AWS Secrets Manager

env-secrets supports pulling a single JSON secret from AWS Secrets Manager, mapping each top-level key to an environment variable.

It also supports secret lifecycle operations with env-secrets aws secret <command>.

Use:

  • env-secrets aws -s <secret-name> -- <command> to fetch/inject secret values while running a command (or use -o <file> to write env vars to a file).
  • env-secrets aws secret <command> for lifecycle operations (create, update, append, remove, upsert/import, list, get, value, delete).

Create a secret (JSON)

aws secretsmanager create-secret \
--region us-east-1 \
--name local/sample \
--secret-string '{"user":"marka","password":"mypassword"}'

Passing the value inline leaves it in your shell history and in the process listing while the command runs; for anything other than a throwaway test, put the JSON in a file with restrictive permissions and pass --secret-string file://local-sample.json instead.

Run a command with injected vars

Quote the variable references so that your current shell does not expand them before env-secrets has injected the values into the child process (unquoted, $user and $password would be replaced by the calling shell, which does not have them set):

env-secrets aws -s local/sample -r us-east-1 -- sh -c 'echo "$user/$password"'

Parameters

  • -s, --secret — secret name/id (required)
  • -r, --region — AWS region (or AWS_DEFAULT_REGION)
  • -p, --profile — AWS profile to use
  • -o, --output <file> — write export KEY=value lines to a file and exit (no program is executed; source the file to load variables into your current shell)
  • --no-shell — run the program directly without a shell wrapper (disables shell expansion)

Inject into current shell

By default, variables are injected into the spawned child process only. To load variables into your current shell session, write them to a file and source it:

env-secrets aws -s local/sample -r us-east-1 -o secrets.env
source secrets.env

The file holds the secret values in plaintext. Create it with restrictive permissions (for example after umask 077), keep it out of version control, and delete it once it has been sourced.

Secret Management Commands

# Create
env-secrets aws secret create -n app/dev/api -v '{"API_KEY":"abc123"}' --output json

# Create from stdin
echo -n 'super-secret-value' | env-secrets aws secret create -n app/dev/raw --value-stdin

# Update
env-secrets aws secret update -n app/dev/api -v '{"API_KEY":"rotated"}'

# Append/remove keys on JSON secret
env-secrets aws secret append -n app/dev/api --key JIRA_EMAIL_TOKEN -v blah
env-secrets aws secret remove -n app/dev/api --key OLD_TOKEN

# Upsert/import from env file
env-secrets aws secret upsert --file .env --name app/dev --output json

# Result: one secret named app/dev with SecretString JSON:
# {"API_KEY":"abc123","DATABASE_URL":"postgres://..."}

# List
env-secrets aws secret list --prefix app/dev --output table

# Get metadata (does not print secret value)
env-secrets aws secret get -n app/dev/api --output json

# Get secret values (masked by default in table output)
env-secrets aws secret value -n app/dev/api

# Reveal actual values (warning printed to stderr)
env-secrets aws secret value -n app/dev/api --reveal

# Get values as JSON (always returns full values)
env-secrets aws secret value -n app/dev/api --output json

# Delete (requires --yes; use one of the two options below)
env-secrets aws secret delete -n app/dev/raw --recovery-days 7 --yes
env-secrets aws secret delete -n app/dev/raw --force-delete-without-recovery --yes

Supported commands:

  • create with --value, --value-stdin, or --file
  • update with value and/or metadata changes
  • append / remove for key-level edits on JSON object secrets
  • upsert/import from env files containing export KEY=value or KEY=value, stored as one JSON secret via --name
  • list with optional prefix/tag filters
  • get for metadata/version details (does not print secret values)
  • value to retrieve secret values: masked by default in table output, --reveal opt-in, JSON output always returns full values
  • delete with --recovery-days <7-30> or --force-delete-without-recovery, and required --yes
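The two formats that meet at the shell/JSON boundary above, the export KEY=value files written by -o <file> and read by upsert/import, and the single JSON object stored as SecretString, are easy to get subtly wrong: a value containing a space, a $ or a quote must be quoted before the file can be sourced safely. The script below is an added example written for this page, not env-secrets' own code. It parses an env file into the one-object shape the upsert command stores, renders a JSON secret back into export lines, and shell-quotes each value and validates each key so that a secret value (or a hostile key) cannot become extra shell words when the file is sourced. The sample env content is constructed, and the quoting rules and key validation are this example's own choices, not documented env-secrets behaviour.

```python
"""Map env files <-> the single JSON secret shape that env-secrets uses.

Added illustration written for this page; it is not env-secrets' own code.
The shell-quoting and key validation below are this example's assumptions
about what a file must look like to be safe to `source`.
"""
import json
import re
import shlex

# Constructed sample .env content (not from a real project): `export` prefix,
# bare, double- and single-quoted values, a comment line and a blank line.
SAMPLE_ENV = """\
# database settings
export API_KEY=abc123
DATABASE_URL="postgres://app:p4ss w0rd@db.internal:5432/app"

SESSION_SECRET='pa$$ word'
EMPTY=
"""

# POSIX environment variable name: letters, digits, underscore, no leading digit.
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_env(text: str) -> dict:
    """Parse `KEY=value` / `export KEY=value` lines into one dict (one secret).

    Lines are split with shlex so quoting behaves as it would under `source`
    (without `$` expansion). Blank lines and `#` comment lines are skipped;
    a later duplicate key overrides an earlier one, as in a shell.
    """
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        words = shlex.split(raw)
        if words and words[0] == "export":
            words = words[1:]
        for word in words:
            key, sep, value = word.partition("=")
            if not sep or not _NAME.match(key):
                raise ValueError(f"not a KEY=value assignment: {raw!r}")
            values[key] = value
    return values


def to_secret_string(values: dict) -> str:
    """Serialise the dict as the JSON object stored in SecretString.

    Keys are sorted and whitespace dropped so re-importing the same env file
    yields a byte-identical SecretString (no spurious new secret version).
    """
    return json.dumps(values, sort_keys=True, separators=(",", ":"))


def to_export_lines(secret_string: str) -> str:
    """Render a JSON object secret as `export KEY=value` lines for `source`.

    Each value is passed through shlex.quote, so spaces, `$`, backticks and
    quotes inside a secret are loaded literally instead of being expanded or
    executed by the sourcing shell. Keys are validated first: a key such as
    `X=1; id` would otherwise smuggle extra shell words into the file.
    """
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object with top-level keys")
    lines = []
    for key in sorted(data):
        if not _NAME.match(key):
            raise ValueError(f"invalid environment variable name: {key!r}")
        value = data[key]
        if not isinstance(value, str):
            # Non-string values are kept as JSON text (this example's choice).
            value = json.dumps(value, separators=(",", ":"))
        lines.append(f"export {key}={shlex.quote(value)}")
    return "\n".join(lines) + "\n"


def round_trip(text: str) -> bool:
    """True if env -> JSON -> export lines -> env preserves every value."""
    original = parse_env(text)
    return parse_env(to_export_lines(to_secret_string(original))) == original


if __name__ == "__main__":
    secret = to_secret_string(parse_env(SAMPLE_ENV))
    print(secret)
    print(to_export_lines(secret), end="")
```

Run it to see the JSON that would become the SecretString for the sample file and the export lines that would be written back out; SESSION_SECRET comes out as export SESSION_SECRET='pa$$ word', which sources to the literal value, whereas an unquoted rendering would have the shell expand $$ to its own PID.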

Tips

  • Use DEBUG=env-secrets,env-secrets:secretsmanager for verbose logs.
  • Prefer least-privilege IAM. Running commands and writing env files needs only secretsmanager:GetSecretValue, scoped to the ARNs of the secrets actually used (plus kms:Decrypt on the key if a secret is encrypted with a customer-managed KMS key rather than the default AWS-managed one); grant the create, update, describe, list and delete actions only to the identities that run the secret lifecycle commands.
  • env-secrets aws secret value --reveal and value --output json both print full secret values; avoid them in CI jobs or anywhere stdout is captured into logs.