AWS Secrets Manager

env-secrets supports pulling a single JSON secret from AWS Secrets Manager, mapping each top-level key to an environment variable.

It also supports secret lifecycle operations with env-secrets aws secret <command>.

Use:

  • env-secrets aws -s <secret-name> -- <command> to fetch/inject secret values while running a command (or use -o <file> to write env vars to a file).
  • env-secrets aws secret <command> for lifecycle operations (create, update, append, remove, upsert/import, list, get, delete).

Create a secret (JSON)

aws secretsmanager create-secret \
  --region us-east-1 \
  --name local/sample \
  --secret-string '{"user":"marka","password":"mypassword"}'

Run a command with injected vars

The variables are set only in the child process, so quote the references: an unquoted $user/$password would be expanded (to empty) by your current shell before env-secrets runs.

env-secrets aws -s local/sample -r us-east-1 -- sh -c 'echo "$user/$password"'

Parameters

  • -s, --secret — required secret name/id
  • -r, --region — AWS region (or AWS_DEFAULT_REGION)
  • -p, --profile — AWS profile to use

Inject into current shell

By default, variables are injected into the spawned child process only. To load variables into your current shell session:

env-secrets aws -s local/sample -r us-east-1 -o secrets.env
source secrets.env

Secret Management Commands

# Create
env-secrets aws secret create -n app/dev/api -v '{"API_KEY":"abc123"}' --output json

# Create from stdin
echo -n 'super-secret-value' | env-secrets aws secret create -n app/dev/raw --value-stdin

# Update
env-secrets aws secret update -n app/dev/api -v '{"API_KEY":"rotated"}'

# Append/remove keys on JSON secret
env-secrets aws secret append -n app/dev/api --key JIRA_EMAIL_TOKEN -v blah
env-secrets aws secret remove -n app/dev/api --key OLD_TOKEN

# Upsert/import from env file
env-secrets aws secret upsert --file .env --name app/dev --output json

# Result: one secret named app/dev with SecretString JSON:
# {"API_KEY":"abc123","DATABASE_URL":"postgres://..."}

# List
env-secrets aws secret list --prefix app/dev --output table

# Get metadata (does not print secret value)
env-secrets aws secret get -n app/dev/api --output json

# Delete (requires --yes)
env-secrets aws secret delete -n app/dev/raw --recovery-days 7 --yes

Supported commands:

  • create with --value, --value-stdin, or --file
  • update with value and/or metadata changes
  • append / remove for key-level edits on JSON object secrets
  • upsert/import from env files containing export KEY=value or KEY=value, stored as one JSON secret via --name
  • list with optional prefix/tag filters
  • get for metadata/version details
  • delete with recovery window or force-delete flags
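As an added example (not env-secrets' own code), the two mappings described above written out in JavaScript: an env file of `export KEY=value` / `KEY=value` lines parsed into the single JSON SecretString that upsert/import stores, and a JSON secret rendered back into env lines for `source`, as the -o path needs. The single-quoting of values is this example's choice, so that a secret containing `$`, spaces or `;` is never interpreted by the shell; the .env content and secret values are constructed.

```javascript
// Added example, not part of env-secrets. Implements the page's two mappings:
// .env file -> one JSON secret (upsert/import) and JSON secret -> env file (-o).
'use strict';

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/; // valid POSIX environment variable name

// Parse .env text into a flat object. Blank lines and `#` comments are skipped,
// a leading `export ` is dropped, and matching quotes around a value are removed.
function parseEnvFile(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([^=\s]+)\s*=\s*(.*)$/.exec(line);
    if (!m) throw new Error(`malformed line: ${raw}`);
    const [, key, value] = m;
    if (!IDENT.test(key)) throw new Error(`invalid variable name: ${key}`);
    out[key] = value.replace(/^(["'])(.*)\1$/, '$2');
  }
  return out;
}

// Serialize the parsed map as the SecretString of a single JSON secret.
function toSecretString(env) {
  return JSON.stringify(env);
}

// Map a JSON secret back to env-file lines. Each top-level key becomes one
// variable. Values are single-quoted so the shell takes them literally when the
// file is sourced; nested objects/arrays are rejected because they have no
// single environment-variable representation.
function toEnvFile(secretString) {
  const parsed = JSON.parse(secretString);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('secret is not a JSON object');
  }
  const lines = Object.entries(parsed).map(([key, value]) => {
    if (!IDENT.test(key)) throw new Error(`key is not a valid variable name: ${key}`);
    if (value !== null && typeof value === 'object') throw new Error(`nested value: ${key}`);
    const quoted = `'${String(value).replace(/'/g, `'\\''`)}'`; // close, escaped ', reopen
    return `export ${key}=${quoted}`;
  });
  return lines.join('\n') + '\n';
}
```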

Tips

  • Use DEBUG=env-secrets,env-secrets:secretsmanager for verbose logs.
  • Prefer least-privilege IAM (secretsmanager:GetSecretValue).