Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Migrate Secrets from AWS Secrets Manager to Oracle Cloud Infrastructure Secrets in Vault
Introduction
Benefits when migrating secrets from Amazon Web Services (AWS) to Oracle Cloud Infrastructure (OCI):
- Centralized Secret Management: If you are already using OCI for infrastructure, then keeping all your secrets in OCI Vault can simplify management by ensuring security policies are consistent.
- Compliance and Security: OCI Vault integrates with many OCI services where customer-managed control is needed, providing encryption with customer-managed keys, access controls, and audit logs.
- Cost Consideration: OCI Vault’s pricing and storage options may be more cost-effective compared to AWS Secrets Manager, depending on your usage.
Supported Secret Types in OCI Vault
- The OCI Secrets service supports any type of secret, including PASSPHRASE, SSH_KEY, and BYTES. While these are the types that OCI can auto-generate, when creating secrets manually you are not limited to them. Ensure that the secret types in AWS correspond to formats accepted by OCI. For more information, see Managing Vault Secrets.
- OCI Vault requires secret content to be supplied in base64 format, which ensures safe storage of binary data.
Objectives
- This tutorial demonstrates how to migrate secrets stored in AWS Secrets Manager to OCI Vault using Python. You will learn how to retrieve secrets from AWS and securely store them in OCI Secrets in Vault with base64 encoding.
Prerequisites
- AWS and OCI SDKs: Ensure the boto3 and oci libraries are installed in your environment. These are the official SDKs for AWS and OCI respectively. Run the following command for installation.
  pip install boto3 oci
- OCI Vault Setup:
  - Vault ID: The unique identifier of the OCI Vault where the secret will be stored.
  - Key ID: An encryption key to encrypt the secret in the OCI Vault.
  - Compartment ID: The OCI compartment where the vault resides.
- AWS Credentials: Ensure you have AWS credentials properly configured in OCI Cloud Shell or OCI CLI, using aws configure or through environment variables. For more information, see Authenticating using IAM user credentials for the AWS CLI.
- OCI Configuration: Ensure your ~/.oci/config is correctly set up using OCI Cloud Shell or OCI CLI with your OCI credentials. For more information, see Installing the CLI.
Migrate Secrets from AWS to OCI
- Retrieve and view AWS secrets. To migrate secrets from AWS, first ensure you have a list of the secrets to be transferred. In this example, we are migrating two secrets: awssecret4 and awssecret5. The following screenshot shows the secrets in AWS Secrets Manager before migration.
- Create a vault and encryption key in OCI. To set up an OCI Vault and key for encrypting secrets, see Creating a Master Encryption Key.
- Use a Python script to migrate secrets. Download and save the following Python script as aws_to_oci_secret_migration.py. The script automates the process of retrieving AWS secrets and storing them in OCI Vault.
  Note: Replace placeholders like your_aws_secret1, your_aws_region, your_oci_vault_id and so on with your actual values. The prefix you specify is prepended to the names of the secrets created in the vault, so the secrets created by the script are easy to identify.
  Script:
import boto3  # AWS SDK to interact with AWS services
import oci  # OCI SDK to interact with Oracle Cloud
import base64  # To handle base64 encoding
from botocore.exceptions import ClientError  # For handling errors with AWS

# AWS configuration
AWS_SECRET_NAMES = ["your_aws_secret1", "your_aws_secret2"]  # List of AWS secrets to migrate
AWS_REGION = "your_aws_region"  # AWS region where the secrets are stored

# OCI configuration
VAULT_ID = "your_oci_vault_id"  # OCI Vault ID
COMPARTMENT_ID = "your_oci_compartment_id"  # OCI Compartment ID
KEY_ID = "your_oci_key_id"  # OCI Key ID
OCI_SECRET_NAME_PREFIX = "your_prefix"  # Prefix for the secret names in OCI Vault


def get_aws_secret(secret_name):
    """Retrieve the secret value from AWS Secrets Manager."""
    session = boto3.session.Session()  # Create a session with AWS
    client = session.client(service_name='secretsmanager', region_name=AWS_REGION)  # Create a Secrets Manager client
    try:
        # Get the secret value
        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
        # Text secrets are returned as SecretString; binary secrets as SecretBinary (bytes)
        if 'SecretString' in get_secret_value_response:
            return get_secret_value_response['SecretString']  # This is the actual secret data
        return get_secret_value_response['SecretBinary']
    except ClientError as e:
        print(f"Error retrieving secret from AWS: {e}")  # In case something goes wrong
        return None


def create_oci_secret(secret_content, secret_name):
    """Create a new secret in OCI Vault."""
    config = oci.config.from_file()  # This loads your OCI configuration from ~/.oci/config
    vaults_client = oci.vault.VaultsClient(config)  # Use the VaultsClient to create a secret in OCI Vault

    # Encode secret content to Base64 format (text is UTF-8 encoded first; binary content is used as is)
    raw_bytes = secret_content if isinstance(secret_content, bytes) else secret_content.encode('utf-8')
    secret_content_base64 = base64.b64encode(raw_bytes).decode('utf-8')  # Proper base64 encoding

    try:
        # Creating a new secret in OCI Vault
        create_secret_response = vaults_client.create_secret(
            create_secret_details=oci.vault.models.CreateSecretDetails(
                vault_id=VAULT_ID,
                compartment_id=COMPARTMENT_ID,
                secret_name=secret_name,
                key_id=KEY_ID,
                secret_content=oci.vault.models.Base64SecretContentDetails(
                    content=secret_content_base64,  # Base64 encoded content
                    content_type="BASE64"  # Specifying the content type as BASE64
                ),
                description="Migrated from AWS Secrets Manager"  # A brief description
            )
        )
        print(f"Secret '{secret_name}' successfully created in OCI Vault.")
    except oci.exceptions.ServiceError as e:
        print(f"Error creating secret in OCI Vault: {e}")  # If something goes wrong


def main():
    # Step 1: Retrieve and migrate secrets from AWS Secrets Manager
    for aws_secret_name in AWS_SECRET_NAMES:
        aws_secret_content = get_aws_secret(aws_secret_name)
        if aws_secret_content:
            # Generate OCI secret name based on AWS secret name
            oci_secret_name = f"{OCI_SECRET_NAME_PREFIX}_{aws_secret_name}"
            # Step 2: Create the secret in OCI Vault
            create_oci_secret(aws_secret_content, oci_secret_name)


if __name__ == "__main__":
    main()
- Once the script is saved, run it with the following command.
  python3 aws_to_oci_secret_migration.py
- After successfully running the script, you can verify the newly created secrets in the OCI Vault.
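As an added example (not part of the tutorial or its migration script), the helpers below cover the base64 requirement noted earlier for both AWS secret forms (SecretString and SecretBinary) and make the final verification step concrete: the migrated secret is read back from OCI and its decoded bytes are compared with the AWS source via SHA-256 fingerprints, so nothing secret is printed. The sample response is constructed; fetch_oci_secret_base64 assumes the oci SDK and a working ~/.oci/config.

```python
import base64
import hashlib
from typing import Union

# Constructed sample of a boto3 get_secret_value() response (not a real secret).
SAMPLE_AWS_RESPONSE = {"Name": "awssecret4", "SecretString": "example-only-value"}


def to_oci_base64(secret_value: Union[str, bytes]) -> str:
    """Return the base64 text OCI Vault requires; text is UTF-8 encoded first, bytes are used as is."""
    raw = secret_value if isinstance(secret_value, bytes) else secret_value.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def aws_secret_bytes(response: dict) -> bytes:
    """Raw bytes from a GetSecretValue response: text secrets use SecretString, binary ones SecretBinary."""
    if "SecretString" in response:
        return response["SecretString"].encode("utf-8")
    if "SecretBinary" in response:
        return bytes(response["SecretBinary"])
    raise ValueError("response carries neither SecretString nor SecretBinary")


def fingerprint(raw: bytes) -> str:
    """SHA-256 of the secret bytes, so source and target can be compared and logged without the value."""
    return hashlib.sha256(raw).hexdigest()


def matches(aws_response: dict, oci_base64_content: str) -> bool:
    """True when the OCI secret bundle content decodes to exactly the bytes AWS returned."""
    return fingerprint(aws_secret_bytes(aws_response)) == fingerprint(base64.b64decode(oci_base64_content))


def fetch_oci_secret_base64(secret_id: str) -> str:
    """Read the current version of a migrated secret back from OCI (needs the oci SDK and ~/.oci/config)."""
    import oci  # imported here so the pure helpers above run without the SDK installed

    client = oci.secrets.SecretsClient(oci.config.from_file())
    bundle = client.get_secret_bundle(secret_id=secret_id).data
    return bundle.secret_bundle_content.content


if __name__ == "__main__":
    # Offline round trip on the constructed sample; replace the first line with
    # fetch_oci_secret_base64("<oci secret OCID>") to check a real migrated secret.
    oci_content = to_oci_base64(SAMPLE_AWS_RESPONSE["SecretString"])
    print("migrated content matches source:", matches(SAMPLE_AWS_RESPONSE, oci_content))
```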
Next Steps
Migrating secrets from AWS to OCI can help streamline your operations, especially if you are leveraging OCI for the rest of your cloud infrastructure. By using Python automation, you can efficiently transfer secrets, ensuring they are securely stored and compliant with OCI’s encryption standards.
Acknowledgments
- Author - Vishak Chittuvalapil (Senior Cloud Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Migrate Secrets from AWS Secrets Manager to Oracle Cloud Infrastructure Secrets in Vault
G17318-02
October 2024