LinuxCommandLibrary

aws-secretsmanager

Manage secrets stored in AWS Secrets Manager

TLDR

Show secrets stored by the secrets manager in the current account

$ aws secretsmanager list-secrets

List all secrets but only show the secret names and ARNs (easy to view)
$ aws secretsmanager list-secrets --query 'SecretList[*].{Name: Name, ARN: ARN}'

Create a secret
$ aws secretsmanager create-secret --name [name] --description "[secret_description]" --secret-string '[secret]'

Delete a secret (append --force-delete-without-recovery to delete immediately without any recovery period)
$ aws secretsmanager delete-secret --secret-id [name|arn]

View details of a secret except for secret text
$ aws secretsmanager describe-secret --secret-id [name|arn]

Retrieve the value of a secret (to get the latest version of the secret omit --version-stage)
$ aws secretsmanager get-secret-value --secret-id [name|arn] --version-stage [version_of_secret]

Rotate the secret immediately using a Lambda function
$ aws secretsmanager rotate-secret --secret-id [name|arn] --rotation-lambda-arn [arn_of_lambda_function]

Rotate the secret automatically every 30 days using a Lambda function
$ aws secretsmanager rotate-secret --secret-id [name|arn] --rotation-lambda-arn [arn_of_lambda_function] --rotation-rules AutomaticallyAfterDays=[30]

SYNOPSIS

aws secretsmanager subcommand [options]

Examples of common subcommands:
aws secretsmanager create-secret [--name value] [--secret-string value]
aws secretsmanager get-secret-value [--secret-id value]
aws secretsmanager list-secrets
aws secretsmanager rotate-secret [--secret-id value]
aws secretsmanager delete-secret [--secret-id value]

PARAMETERS

--region value
    Specifies the AWS region to send the request to (e.g., us-east-1). Overrides the default region configured for the profile.

--output value
    Specifies the output format: json, text, or table. Defaults to json.

--profile value
    Specifies the named profile to use for the command. Useful when managing multiple AWS accounts or roles.

--secret-id value
    A common parameter used by many secretsmanager subcommands. It specifies the ARN or the name of the secret to operate on.

--secret-string value
    Used by create-secret and update-secret. The text of the secret. Can be plain text or a JSON string. If it's a JSON string, it must be valid JSON.

--name value
    Used by create-secret to specify a friendly name for the new secret.

Subcommand Specific Parameters
    Each secretsmanager subcommand (e.g., get-secret-value, create-secret, update-secret) has its own set of specific parameters required for its operation. These are detailed in the AWS CLI documentation for each subcommand.

DESCRIPTION

The aws secretsmanager command, part of the AWS Command Line Interface (CLI), provides a powerful interface for interacting with the AWS Secrets Manager service directly from your terminal.

AWS Secrets Manager is a dedicated service designed to help you securely store, manage, and retrieve credentials, API keys, and other sensitive information throughout their lifecycle. It offers features like automatic rotation of secrets, fine-grained access control through AWS Identity and Access Management (IAM), and integration with various AWS services.

Using the aws secretsmanager CLI subcommands, developers and administrators can programmatically perform operations such as creating new secrets, retrieving secret values, updating secret configurations, deleting secrets, configuring automatic rotation, and managing resource policies. This command-line access facilitates automation, scripting, and integration into CI/CD pipelines, enabling organizations to improve their security posture by minimizing hardcoded credentials and centralizing secret management.

CAVEATS

1. AWS CLI Installation and Configuration: The aws secretsmanager command requires the AWS Command Line Interface (CLI) to be installed and properly configured with AWS credentials and a default region.
2. IAM Permissions: The AWS identity (user or role) executing the command must have the necessary IAM permissions to perform the requested Secrets Manager operations (e.g., secretsmanager:GetSecretValue, secretsmanager:CreateSecret). Lack of permissions will result in 'Access Denied' errors.
3. Network Connectivity: Requires outbound internet connectivity to AWS endpoints for the Secrets Manager service.
4. JSON Handling: Many Secrets Manager operations involve inputting or outputting JSON data. Familiarity with JSON parsing and construction (e.g., using jq) is often beneficial for scripting.

EXAMPLE: RETRIEVING A SECRET VALUE

To retrieve the value of a secret named my-application-db-creds:

aws secretsmanager get-secret-value --secret-id my-application-db-creds --query SecretString --output text

This command fetches the secret, then uses a JMESPath query to extract only the SecretString field, and outputs it as plain text.
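The same retrieval done from a script, as an added example that is not part of the LinuxCommandLibrary page or the AWS CLI: it wraps the get-secret-value call and parses the CLI's JSON output, handling both the SecretString and SecretBinary response shapes. The sample response, ARN and credential values are constructed, not real.

```python
# Added example (not from the page or the AWS CLI): parse get-secret-value output.
import base64
import json
import subprocess
from typing import Any, Optional


def run_get_secret_value(secret_id: str, version_stage: Optional[str] = None) -> str:
    # Invokes the real CLI (needs configured credentials); returns raw JSON text.
    cmd = ["aws", "secretsmanager", "get-secret-value",
           "--secret-id", secret_id, "--output", "json"]
    if version_stage:  # omit to get the AWSCURRENT version
        cmd += ["--version-stage", version_stage]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def decode_secret(response_text: str) -> Any:
    # A response carries either SecretString (text) or SecretBinary (base64 in
    # the CLI's JSON output). A JSON-formatted SecretString is parsed; a plain
    # text secret is returned as str, a binary one as bytes.
    resp = json.loads(response_text)
    if "SecretString" in resp:
        text = resp["SecretString"]
        try:
            return json.loads(text)
        except ValueError:
            return text
    if "SecretBinary" in resp:
        return base64.b64decode(resp["SecretBinary"])
    raise KeyError("response has neither SecretString nor SecretBinary")


def secret_field(response_text: str, key: str) -> str:
    # Pull one key (e.g. "password") out of a JSON-formatted secret.
    payload = decode_secret(response_text)
    if not isinstance(payload, dict):
        raise TypeError("secret is not a JSON object; cannot select a field")
    return payload[key]


# Constructed sample shaped like the CLI's output; the ARN and values are fake.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-application-db-creds-AbCdEf",
    "Name": "my-application-db-creds",
    "VersionId": "00000000-0000-0000-0000-000000000000",
    "SecretString": '{"username":"admin","password":"supersecurepassword"}',
    "VersionStages": ["AWSCURRENT"],
})

if __name__ == "__main__":
    print(secret_field(SAMPLE_RESPONSE, "username"))  # swap in run_get_secret_value(...)
```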

EXAMPLE: CREATING A NEW SECRET

To create a new secret named api-key-service-x with a simple string value:

aws secretsmanager create-secret --name api-key-service-x --secret-string '{"username":"admin","password":"supersecurepassword"}'

Note the use of single quotes around the JSON secret string: they keep the shell from interpreting the double quotes inside it, so those do not need to be escaped.

IAM PERMISSIONS FOR SECRETS MANAGER

Access to Secrets Manager is controlled by IAM policies. Key actions include:

  • secretsmanager:GetSecretValue: Allows retrieving a secret's value.
  • secretsmanager:CreateSecret: Allows creating new secrets.
  • secretsmanager:UpdateSecret: Allows modifying existing secrets.
  • secretsmanager:DeleteSecret: Allows deleting secrets.
  • secretsmanager:RotateSecret: Allows initiating secret rotation.
It's recommended to grant the least privilege necessary for any application or user interacting with Secrets Manager.
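A least-privilege policy for one secret, plus a small checker that flags Allow statements granting broad Secrets Manager access, as an added example that is not part of the page or of any AWS tooling; the secret ARN in it is constructed.

```python
# Added example (not from the page): least-privilege policy and a breadth check.
import fnmatch
import json

SENSITIVE_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
                     "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret",
                     "secretsmanager:RotateSecret")


def read_only_policy(secret_arn: str) -> dict:
    # Grants only what a consumer of one secret needs; nothing on other secrets.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["secretsmanager:GetSecretValue",
                                      "secretsmanager:DescribeSecret"],
                           "Resource": secret_arn}]}


def _as_list(value) -> list:
    # IAM accepts a single string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]


def broad_grants(policy: dict) -> list:
    # Returns human-readable findings; an empty list means nothing looked broad.
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        touches_sm = any(a == "*" or a.lower().startswith("secretsmanager:") for a in actions)
        for act in actions:
            # IAM action matching is case-insensitive and supports '*' wildcards.
            if "*" in act and any(fnmatch.fnmatchcase(s.lower(), act.lower())
                                  for s in SENSITIVE_ACTIONS):
                findings.append(f"Statement {i}: wildcard action {act!r} covers "
                                "sensitive Secrets Manager actions")
        for res in _as_list(st.get("Resource", [])):
            if touches_sm and (res == "*" or res.endswith(":secret:*")):
                findings.append(f"Statement {i}: resource {res!r} is not scoped "
                                "to a specific secret ARN")
    return findings


if __name__ == "__main__":
    # Constructed ARN; use the real one shown by `aws secretsmanager describe-secret`.
    print(json.dumps(read_only_policy(
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-key-service-x-AbCdEf"),
        indent=2))
```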

HISTORY

The AWS Secrets Manager service was publicly launched by Amazon Web Services (AWS) in April 2018. Its introduction addressed the growing need for a centralized, secure, and automated solution for managing database credentials, API keys, and other sensitive information that applications and services rely on.

Shortly after the service's launch, corresponding support was integrated into the AWS Command Line Interface (CLI), allowing users to interact with Secrets Manager programmatically and integrate secret management into their automation workflows. Since then, AWS has continually enhanced the service and its CLI capabilities, adding features such as improved rotation options, cross-account secret sharing, and integration with more AWS services, solidifying its role as a core component of AWS security best practices.

SEE ALSO

aws(1) - The main AWS Command Line Interface entry point.
jq(1) - A lightweight and flexible command-line JSON processor, often used to parse output from AWS CLI commands.
aws kms(1) - AWS Key Management Service, often used in conjunction with Secrets Manager for encryption.
aws iam(1) - AWS Identity and Access Management, for managing permissions related to Secrets Manager access.
