Extract Password from Secrets Manager via AWS CLI


Get the password value out of AWS Secrets Manager using the CLI

AWS has everything

AWS has a managed secrets vault called Secrets Manager. You can store things like passwords in it. Why would you put your passwords in AWS? Well, usually it would be because one of your apps needs to programmatically access it.

But sometimes you might want to access it in an ad-hoc way for yourself. AWS has everything, right? They have a nice cli. You can use the cli to get the passwords out of Secrets Manager... with some help.

The transform

The secrets are stored under identifiers, the secret-ids. You know which one you're looking for.

But the value returned by the cli is json if you ask for it with --output json. The json contains the password value. To get to the string of the password on the command line, you need another tool to parse json. There's a nice tool for this called jq. So call aws and then pipe it through jq in something like this:

aws secretsmanager get-secret-value \
  --profile [myawsprofile] \
  --secret-id [myidkey] \
  --output json \
  | jq -r '.SecretString'

The next transform

But if you're like some folks, you might store your credentials as user password pairs or something. You can do that with json inside Secrets Manager. But when returned by the cli, it's stringified json. So you have to parse it and then traverse it. jq wins again with something like this:

aws secretsmanager get-secret-value \
  --profile [myawsprofile] \
  --secret-id [myidkey] \
  --output json \
  | jq -r '.SecretString | fromjson.password'

fromjson does the parsing and the .password traverses to the "password" field inside it.
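
The fromjson step fails when the secret is a plain string or a binary secret (no SecretString at all), and a missing field silently prints "null". The wrapper below is an added example, not part of the original post, that makes those cases exit non-zero with a message instead; the function name secret_field and the sample responses are constructed for illustration, and it assumes jq is installed.

```shell
# Constructed sample responses in the shape returned by
# `aws secretsmanager get-secret-value --output json` (values are made up).
SAMPLE_JSON_SECRET='{"Name":"example/db","SecretString":"{\"username\":\"app\",\"password\":\"s3cr3t-constructed\"}"}'
SAMPLE_PLAIN_SECRET='{"Name":"example/token","SecretString":"plain-constructed-value"}'
SAMPLE_BINARY_SECRET='{"Name":"example/bin","SecretBinary":"Y29uc3RydWN0ZWQ="}'

# secret_field FIELD
# Reads a get-secret-value response on stdin and prints FIELD from the
# JSON stored in SecretString. Exits non-zero (message on stderr) when:
#   - there is no SecretString (e.g. the secret is binary)
#   - SecretString is not JSON (a plain-string secret)
#   - the parsed value is not an object or lacks FIELD
#   - the field's value is null or false (because of jq -e)
secret_field() {
  jq -e -r --arg f "$1" '
    .SecretString
    | if . == null then error("no SecretString in response") else . end
    | (try fromjson catch error("SecretString is not JSON"))
    | if type != "object" then error("SecretString is not a JSON object")
      elif has($f) then .[$f]
      else error("field not found in secret")
      end
  '
}

# Typical use, with the same placeholders as the commands above:
#   aws secretsmanager get-secret-value \
#     --profile [myawsprofile] \
#     --secret-id [myidkey] \
#     --output json \
#     | secret_field password
```

Capturing the result with `pw=$(... | secret_field password)` keeps the value out of the terminal scrollback, and the non-zero exit lets a script stop before using an empty or "null" password.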

Only 2 pipes, and you're done. How do you get password values out of AWS Secrets Manager?