Secrets Management
Secrets in AWS Secrets Manager
API Config Secrets
Each API has its own config secret containing database credentials, API keys, and service configuration:
| Secret ID | App | Key Contents |
|---|---|---|
| statux/api-config | Statux Pages | DATABASE_*, COGNITO_*, SENTRY_DSN |
| statux/alerts-api-config | Alerting | DATABASE_*, COGNITO_*, SENTRY_DSN, SLACK_*, TWILIO_* |
| statux/synthetics-api-config | Synthetics | DATABASE_*, COGNITO_*, SENTRY_DSN |
| statux/insights-api-config | Insights | DATABASE_*, COGNITO_*, SENTRY_DSN, BEDROCK_* |
| statux/platform-api-config | Platform | DATABASE_*, COGNITO_*, SENTRY_DSN |
Other Secrets
| Secret ID | Purpose |
|---|---|
| statux/stripe-config | Stripe API keys and webhook secrets (loaded by Platform API) |
Common Keys Across All API Secrets
| Key | Description |
|---|---|
| DATABASE_HOST | RDS endpoint |
| DATABASE_PORT | PostgreSQL port (5432) |
| DATABASE_USERNAME | DB user |
| DATABASE_PASSWORD | DB password |
| DATABASE_NAME | Database name (statux) |
| COGNITO_USER_POOL_ID | us-east-1_75Rp4zNBg |
| COGNITO_CLIENT_ID | 2u986rkhchk6mur28sgpt0bm8p |
| COGNITO_REGION | us-east-1 |
| SENTRY_DSN | Sentry error tracking DSN |
How Secrets Are Loaded
Each API loads secrets on startup via loadSecretsConfig() from @app/common:
- Fetches the JSON secret from Secrets Manager
- Merges with defaults into a config object
- Forwards SENTRY_DSN to process.env so initSentry() can read it
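The three steps above, written out as an added example (this is not the project's @app/common code; function and constant names are hypothetical). It fails fast when a required key from the common-keys table is missing and forwards only SENTRY_DSN into the environment:

```javascript
// Keys every API secret must carry (from the "Common Keys" table).
const REQUIRED_KEYS = [
  'DATABASE_HOST', 'DATABASE_PORT', 'DATABASE_USERNAME', 'DATABASE_PASSWORD',
  'DATABASE_NAME', 'COGNITO_USER_POOL_ID', 'COGNITO_CLIENT_ID', 'COGNITO_REGION',
];

// Assumed defaults; anything present in the secret overrides them.
const DEFAULTS = { DATABASE_PORT: '5432', COGNITO_REGION: 'us-east-1' };

// Parse, merge and validate. Synchronous, so it can be exercised offline with
// a constructed secret string; `env` is injectable for the same reason.
function buildConfig(secretId, secretString, env = process.env) {
  let parsed;
  try {
    parsed = JSON.parse(secretString);
  } catch {
    // Do not put the raw string in the error: it may contain credentials.
    throw new Error(`secret ${secretId} is not valid JSON`);
  }
  const config = { ...DEFAULTS, ...parsed };
  const missing = REQUIRED_KEYS.filter((k) => !config[k]);
  if (missing.length > 0) {
    throw new Error(`secret ${secretId} is missing keys: ${missing.join(', ')}`);
  }
  // Only SENTRY_DSN goes to process.env so initSentry() can read it; the
  // database credentials stay in the returned object, not in the environment.
  if (config.SENTRY_DSN) env.SENTRY_DSN = config.SENTRY_DSN;
  return config;
}

// Fetch the SecretString with AWS SDK v3 (assumes @aws-sdk/client-secrets-manager
// is installed and the instance role allows secretsmanager:GetSecretValue).
async function fetchSecretString(secretId) {
  const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
  const client = new SecretsManagerClient({});
  const res = await client.send(new GetSecretValueCommand({ SecretId: secretId }));
  if (typeof res.SecretString !== 'string') {
    throw new Error(`secret ${secretId} has no SecretString`);
  }
  return res.SecretString;
}

// Startup entry point; `fetcher` is injectable for offline tests.
async function loadSecretsConfig(secretId, fetcher = fetchSecretString) {
  return buildConfig(secretId, await fetcher(secretId));
}
```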
Email
Email is sent via AWS SES (not Resend). SES requires no API keys in secrets -- it uses the EC2 instance's IAM role for authentication. The @app/email library handles SES integration directly.
Accessing Secrets
```bash
aws secretsmanager get-secret-value \
  --secret-id statux/api-config \
  --query SecretString --output text
```
Pipe through jq for readable output:
```bash
aws secretsmanager get-secret-value \
  --secret-id statux/api-config \
  --query SecretString --output text | jq .
```
Updating Secrets
Caution: After updating a secret, you must trigger an ASG instance refresh (or restart the containers) for the API to pick up the new values. Secrets are loaded once on startup.
```bash
# Read current values first
aws secretsmanager get-secret-value \
  --secret-id statux/api-config \
  --query SecretString --output text | jq .

# Update (replaces the entire JSON -- include all keys)
aws secretsmanager update-secret \
  --secret-id statux/api-config \
  --secret-string '{ ... }'
```