Parsing secrets from AWS secrets manager using AWS cli


Solution 1

Use the --query option of the CLI to extract just the secret.

aws secretsmanager get-secret-value --secret-id secrets --query SecretString --output text

Solution 2

aws secretsmanager get-secret-value --secret-id secrets | jq --raw-output '.SecretString' | jq -r .API_KEY

Using jq you can print it.

Solution 3

Small addition to helloV's answer. You can add the output parameter text to remove the quotes.

aws secretsmanager get-secret-value \
   --secret-id secrets \
   --query SecretString \
   --output text

Solution 4

When you have multiple secrets and get a JSON return, you can get the exact value of the password by using

aws secretsmanager get-secret-value --secret-id <secret_bucket_name> | jq --raw-output '.SecretString' | jq -r .key_for_password

Solution 5

So I faced a bit of trouble in extracting what I needed, the value for my two variables that I stored in SecretsManager. So here is what worked for me.

NOTE: It's an example from the AWS SecretsManager doc.

I ran this

aws secretsmanager get-secret-value --secret-id MyTestDatabaseSecret --version-stage AWSPREVIOUS

The response of this query is:

{
  "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
  "Name": "MyTestDatabaseSecret",
  "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
  "SecretString": "{\n  \"username\":\"david\",\n  \"password\":\"BnQw&XDWgaEeT9XGTT29\"\n}\n",
  "VersionStages": [
    "AWSPREVIOUS"
  ],
  "CreatedDate": 1523477145.713
}

Now I want to get the value of username, or password to be precise:

aws secretsmanager get-secret-value --secret-id MyTestDatabaseSecret --version-stage AWSPREVIOUS | jq --raw-output .SecretString | jq -r '.password'

Output

BnQw&XDWgaEeT9XGTT29
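A jq-free way to do the same extraction, added here as an example and not taken from any of the answers above: a Python 3 script (the file name get_secret_key.py is an assumption) that reads the CLI's JSON from stdin and prints one key of the nested SecretString. json.loads also decodes escapes such as \u0026 back into &, and dashed key names need no special quoting.

```python
"""Print one key of an AWS Secrets Manager secret without jq.

Reads the JSON that `aws secretsmanager get-secret-value` writes to stdout and
prints only the requested key of the nested SecretString, so the secret stays
in the pipe and never touches disk:
    aws secretsmanager get-secret-value --secret-id NAME | python3 get_secret_key.py password
"""
import json
import sys
from typing import Optional


def extract_secret_key(response_json: str, key: Optional[str] = None) -> str:
    """Return doc[key] from SecretString, or the whole SecretString if key is None."""
    response = json.loads(response_json)
    if "SecretString" not in response:
        # Binary secrets come back as SecretBinary; this helper handles text only.
        raise ValueError("response has no SecretString (binary secret?)")
    secret = response["SecretString"]
    if key is None:
        return secret  # plain-text secret, or caller wants the raw JSON document
    try:
        # SecretString is a JSON document serialised as a string; json.loads also
        # turns escapes such as \u0026 back into '&', and dashed keys need no quoting.
        doc = json.loads(secret)
    except json.JSONDecodeError as exc:
        raise ValueError("SecretString is not JSON; omit the key to print it whole") from exc
    if not isinstance(doc, dict) or key not in doc:
        raise KeyError(key)  # name the missing key, never echo the secret's contents
    return str(doc[key])


# Constructed sample modelled on the response in Solution 5; the password's '&'
# arrives as the JSON escape \u0026, as one commenter observed.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret",
    "SecretString": '{\n  "username":"david",\n  "password":"BnQw\\u0026XDWgaEeT9XGTT29",\n  "my-secret":"dash-ok"\n}\n',
    "VersionStages": ["AWSCURRENT"],
})


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    try:
        print(extract_secret_key(raw, wanted))
    except (ValueError, KeyError) as exc:
        sys.exit(f"error: {exc}")
```

Run without a pipe it falls back to the constructed sample, which is handy for checking the parsing before pointing it at a real secret.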
Author: Moddaman

Updated on July 09, 2022

Comments

  • Moddaman
    Moddaman almost 2 years

    I am retrieving secrets I have stored in AWS secrets manager with the AWS cli like this:

    aws secretsmanager get-secret-value --secret-id secrets
    

    Which returns

    arn:aws:secretsmanager<ID>:secret:my_secrets <number> my_secrets {"API_KEY":"ABCDEFGHI"}       <UUID string>
    VERSIONSTAGES   AWSCURRENT
    

    Does anyone know how I only get the secret ("API_KEY": "ABCDEFGHI")? I need to move these secrets to my register-task-definition environment variables. The best way would be to store them in a file and delete it after use, or store them in a variable. It is running on a Linux machine.

  • Cale
    Cale over 5 years
    Is this no longer working? Every secret is null for me.
  • Cale
    Cale over 5 years
    Ah, SecretString selects the entire secret string; it is not used to match a secret key.
  • Balaji Boggaram Ramanarayan
    Balaji Boggaram Ramanarayan almost 5 years
    jq is not a standard utility.
  • committedandroider
    committedandroider almost 5 years
    @caleb Just running the command resulted in that error, or with --query did it work?
  • Aseem Jain
    Aseem Jain about 4 years
    jq is a JSON utility for the shell. It helps to parse the JSON and pull the attribute from the file.
  • crypdick
    crypdick over 3 years
    This is a copy-paste of this answer: stackoverflow.com/a/52921217/4212158
  • Yann Stoneman
    Yann Stoneman about 3 years
    And if your secret has a dash, you can use: aws secretsmanager get-secret-value --secret-id my-secret --query SecretString --output text | jq '."my-secret"'
  • Yann Stoneman
    Yann Stoneman about 3 years
    Correction, to remove quotes in addition to making it work for a secret with a dash: aws secretsmanager get-secret-value --secret-id my-secret --query SecretString --output text | jq -r '."my-secret"'
  • GwenM
    GwenM about 3 years
    You're missing a "\" before the last }, like tr -d \"\}
  • Jon
    Jon about 3 years
    @GwenM Not needed on GNU/Bash.
  • GwenM
    GwenM about 3 years
    Ah yeah, you might be right, I was using ZSH on Mac.
  • Auro Sarma
    Auro Sarma about 3 years
    In my case, the password has an '&' symbol and is converted to '\u0026'. Is there any workaround for this?
  • Ashish Karpe
    Ashish Karpe over 2 years
    I want to list all secrets and then get all values and run grep against it.
  • Ashish Karpe
    Ashish Karpe over 2 years
    aws secretsmanager get-secret-value --secret-id * is not working for me.
  • thecloudguy
    thecloudguy over 2 years
    What is the error message? Do you have access rights to all? Are you passing the version number in your query? Instead of using the * wildcard character, can you make a list of secret-ids and then run a loop? First, try to run it for 10 odd secrets and then check to scale it up.
  • Ashish Karpe
    Ashish Karpe over 2 years
    github.com/ashishkarpe/scripts_aws_cli/blob/main/… I have written a script which worked for me, thanks.
  • thecloudguy
    thecloudguy over 2 years
    Did it work? You tested it. If yes, then great. :)
  • Ashish Karpe
    Ashish Karpe over 2 years
    Yes, I tested it and it worked.
  • Pierre
    Pierre over 2 years
    A good answer which doesn't require jq.