Recipe

AWS Secrets Manager integration

Rotate Nimbus license secrets via AWS Secrets Manager with automatic Lambda-driven refresh and VPC-private endpoint access.

Overview

Store your Nimbus API key and signing secret in AWS Secrets Manager. A scheduled Lambda rotates the secret every 30 days and pushes the new value to your loader CDN via a signed webhook.

Prerequisites

  • AWS account with IAM permissions for Secrets Manager
  • Nimbus API key with secret:write scope
  • VPC endpoint for Secrets Manager (optional, recommended)

Step 1 — Create the secret

Navigate to AWS Secrets Manager and choose Store a new secret. Select Other type of secret and add two key-value pairs:

{
  "NIMBUS_API_KEY": "nk_live_...",
  "NIMBUS_SIGNING_SECRET": "ss_live_..."
}

Step 2 — Lambda rotation

Attach the Nimbus rotation Lambda from the AWS Serverless Application Repository (SAR) catalog. It calls the Nimbus API to generate a fresh key pair, updates the secret version, and signals your CDN edge to invalidate the old payload.

Step 3 — Verify

Trigger a manual rotation and check CloudWatch logs for the SECRET_ROTATED event. Your loader will fetch the updated payload on the next heartbeat.
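
One way to script the Step 3 check, as an added example (not Nimbus or AWS code): it audits a dict shaped like the Secrets Manager DescribeSecret response together with the current SecretString. The function name, sample ARN and version ids are constructed for illustration; in practice the inputs would come from boto3's describe_secret and get_secret_value.

```python
import json
from datetime import datetime, timedelta, timezone

EXPECTED_KEYS = {"NIMBUS_API_KEY", "NIMBUS_SIGNING_SECRET"}  # keys from Step 1
MAX_AGE_DAYS = 30  # rotation interval from the Overview

def audit_rotation(meta, secret_string, now=None):
    """Return findings for one secret; an empty list means rotation looks healthy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not meta.get("RotationEnabled"):
        findings.append("rotation is not enabled")
    if not meta.get("RotationLambdaARN"):
        findings.append("no rotation Lambda attached")
    # Assumption: the schedule is set with AutomaticallyAfterDays, not a ScheduleExpression.
    days = meta.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if days is None or days > MAX_AGE_DAYS:
        findings.append(f"rotation interval is {days} days, expected <= {MAX_AGE_DAYS}")
    last = meta.get("LastRotatedDate")
    if last is None or now - last > timedelta(days=MAX_AGE_DAYS):
        findings.append("secret has not rotated within the interval")
    stages = meta.get("VersionIdsToStages", {})
    current = [v for v, s in stages.items() if "AWSCURRENT" in s]
    if len(current) != 1:
        findings.append(f"expected one AWSCURRENT version, found {len(current)}")
    # AWSPENDING left on a non-current version: rotation in progress or failed part-way.
    stuck = [v for v, s in stages.items() if "AWSPENDING" in s and "AWSCURRENT" not in s]
    if stuck:
        findings.append(f"rotation incomplete, AWSPENDING still on {stuck}")
    try:
        payload = json.loads(secret_string)
    except (TypeError, ValueError):
        payload = None
    keys = set(payload) if isinstance(payload, dict) else set()
    if EXPECTED_KEYS - keys:
        findings.append(f"secret value is missing keys: {sorted(EXPECTED_KEYS - keys)}")
    return findings

# Constructed sample shaped like a DescribeSecret response after a failed rotation.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_META = {
    "RotationEnabled": True,
    "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:example-rotator",
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "LastRotatedDate": datetime(2024, 4, 1, tzinfo=timezone.utc),
    "VersionIdsToStages": {"v1": ["AWSCURRENT"], "v2": ["AWSPENDING"]},
}
if __name__ == "__main__":
    print(audit_rotation(SAMPLE_META, '{"NIMBUS_API_KEY": "placeholder"}', SAMPLE_NOW))
```

Run against the constructed sample, the audit reports a stale rotation date, a version still labelled AWSPENDING, and a missing NIMBUS_SIGNING_SECRET key.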

Next steps

Read the API reference for the complete secret rotation endpoint specification.