config" node
- Configure your AWS region and credentials
Add Secrets Manager Node
- Drag "aws-secret-manager" node to your flow
- Select your AWS configuration
- Configure secret ID and storage options
Configure Secret ID
The Secret ID supports multiple input types:
- String: Direct secret name or ARN
- Message: From msg.payload.secretId or msg.secretId
- Flow Context: From flow context variable
- Global Context: From global context variable
- Environment Variable: From environment variable
Storage Options
Flow Context
// Store in flow context
storeIn: "flow"
variableName: "dbCredentials"
// Access later
const credentials = flow.get("dbCredentials");
Global Context
// Store in global context
storeIn: "global"
variableName: "dbCredentials"
// Access later
const credentials = global.get("dbCredentials");
Environment Variables
// For JSON secrets like: {"DB_HOST":"localhost","DB_USER":"admin"}
storeIn: "env"
// Each key becomes an environment variable automatically:
// process.env.DB_HOST = "localhost"
// process.env.DB_USER = "admin"
// No Variable Name needed - each JSON key becomes a separate env var
Output Data
// Send secret directly to output
storeIn: "output"
// msg.payload will contain the secret value
Example Flow
[
{
"id": "inject-node",
"type": "inject",
"payload": "{}",
"wires": [["secrets-node"]]
},
{
"id": "secrets-node",
"type": "aws-secret-manager",
"awsConfig": "aws-config",
"secretId": "my-database-secret",
"secretIdType": "str",
"storeIn": "global",
"variableName": "dbCredentials",
"wires": [["debug-node"]]
}
]
Input
Message Properties
msg.secretId (optional): Secret ID if not configured in node
Example Input
msg = {
secretId: "my-secret-name"
}
Output
Success Response (when storing in context/env)
msg = {
payload: {
status: "Secret stored successfully",
secretId: "my-secret-name"
}
}
Success Response (when outputting data)
msg = {
payload: {
username: "admin",
password: "secret123",
host: "database.example.com"
}
}
Error Response
msg = {
payload: {
error: "Error message"
}
}
Security Best Practices
- ✅ Use IAM roles when possible (recommended for EC2 instances)
- ✅ Store credentials in context variables rather than hardcoding
- ✅ Use environment variables for sensitive configuration
- ✅ Rotate access keys regularly
- ✅ Follow the principle of least privilege
- ✅ Enable AWS CloudTrail for audit logging
Error Handling
The node provides comprehensive error handling:
- Configuration errors: Missing or invalid AWS configuration
- Authentication errors: Invalid credentials or permissions
- Secret not found: Invalid secret ID or insufficient permissions
- Network errors: Connection issues with AWS
All errors are logged and sent in the message payload for downstream processing.
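The three output shapes documented under Output and the error payload described here are easy to confuse downstream. The following is an added example, not code from the node-red-contrib-aws-asm package: the logic for a Function node (three outputs) wired after "aws-secret-manager" that tells the shapes apart, routes errors to their own output and logs key names but never secret values. The helper names classifyAsmResult and routeAsmResult are chosen here, and a plain-string secret is assumed to arrive as a string payload.

```javascript
// Added example for a Node-RED Function node placed after "aws-secret-manager".
// classifyAsmResult / routeAsmResult are hypothetical names, not package APIs.

function classifyAsmResult(msg) {
  const p = msg && msg.payload;
  if (p === null || typeof p !== "object" || Array.isArray(p)) {
    // Assumption: a plain-string secret sent with storeIn: "output" is a string.
    return typeof p === "string" ? { kind: "secret", keys: [] }
                                 : { kind: "unexpected", keys: [] };
  }
  if (typeof p.error === "string") {            // { payload: { error: "..." } }
    return { kind: "error", keys: [], error: p.error };
  }
  if (p.status === "Secret stored successfully" && typeof p.secretId === "string") {
    return { kind: "stored", keys: [], secretId: p.secretId };   // context/env mode
  }
  return { kind: "secret", keys: Object.keys(p).sort() };        // storeIn: "output"
}

// Returns the array a three-output Function node would `return`:
// output 1 = success (stored or secret), output 2 = error, output 3 = unexpected.
// `log` receives text that is safe to write to the Node-RED log.
function routeAsmResult(msg, log) {
  const r = classifyAsmResult(msg);
  switch (r.kind) {
    case "error":
      log("Secrets Manager error: " + r.error);          // error text only
      return [null, msg, null];
    case "stored":
      log("secret " + r.secretId + " stored in context");
      return [msg, null, null];
    case "secret":
      log("secret received with keys: " + r.keys.join(",")); // names, never values
      return [msg, null, null];
    default:
      return [null, null, msg];
  }
}

// Inside the Function node the whole body reduces to:
//   return routeAsmResult(msg, (m) => node.warn(m));
```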
Requirements
- Node.js >= 12.0.0
- Node-RED >= 2.0.0
- AWS account with Secrets Manager access
- Appropriate IAM permissions
IAM Permissions
Minimum required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:region:account:secret:*"
}
]
}
License
MIT
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Support
If you encounter any issues or have questions, please open an issue on GitHub.