Parsing secrets from AWS secrets manager using AWS cli

30
votes

I am retrieving secrets I have stored in AWS secrets manager with the AWS cli like this:

aws secretsmanager get-secret-value --secret-id secrets

Which returns

arn:aws:secretsmanager<ID>:secret:my_secrets <number> my_secrets {"API_KEY":"ABCDEFGHI"}       <UUID string>
VERSIONSTAGES   AWSCURRENT

Does anyone know how I only get the secret ("API_KEY": "ABCDEFGHI")? I need to move these secrets to my register-task-definition environment variables. The best way would be to store them in a file and delete it after us or store them in variable. It is running on a linux machine.

8
linuxamazon-web-servicesaws-cliaws-secrets-manager

8 Answers

52
votes

Use the --query option of the CLI to extract just the secret.

aws secretsmanager get-secret-value --secret-id secrets --query SecretString --output text
20
votes

Small addition to helloV answer. You can add the output parameter text to remove the quotes.

aws secretsmanager get-secret-value \
   --secret-id secrets \
   --query SecretString \
   --output text
19
votes

aws secretsmanager get-secret-value --secret-id secrets| jq --raw-output '.SecretString' | jq -r .API_KEY

using jq you can print.

8
votes

When you have multiple secret and you get json return, you can use get the exact value of password by using 

aws secretsmanager get-secret-value --secret-id <secret_bucket_name> | jq --raw-output '.SecretString' | jq -r .key_for_password
3
votes

So I faced a bit of trouble in extracting what I needed, the value for my two variables that I stored in SecretsManager. So here is what worked for me.

NOTE: It's an example from the AWS SecretsManager doc.

I ran this

aws secretsmanager get-secret-value --secret-id MyTestDatabaseSecret --version-stage AWSPREVIOUS

The response of this query is:

{
  "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
  "Name": "MyTestDatabaseSecret",
  "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
  "SecretString": "{\n  \"username\":\"david\",\n  \"password\":\"BnQw&XDWgaEeT9XGTT29\"\n}\n",
  "VersionStages": [
    "AWSPREVIOUS"
  ],
  "CreatedDate": 1523477145.713
}

Now I want to get the value of username or password to be precise

aws secretsmanager get-secret-value --secret-id MyTestDatabaseSecret --version-stage AWSPREVIOUS | jq --raw-output .SecretString | jq -r ."password"

Output

BnQw&XDWgaEeT9XGTT29
2
votes

If your secret will only have one key/pair value, and you only want the value to be printed out, and you don't want to rely on your system having jq installed first, you can do:

aws secretsmanager get-secret-value --secret-id secrets --query SecretString --output text | cut -d: -f2 | tr -d \"}
0
votes

PowerShell solution without Jq

$a = aws secretsmanager get-secret-value --region <region> --secret-id <secret-name>  | ConvertFrom-Json

$a all json converted to objects type

Output

ARN           : xxxxxx
Name          : postgxxx
VersionId     : fxxxx-xx-x-xx
SecretString  : {"key":"value","key2":"value"}
VersionStages : {xxxxx}
CreatedDate   : xxxxx.xx

$b = $a.SecretString | ConvertFrom-Json

Output

key : value
key2 : value

$b.key

**Output** 
value
-3
votes

Use this to get just the value of the secret key. Make sure to fill in your secert ID and the key of the secret:

aws secretsmanager get-secret-value --secret-id <yourSecretID> | jq '.SecretString' | tail -c +2 | head -c -2 | tr -d '\' | jq .<YourSecretKey>