Fetch & Store AWS Secrets Manager Secrets in JSON File
In this post, I’m going to describe how you can fetch secrets from AWS Secrets Manager and store them in a JSON file using PowerShell.
What is AWS Secrets Manager?
AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without the upfront cost and complexity associated with managing your own hardware security module (HSM) infrastructure. You can rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Why Use PowerShell for Managing Secrets?
PowerShell is a powerful scripting language and automation framework commonly used by system administrators and developers. Using PowerShell to interact with AWS Secrets Manager allows you to automate the retrieval and management of secrets, ensuring that your applications always have access to the necessary credentials without hardcoding them into your codebase.
Setup
Before you start, ensure you have the following:
- AWS CLI configured with appropriate permissions.
- AWS PowerShell module installed.
To install the AWS PowerShell module, run the following command in PowerShell:
Install-Module -Name AWSPowerShell -Force
Fetching Secrets
Now we’re going to write a PowerShell script that fetches secrets from AWS Secrets Manager and stores them in a JSON file.
First, define the secrets you want to fetch. We’ll store these in an array for easy iteration.
$secrets = @(
@{ Name = "mySecret1"; Region = "us-west-2" },
@{ Name = "mySecret2"; Region = "us-east-1" }
)
Next, we create a function to fetch secrets from AWS Secrets Manager.
function Get-AWSSecret {
param (
[string]$SecretName,
[string]$Region
)
try {
$secretValue = Get-SECSecretValue -SecretId $SecretName -Region $Region
if ($secretValue.SecretString) {
return $secretValue.SecretString | ConvertFrom-Json
} else {
Write-Error "SecretString is empty for secret: $SecretName"
}
} catch {
Write-Error "Failed to fetch secret: $_"
}
}
Store Secrets in a Hashtable
We will iterate over the secrets array, fetch each secret, and store them in a hashtable.
$secretsHashTable = @{}
foreach ($secret in $secrets) {
$secretValue = Get-AWSSecret -SecretName $secret.Name -Region $secret.Region
if ($secretValue) {
$secretsHashTable[$secret.Name] = $secretValue
}
}
Convert to JSON and Save to File
Finally, convert the hashtable to JSON and save it to a file.
$secretsJson = $secretsHashTable | ConvertTo-Json -Depth 10
$outputFilePath = "C:\path\to\your\secrets.json"
$secretsJson | Out-File -FilePath $outputFilePath -Encoding utf8
Write-Host "Secrets have been saved to $outputFilePath"
Complete Script
Here is the complete script for fetching and storing secrets from AWS Secrets Manager.
# Load AWS PowerShell module
Import-Module AWSPowerShell
# Function to get secret from AWS Secrets Manager
function Get-AWSSecret {
param (
[string]$SecretName,
[string]$Region
)
try {
$secretValue = Get-SECSecretValue -SecretId $SecretName -Region $Region
if ($secretValue.SecretString) {
return $secretValue.SecretString | ConvertFrom-Json
} else {
Write-Error "SecretString is empty for secret: $SecretName"
}
} catch {
Write-Error "Failed to fetch secret: $_"
}
}
# Define the secrets you want to fetch
$secrets = @(
@{ Name = "mySecret1"; Region = "us-west-2" },
@{ Name = "mySecret2"; Region = "us-east-1" }
)
# Initialize an empty hashtable to store secrets
$secretsHashTable = @{}
# Fetch each secret and store in the hashtable
foreach ($secret in $secrets) {
$secretValue = Get-AWSSecret -SecretName $secret.Name -Region $secret.Region
if ($secretValue) {
$secretsHashTable[$secret.Name] = $secretValue
}
}
# Convert the hashtable to JSON
$secretsJson = $secretsHashTable | ConvertTo-Json -Depth 10
# Define the output file path
$outputFilePath = "C:\path\to\your\secrets.json"
# Save the JSON to a file
$secretsJson | Out-File -FilePath $outputFilePath -Encoding utf8
Write-Host "Secrets have been saved to $outputFilePath"
And that’s it! With this script, you can securely fetch secrets from AWS Secrets Manager and store them in a JSON file, ensuring that your applications have access to the necessary credentials without exposing sensitive information in your codebase.