Recall from Chapter 8 that the Django framework that powers the todobackend application requires an environment variable called SECRET_KEY to be configured, which is used for various cryptographic operations. Earlier in this chapter, when you created the todobackend/credentials secret, you only created a single key/value pair for the MYSQL_PASSWORD variable that is used for the database password.
Let's see how we can now update the todobackend/credentials secret to add in a value for the SECRET_KEY variable. You can update secrets by running the aws secretsmanager update-secret command, referencing the ID of the secret and specifying the new secret value:
> aws secretsmanager get-random-password --password-length 50 --exclude-characters "'\""
{
    "RandomPassword": "E2]eTfO~8Z5)&0SlR-&XQf=yA:B(`,p.B#R6d]a~X-vf?%%/wY"
}
> aws secretsmanager update-secret --secret-id todobackend/credentials \
    --kms-key-id alias/secrets-key \
    --secret-string '{
      "MYSQL_PASSWORD":"some-super-secret-password",
      "SECRET_KEY": "E2]eTfO~8Z5)&0SlR-&XQf=yA:B(`,p.B#R6d]a~X-vf?%%/wY"
    }'
{
    "ARN": "arn:aws:secretsmanager:us-east-1:385605022855:secret:todobackend/credentials-f7AQlO",
    "Name": "todobackend/credentials",
    "VersionId": "cd258b90-d108-4a06-b0f2-849be15f9c33"
}
In the preceding example, notice that you can use the aws secretsmanager get-random-password command to generate a random password for you, which is ideal for the SECRET_KEY variable. It is important that you exclude single and double quote characters from this secret using the --exclude-characters flag, as these characters will generally cause problems with bash scripts that process these values.
You then run the aws secretsmanager update-secret command, specifying the correct KMS key ID and providing an updated JSON object that includes both the MYSQL_PASSWORD and SECRET_KEY key/value pairs.
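Because update-secret stores the supplied --secret-string as the complete new value, the existing MYSQL_PASSWORD pair has to be carried over when SECRET_KEY is added. The following Python code is an added example, not code from this book or from the todobackend project; the function names are hypothetical, and random_secret is a local stand-in for get-random-password that assumes the same quote exclusion.

```python
import json
import secrets
import string

EXCLUDED = "'\""  # the quote characters passed to --exclude-characters on the page


def random_secret(length=50, excluded=EXCLUDED):
    """Local stand-in (assumption) for `aws secretsmanager get-random-password`."""
    pool = string.ascii_letters + string.digits + string.punctuation
    alphabet = [c for c in pool if c not in excluded]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def merge_secret(current_json, new_pairs, overwrite=False, excluded=EXCLUDED):
    """Build the complete --secret-string: existing pairs plus the new ones."""
    current = json.loads(current_json) if current_json else {}
    if not isinstance(current, dict):
        raise ValueError("existing secret is not a JSON object")
    for key, value in new_pairs.items():
        if key in current and not overwrite:
            raise ValueError(f"{key} is already set; pass overwrite=True to replace it")
        if any(c in excluded for c in value):
            raise ValueError(f"{key} contains an excluded quote character")
        current[key] = value
    return json.dumps(current)


def update_secret_argv(secret_id, kms_key_id, secret_string):
    """argv for update-secret; a list avoids shell quoting of the value."""
    return ["aws", "secretsmanager", "update-secret",
            "--secret-id", secret_id,
            "--kms-key-id", kms_key_id,
            "--secret-string", secret_string]


if __name__ == "__main__":
    # Constructed sample: the secret as it existed before SECRET_KEY was added.
    existing = '{"MYSQL_PASSWORD": "some-super-secret-password"}'
    payload = merge_secret(existing, {"SECRET_KEY": random_secret()})
    argv = update_secret_argv("todobackend/credentials", "alias/secrets-key", payload)
    print(sorted(json.loads(payload)))   # key names only, never the values
    print(argv[:-1] + ["<secret-string>"])
```

The argv list can be handed to subprocess.run without a shell, so the generated value is never re-parsed by bash.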