Fetch & Store AWS Secrets Manager Secrets in JSON File

In this post, I’m going to describe how you can fetch secrets from AWS Secrets Manager and store them in a JSON file using PowerShell.

What is AWS Secrets Manager?

AWS Secrets Manager is a managed service for storing, rotating, and retrieving secrets such as database credentials, API keys, and other credentials, so you don't have to build and operate your own secret store. Secrets are encrypted at rest with AWS KMS keys, access is controlled with IAM (and optionally a resource policy on the secret), and every retrieval is recorded in CloudTrail, so you can audit who read which secret and when.

Why Use PowerShell for Managing Secrets?

PowerShell is a powerful scripting language and automation framework commonly used by system administrators and developers. Using PowerShell to interact with AWS Secrets Manager lets you automate the retrieval and management of secrets, so your applications get the credentials they need without those credentials being hardcoded in your codebase. Keep in mind, though, that writing fetched secrets to a file moves them out of a managed, audited store and onto local disk in plaintext. The file then needs the same care as any credential: restricted permissions, never committed to source control, and deleted when it is no longer needed. Where the consuming application can call Secrets Manager itself at startup, that is preferable to a file on disk.

Setup

Before you start, ensure you have the following:

  1. AWS credentials the PowerShell module can use (a profile in the shared credentials file created by aws configure, an instance or container role, or a profile saved with Set-AWSCredential -StoreAs), belonging to an IAM identity that is allowed secretsmanager:GetSecretValue on the secrets you want to read. If a secret is encrypted with a customer-managed KMS key, the identity also needs kms:Decrypt on that key; the default aws/secretsmanager key needs no extra grant. The AWS CLI itself is not required by the module.
  2. AWS PowerShell module installed.

To install the AWS PowerShell module, run the following command in PowerShell:

Install-Module -Name AWSPowerShell -Force

AWSPowerShell is the legacy single-module distribution for Windows PowerShell. AWS now recommends the modular AWS.Tools modules, which also run on PowerShell 7; for this script that is Install-Module -Name AWS.Tools.SecretsManager. The cmdlet names are identical either way. Adding -Scope CurrentUser avoids needing an elevated shell, and -Force only suppresses confirmation prompts.
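Point 1 of the setup is where most of the security work sits, so here is an added example (my own, not code from the original post) of a least-privilege managed policy for the identity that runs the fetch script: it grants secretsmanager:GetSecretValue on the two secrets the script reads and nothing else. The account ID, policy name, role name and KMS key ARN are placeholders; the IAM cmdlets come from AWS.Tools.IdentityManagement (also present in the monolithic AWSPowerShell module).

```powershell
# Added example, not code from the original post. Creates a least-privilege
# managed policy for the identity that runs the fetch script. The account ID,
# policy name, role name and KMS key ARN are placeholders.
Import-Module AWS.Tools.IdentityManagement   # the monolithic AWSPowerShell module also works

$accountId  = "123456789012"        # placeholder account ID
$policyName = "SecretsFetcherRead"  # placeholder policy name

# A secret's ARN ends in a random 6-character suffix (mySecret1-AbCdEf), so the
# trailing "-*" is what lets the policy name a secret without granting access
# to every secret in the account.
$secretArns = @(
    "arn:aws:secretsmanager:us-west-2:${accountId}:secret:mySecret1-*",
    "arn:aws:secretsmanager:us-east-1:${accountId}:secret:mySecret2-*"
)

$statements = @(
    [ordered]@{
        Sid      = "ReadOnlyTheSecretsTheScriptUses"
        Effect   = "Allow"
        Action   = "secretsmanager:GetSecretValue"
        Resource = $secretArns
    }
)

# Only needed when a secret is encrypted with a customer-managed KMS key; the
# default aws/secretsmanager key is usable without an explicit grant.
$customerManagedKeyArn = $null   # placeholder, e.g. "arn:aws:kms:us-west-2:${accountId}:key/<key-id>"
if ($customerManagedKeyArn) {
    $statements += [ordered]@{
        Sid      = "DecryptWithTheSecretsKey"
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = $customerManagedKeyArn
    }
}

$policyDocument = [ordered]@{
    Version   = "2012-10-17"
    Statement = $statements
} | ConvertTo-Json -Depth 5

$policyDocument   # print it so it can be reviewed before anything is created

# Create the managed policy, then attach it to the role (or user) that runs
# the fetch script. Nothing else should carry this permission.
$policy = New-IAMPolicy -PolicyName $policyName -PolicyDocument $policyDocument
Register-IAMRolePolicy -RoleName "SecretsFetcher" -PolicyArn $policy.Arn   # placeholder role name
```

Scoping Resource to the individual secret ARNs is the point: a policy with Resource "*" lets this script, or anyone who compromises the host it runs on, read every secret in the account. If you would rather attach the grant to the secret instead of the identity, the same statement goes into the secret's resource policy with a Principal element added.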

Fetching Secrets

Now we’re going to write a PowerShell script that fetches secrets from AWS Secrets Manager and stores them in a JSON file.

First, define the secrets you want to fetch. We’ll store these in an array for easy iteration.

$secrets = @(
    @{ Name = "mySecret1"; Region = "us-west-2" },
    @{ Name = "mySecret2"; Region = "us-east-1" }
)

Next, we create a function to fetch secrets from AWS Secrets Manager.

function Get-AWSSecret {
    param (
        [Parameter(Mandatory)] [string]$SecretName,
        [Parameter(Mandatory)] [string]$Region
    )

    try {
        # -ErrorAction Stop makes sure any failure (missing secret, AccessDenied,
        # KMS decrypt failure) lands in the catch block rather than printing and continuing.
        $secretValue = Get-SECSecretValue -SecretId $SecretName -Region $Region -ErrorAction Stop
        if ($secretValue.SecretString) {
            # Secrets created in the console are normally JSON key/value pairs, but a
            # secret can also be an arbitrary string; fall back to the raw value then.
            try {
                return $secretValue.SecretString | ConvertFrom-Json -ErrorAction Stop
            } catch {
                return $secretValue.SecretString
            }
        } elseif ($secretValue.SecretBinary) {
            Write-Error "Secret '$SecretName' holds binary data; this script only handles SecretString secrets"
        } else {
            Write-Error "SecretString is empty for secret: $SecretName"
        }
    } catch {
        Write-Error "Failed to fetch secret '$SecretName': $_"
    }
}

Store Secrets in a Hashtable

We will iterate over the secrets array, fetch each secret, and store them in a hashtable.

$secretsHashTable = @{}

foreach ($secret in $secrets) {
    $secretValue = Get-AWSSecret -SecretName $secret.Name -Region $secret.Region
    if ($secretValue) {
        $secretsHashTable[$secret.Name] = $secretValue
    }
}

Convert to JSON and Save to File

Finally, convert the hashtable to JSON and save it to a file. Two things to keep in mind here. The path below is a placeholder, and the real one should sit outside any source tree or shared folder, because the file holds every secret in plaintext; restrict its permissions to the account that will read it before anything else touches it. And on Windows PowerShell 5.1, Out-File -Encoding utf8 prepends a UTF-8 byte-order mark, which some JSON parsers reject (PowerShell 7 writes UTF-8 without a BOM by default).

$secretsJson = $secretsHashTable | ConvertTo-Json -Depth 10
$outputFilePath = "C:\path\to\your\secrets.json"
$secretsJson | Out-File -FilePath $outputFilePath -Encoding utf8

Write-Host "Secrets have been saved to $outputFilePath"
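As an added example (mine, not the original post's code), here is a replacement for the Out-File step that writes the JSON without a BOM and then replaces the file's inherited ACL with an explicit one, so only the account that ran the script, SYSTEM, and an optional reader account can open it. It assumes $secretsJson and $outputFilePath from the steps above; the reader account name is a placeholder.

```powershell
# Added example, not part of the original post. Assumes $secretsJson and
# $outputFilePath from the steps above; the reader account is a placeholder.
function Write-ProtectedSecretsFile {
    param (
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Json,
        # Optional extra principal allowed to read the file, e.g. the service
        # account of the application that consumes it ("DOMAIN\svc-app").
        [string]$ReaderAccount
    )

    # Write UTF-8 without a byte-order mark so any JSON parser accepts the file.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($Path, $Json, $utf8NoBom)

    # Build a fresh DACL instead of editing the inherited one: inheritance off,
    # no inherited entries kept, then only the explicit grants below.
    $acl = New-Object System.Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)

    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $grants = @(
        @{ Identity = $currentUser;          Rights = "FullControl" },
        @{ Identity = "NT AUTHORITY\SYSTEM"; Rights = "FullControl" }
    )
    if ($ReaderAccount) {
        $grants += @( @{ Identity = $ReaderAccount; Rights = "Read" } )
    }
    foreach ($grant in $grants) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $grant.Identity, $grant.Rights, "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return the entries now on the file so the caller can check them.
    return (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

$entries = Write-ProtectedSecretsFile -Path $outputFilePath -Json $secretsJson -ReaderAccount "DOMAIN\svc-app"
$entries | Format-Table -AutoSize
if ($entries | Where-Object { $_.IsInherited }) {
    Write-Warning "Inherited entries are still present on $outputFilePath; check the ACL manually."
}
```

Starting from a new FileSecurity object rather than Get-Acl avoids the usual mistake of adding a tight rule on top of an inherited "Users: Read" entry that quietly stays in place. On PowerShell 7 on Linux or macOS the same intent is chmod 600 on the file, and the parent directory should be equally restricted.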

Complete Script

Here is the complete script for fetching and storing secrets from AWS Secrets Manager.

# Load AWS PowerShell module
Import-Module AWSPowerShell

# Function to get secret from AWS Secrets Manager
function Get-AWSSecret {
    param (
        [Parameter(Mandatory)] [string]$SecretName,
        [Parameter(Mandatory)] [string]$Region
    )

    try {
        # -ErrorAction Stop makes sure any failure (missing secret, AccessDenied,
        # KMS decrypt failure) lands in the catch block rather than printing and continuing.
        $secretValue = Get-SECSecretValue -SecretId $SecretName -Region $Region -ErrorAction Stop
        if ($secretValue.SecretString) {
            # Secrets created in the console are normally JSON key/value pairs, but a
            # secret can also be an arbitrary string; fall back to the raw value then.
            try {
                return $secretValue.SecretString | ConvertFrom-Json -ErrorAction Stop
            } catch {
                return $secretValue.SecretString
            }
        } elseif ($secretValue.SecretBinary) {
            Write-Error "Secret '$SecretName' holds binary data; this script only handles SecretString secrets"
        } else {
            Write-Error "SecretString is empty for secret: $SecretName"
        }
    } catch {
        Write-Error "Failed to fetch secret '$SecretName': $_"
    }
}

# Define the secrets you want to fetch
$secrets = @(
    @{ Name = "mySecret1"; Region = "us-west-2" },
    @{ Name = "mySecret2"; Region = "us-east-1" }
)

# Initialize an empty hashtable to store secrets
$secretsHashTable = @{}

# Fetch each secret and store in the hashtable
foreach ($secret in $secrets) {
    $secretValue = Get-AWSSecret -SecretName $secret.Name -Region $secret.Region
    if ($secretValue) {
        $secretsHashTable[$secret.Name] = $secretValue
    }
}

# Convert the hashtable to JSON
$secretsJson = $secretsHashTable | ConvertTo-Json -Depth 10

# Define the output file path
$outputFilePath = "C:\path\to\your\secrets.json"

# Save the JSON to a file
$secretsJson | Out-File -FilePath $outputFilePath -Encoding utf8

Write-Host "Secrets have been saved to $outputFilePath"

And that’s it! With this script you can fetch secrets from AWS Secrets Manager and store them in a JSON file, so your applications get the credentials they need without those credentials living in your codebase. Remember that the JSON file now holds the secrets in plaintext: lock down its permissions, keep it out of version control and backups you don't control, delete it when it is no longer needed, and keep rotating the secrets in Secrets Manager on a schedule, because anything that has read the file has seen them.


Article Categories: # aws # powershell
Date Published: Aug 4, 2024

About

A tech blog by Andy P. I talk about coding, enterprise software development, tech, games design & other things that interest me.
