1

The question is, how to easily fetch sensitive information from AWS Secrets Manager within Bash scripts? To get the response from the aws cli command is quite straightforward:

json_value=$(aws secretsmanager get-secret-value --secret-id "$1")

The problem is, the response is returned in JSON format, and it will take some space to deserialize and parse all the parameters. Is there any easy way to do it?

2 Answers

3

If you have stored the secrets as simple strings, you can retrieve them using

aws secretsmanager get-secret-value --secret-id "$SECRET_ID" --query "SecretString" --output text

2 Comments

Now try to use this command, when under SECRET_ID you have several values, and not just one.
Most people use the jq tool for this purpose, see stackoverflow.com/questions/50911540/…
0

I know it's Q&A, I just wanted to share with you a very handy Bash function to get all the information in a very convenient way (Python on the instance required).

# Usage Ex. exportSecrets <Secrets-Name> <Key-Name-1> <Key-Name-2>...
exportSecrets() {
  local json_value;
  json_value=$(aws secretsmanager get-secret-value --secret-id "$1")

  echo "------->"
  printf "Secrets RESULT. Json: \n%s\n" "$json_value"

  shift; local json_keys=("$@")

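  fetchJson() {
    # "${json_keys[*]}" joins every requested key with spaces; a bare
    # "$json_keys" would expand to the first array element only.
    python - "$json_value" "${json_keys[*]}" <<EOF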
import json, sys
secrets = json.loads(json.loads(
    sys.argv[1])['SecretString']
)

ans = []
for k in sys.argv[2].split(' '):
    ans.append(secrets[k])
print(' '.join(ans))
EOF
  }

  SECRETS=$(fetchJson)
  echo "------->"
  printf "Resolved Secrets: \n%s\n" "$SECRETS"
}

Now, with the above, you can simply call the function with params and get back an exported variable with the response as a list for further use.

exportSecrets "YOUR-KEY-STORAGE" "KEY-NAME-1" "KEY-NAME-2"

# 'local' is only valid inside a function, so plain assignments are used here.
key1=$(echo "$SECRETS" | cut -d' ' -f1)
echo "$key1"

key2=$(echo "$SECRETS" | cut -d' ' -f2)
echo "$key2"
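
Added example, not part of either answer above: a variant of the Python-based approach for a secret that holds several keys, which feeds the JSON to Python on stdin instead of argv, keeps values containing spaces intact, and prints nothing. The helper names, `DB_USER`/`DB_PASS`, the key names and the sample JSON are constructed for illustration; the AWS CLI and `python3` are assumed to be on PATH.

```bash
# Print the raw SecretString for a secret id (one API call).
fetch_secret_string() {
  aws secretsmanager get-secret-value --secret-id "$1" \
    --query SecretString --output text
}

# secret_field <key>: read a JSON SecretString on stdin, write one value.
# Command-line arguments are visible in process listings, so the secret is
# passed on stdin; only the non-sensitive key name goes on argv.
secret_field() {
  python3 -c '
import json, sys
key = sys.argv[1]
try:
    secrets = json.load(sys.stdin)
except ValueError:
    sys.exit("SecretString is not valid JSON")
if not isinstance(secrets, dict) or key not in secrets:
    sys.exit("key not found in secret: " + key)
value = secrets[key]
# Strings are written as-is (spaces preserved); other types as JSON.
sys.stdout.write(value if isinstance(value, str) else json.dumps(value))
' "$1"
}

# load_db_credentials <secret-id>: one fetch, several keys, nothing echoed.
# printf is a shell builtin, so the JSON never lands in another process argv.
# DB_USER, DB_PASS and the key names are assumptions for this example.
load_db_credentials() {
  secret_json=$(fetch_secret_string "$1") || return 1
  DB_USER=$(printf '%s' "$secret_json" | secret_field username) || return 1
  DB_PASS=$(printf '%s' "$secret_json" | secret_field password) || return 1
  unset secret_json
}

# Constructed sample standing in for a real SecretString (offline testing).
SAMPLE_SECRET='{"username":"app_user","password":"p@ss word","port":5432}'
```

A missing key or a non-JSON SecretString makes `secret_field` exit non-zero with a message on stderr that names the key but never the secret value.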
