Skip to content

Secrets manifest

This page lists every secret that must exist in AWS Secrets Manager before any module deployment pipeline will succeed. A missing secret causes silent or cryptic failures — the pipeline does not pre-check for secrets, but the first Lambda invocation that needs one will fail immediately.

Resolves gap: GAP-D04 — No secrets manifest.

Naming convention: /bank/{env}/{domain}/{secret-name} where {env} is dev, uat, or prod.

All secrets are managed by MOD-045 (Secrets & key management). Rotation schedules are configured in Secrets Manager rotation policies at provisioning time.

Pre-deployment requirement

All secrets in this manifest must be provisioned in all target environments before running any module deployment pipeline. Provision secrets first; deploy modules second. There is no partial-secrets mode — a module that cannot read its required secret at cold-start will fail and may affect dependent modules.

Core banking (SD01 — bank-core)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/core/neon-db-url PgBouncer connection string for bank_core database (app role, pooled) MOD-001 through MOD-016 and all SD01 modules Neon dashboard → connection string for bank_core prod branch Yes — 90 days
/bank/{env}/core/neon-db-migrate-url Direct (non-pooled) connection string for Flyway migrations Migration pipeline only — not Lambda functions Neon dashboard → direct connection string for bank_core prod branch No — manual on branch change

Notes: - The neon-db-url uses PgBouncer (pooled). Lambda functions must use this path, not the direct connection string. - The neon-db-migrate-url bypasses PgBouncer and is required for DDL operations. Never use this in application code. - Rotation of neon-db-url triggers a Neon password rotation; the new credentials are written back to Secrets Manager automatically by the rotation Lambda.

KYC platform (SD02 — bank-kyc)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/kyc/neon-db-url PgBouncer connection string for bank_kyc database (app role, pooled) All SD02 modules Neon dashboard → bank_kyc prod branch Yes — 90 days
/bank/{env}/kyc/neon-db-migrate-url Direct connection string for Flyway migrations against bank_kyc Migration pipeline only Neon dashboard → direct connection for bank_kyc No — manual on branch change
/bank/{env}/kyc/eidv-api-key eIDV provider API key — GreenID AU (production) / Frankie One (AU/NZ) MOD-009 (eIDV & document verification) Third-party provider portal — provisioned manually No — manual rotation on provider request
/bank/{env}/kyc/document-ocr-api-key Document OCR provider API key for passport and driver licence scanning MOD-009, MOD-010 Third-party provider portal — provisioned manually No — manual rotation

Notes: - eidv-api-key differs between AU and NZ deployments. For an NZ-only client, this will be the Frankie One NZ key. For AU-only, the GreenID AU key. For NZ+AU, both providers must be configured — consult the module documentation for how to pass multi-provider configuration. - eIDV keys are environment-specific: the provider issues separate sandbox keys for dev/uat and production keys for prod.

AML monitoring (SD03 — bank-aml)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/aml/neon-db-url PgBouncer connection string for bank_aml database All SD03 modules Neon dashboard → bank_aml prod branch Yes — 90 days
/bank/{env}/aml/neon-db-migrate-url Direct connection string for Flyway migrations against bank_aml Migration pipeline only Neon dashboard → direct connection for bank_aml No
/bank/{env}/aml/sanctions-list-api-key Dow Jones Watchlist / Refinitiv World-Check sanctions feed API key MOD-034 (sanctions screening), MOD-035 (PEP screening) Dow Jones / Refinitiv client portal — provisioned manually No — manual rotation annually
/bank/{env}/aml/fiu-submission-key-au AUSTRAC ECDD/TTR submission API credentials (AU only — not required for NZ-only clients) MOD-038 (AUSTRAC reporting) AUSTRAC Regulatory Portal — government-issued No — manual rotation per AUSTRAC schedule
/bank/{env}/aml/fiu-submission-key-nz FIU NZ goAML submission API credentials (NZ only — not required for AU-only clients) MOD-039 (FIU NZ reporting) New Zealand Police FIU — government-issued No — manual rotation per FIU NZ schedule

Notes: - fiu-submission-key-au and fiu-submission-key-nz are government-issued credentials. Rotation requires a formal request to the relevant regulator. Lead time for new credentials can be 2–4 weeks — do not let these lapse. - Sanctions feed keys should be provisioned even in dev and uat — the provider issues sandbox credentials. Do not use production keys in non-production environments.

Payments (SD04 — bank-payments)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/payments/neon-db-url PgBouncer connection string for bank_payments database All SD04 modules Neon dashboard → bank_payments prod branch Yes — 90 days
/bank/{env}/payments/neon-db-migrate-url Direct connection for Flyway migrations against bank_payments Migration pipeline only Neon dashboard No
/bank/{env}/payments/bpay-api-key BPAY API credentials — billers and payment initiation (AU only) MOD-052 (BPAY), MOD-053 (BPAY reconciliation) BPAY Group participant portal — provisioned manually No — manual rotation annually
/bank/{env}/payments/npp-client-cert NPP client certificate PEM for PayTo and Osko (AU only) MOD-054 (NPP/Osko), MOD-055 (PayTo) NPP Australia — issued via NPPA onboarding process No — manual rotation per NPPA schedule (typically 2 years)
/bank/{env}/payments/swift-api-key SWIFT Alliance Lite 2 API credentials for cross-border payments MOD-056 (SWIFT cross-border) SWIFT Alliance Lite portal — provisioned after SWIFT membership No — manual rotation per SWIFT schedule
/bank/{env}/payments/nz-payments-api-key NZ faster payments / Payments NZ API key (NZ only) MOD-057 (NZ faster payments) Payments NZ participant portal — provisioned manually No — manual rotation
/bank/{env}/payments/fx-provider-api-key FX rate provider API key (e.g. Open Exchange Rates, Wise) for rate feed MOD-060 (FX rates), MOD-056 FX rate provider portal — provisioned manually No — manual rotation

Notes: - bpay-api-key and npp-client-cert are AU-only. For NZ-only clients, these paths do not need to exist, but leaving them empty causes no harm — modules check jurisdiction before attempting to read them. - The NPP client certificate (npp-client-cert) is stored as a PEM string (full cert + private key concatenated). Ensure the cert chain is complete. - SWIFT credentials are only required if the cross-border wallet product (PRD-009) is active.

Credit (SD05 — bank-credit)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/credit/neon-db-url PgBouncer connection string for bank_credit database All SD05 modules Neon dashboard → bank_credit prod branch Yes — 90 days
/bank/{env}/credit/neon-db-migrate-url Direct connection for Flyway migrations against bank_credit Migration pipeline only Neon dashboard No
/bank/{env}/credit/equifax-au-api-key Equifax Australia credit bureau API key — comprehensive credit report (AU only) MOD-070 (credit assessment), MOD-071 (bureau refresh) Equifax AU partner portal — provisioned after credit licensee agreement No — manual rotation annually
/bank/{env}/credit/centrix-api-key Centrix NZ credit bureau API key — credit report and score (NZ only) MOD-070, MOD-071 Centrix NZ portal — provisioned after credit reporting agreement No — manual rotation annually
/bank/{env}/credit/illion-api-key Illion bank statement analysis API key — CDR-derived income/expense analysis MOD-072 (bank statement analysis), MOD-073 (affordability) Illion partner portal — provisioned manually No — manual rotation annually

Notes: - Credit bureau keys carry significant legal and contractual obligations. Provisioning requires a signed credit reporting agreement and privacy consent model in place. - equifax-au-api-key and centrix-api-key are bureau-specific to jurisdiction — provision only the key relevant to each client's jurisdiction. For NZ+AU clients, both are required. - Bureau sandbox credentials (for dev/uat) are issued separately from production credentials. Never use live bureau keys in non-production environments.

Risk platform (SD06 — bank-risk-platform / Snowflake)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/risk/snowflake-connection-string Snowflake account URL and warehouse/database/role parameters All SD06 modules that write to Snowflake Snowflake admin — account details from Snowflake setup No — managed via key rotation
/bank/{env}/risk/snowflake-private-key RSA PEM private key for Snowflake key-pair authentication All SD06 modules that authenticate to Snowflake Generated locally (RSA 2048-bit); public key registered in Snowflake user profile No — manual rotation annually (generate new key pair, update Snowflake user, update this secret)

Notes: - Snowflake uses key-pair authentication (not username/password). The private key in Secrets Manager corresponds to a public key registered in the Snowflake user account. - The connection string contains: account identifier, database, warehouse, schema, and role — but not the key. The Lambda reads both secrets to form a full authenticated connection. - Key rotation procedure: generate a new RSA key pair → register new public key in Snowflake (Snowflake supports two active keys during rotation) → update snowflake-private-key → verify connection → remove old public key from Snowflake.

App platform (SD08 — bank-app)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/app/neon-db-url PgBouncer connection string for bank_app database All SD08 modules Neon dashboard → bank_app prod branch Yes — 90 days
/bank/{env}/app/neon-db-migrate-url Direct connection for Flyway migrations against bank_app Migration pipeline only Neon dashboard No
/bank/{env}/app/push-notification-key APNs certificate (iOS) + FCM server key (Android), stored as JSON object with apns_cert and fcm_key properties MOD-105 (push notifications) Apple Developer Portal (APNs) + Google Firebase Console (FCM) No — manual rotation; APNs cert expires annually
/bank/{env}/app/card-bureau-api-key Card bureau API key — Cuscal (AU) / Monoova or equivalent (NZ) — for card issuance and management MOD-110 (card issuance), MOD-111 (card management) Card bureau partner portal — provisioned after card programme agreement No — manual rotation
/bank/{env}/app/sms-provider-api-key SMS OTP delivery provider API key (e.g. Twilio, MessageBird, AWS SNS SMS) MOD-106 (SMS OTP), MOD-107 (2FA) SMS provider portal — provisioned manually No — manual rotation annually

Notes: - The APNs certificate in push-notification-key is environment-specific: Apple issues separate sandbox and production certificates. Using the sandbox certificate in prod will silently fail to deliver notifications to real devices. - Card bureau provisioning requires completion of the card scheme (Visa/Mastercard) programme agreement and bureau onboarding. Lead time is typically 4–8 weeks.

Data platform (SD07 — bank-platform / Snowflake)

Secret path Contents Consuming modules Initial value source Auto-rotates
/bank/{env}/platform/snowflake-connection-string Snowflake account URL and connection parameters for data platform write access All SD07 Snowflake-writing modules (MOD-042 CDC, MOD-043 reporting) Snowflake admin No — managed via key rotation
/bank/{env}/platform/snowflake-private-key RSA PEM private key for Snowflake key-pair auth (data platform service account) All SD07 Snowflake-authenticating modules Generated locally; public key in Snowflake No — manual rotation annually
/bank/{env}/platform/reporting-submission-key RBNZ / APRA statistical reporting API credentials — JSON object with rbnz_key and apra_key properties MOD-043 (regulatory reporting), MOD-044 (APRA statistical) RBNZ and APRA regulator portals — government-issued No — manual rotation per regulator schedule

Notes: - The SD07 and SD06 Snowflake connection strings may point to the same Snowflake account but use different databases and roles. Do not share the SD06 and SD07 private keys — separate service accounts. - reporting-submission-key holds two sub-keys (RBNZ and APRA). For NZ-only clients, apra_key may be null. For AU-only clients, rbnz_key may be null. The reporting module checks for null and skips submissions to regulators not applicable to the client's jurisdiction.

Cognito (managed separately)

Cognito app client IDs and client secrets are not stored in AWS Secrets Manager. They are managed in Cognito directly and referenced by Lambda functions via SSM Parameter Store (non-secret config paths):

  • /bank/{env}/cognito/customer-pool-id — Cognito user pool ID for bank-customers-{env}
  • /bank/{env}/cognito/customer-app-client-id — App client ID for the mobile app
  • /bank/{env}/cognito/staff-pool-id — Cognito user pool ID for bank-staff-{env}
  • /bank/{env}/cognito/staff-app-client-id — App client ID for internal tools

App client secrets (where applicable) are stored in Secrets Manager at /bank/{env}/cognito/customer-app-client-secret and /bank/{env}/cognito/staff-app-client-secret.

Secret rotation procedures

Automated rotation (Neon database connections)

Neon database URL secrets are rotated on a 90-day schedule. The rotation Lambda:

  1. Generates a new Neon database password via the Neon API.
  2. Updates the secret value in Secrets Manager (new version becomes AWSPENDING).
  3. Verifies connectivity with the new credentials.
  4. Marks the new version as AWSCURRENT; old version becomes AWSPREVIOUS.
  5. Lambda functions pick up the new credentials at next cold start (or within the Secrets Manager SDK cache TTL — typically 5 minutes).

No manual intervention required unless the rotation Lambda itself fails. Check CloudWatch Logs for the rotation Lambda (function name: bank-{env}-secrets-rotate-neon) if a rotation alarm triggers.

Manual rotation (third-party API keys)

For secrets with no automated rotation:

  1. Obtain the new credential from the provider portal or regulator.
  2. Use the AWS CLI or console to create a new version of the secret: 
    aws secretsmanager put-secret-value \
  --secret-id /bank/prod/{domain}/{secret-name} \
  --secret-string "{new value}"
  3. Verify the new credential works by invoking the relevant Lambda function's health-check endpoint.
  4. Document the rotation in the change management system (reference the secret path and rotation date).
  5. Revoke the old credential in the provider portal after confirming the new one is working.

For Snowflake key-pair rotation specifically: the new public key must be registered in Snowflake before the old private key is removed from Secrets Manager. Snowflake supports two concurrent active keys to allow zero-downtime rotation.

Rotation failure response

If a rotation alarm fires in CloudWatch:

  1. Check the rotation Lambda logs for the specific error.
  2. Common causes: Neon API rate limit, network timeout, or permission error on the Secrets Manager rotation role.
  3. If the secret is in AWSPENDING state (rotation started but not completed), do not manually intervene yet — trigger a retry via aws secretsmanager rotate-secret --secret-id {path} --rotate-immediately.
  4. If Lambda functions are already failing due to a bad credential, roll back by setting AWSCURRENT to the AWSPREVIOUS version: 
    aws secretsmanager update-secret-version-stage \
  --secret-id {path} \
  --version-stage AWSCURRENT \
  --move-to-version-id {previous-version-id} \
  --remove-from-version-id {pending-version-id}