Retrieve secrets from AWS Secrets Manager
You can retrieve your secrets:
Secrets Manager generates a CloudTrail log entry when you retrieve a secret. For more information, see Log AWS Secrets Manager events with AWS CloudTrail.
In code
In applications, you can retrieve your secrets by calling GetSecretValue or BatchGetSecretValue in any of the AWS SDKs. For examples, see Get a secret value in the AWS SDK Code Examples Library. However, we recommend that you cache your secret values by using client-side caching. Caching secrets improves speed and reduces your costs.
- For Java applications:
  - If you store database credentials in the secret, use the Secrets Manager SQL connection drivers to connect to a database using the credentials in the secret.
  - For other types of secrets, use the Secrets Manager Java-based caching component or call the SDK directly with GetSecretValue.
- For Python applications, use the Secrets Manager Python-based caching component or call the SDK directly with get_secret_value or batch_get_secret_value.
- For .NET applications, use the Secrets Manager .NET-based caching component or call the SDK directly with GetSecretValue or BatchGetSecretValue.
- For Go applications, use the Secrets Manager Go-based caching component or call the SDK directly with GetSecretValue or BatchGetSecretValue.
- For JavaScript applications, call the SDK directly with getSecretValue or batchGetSecretValue.
- For PHP applications, call the SDK directly with GetSecretValue or BatchGetSecretValue.
- For Ruby applications, call the SDK directly with get_secret_value or batch_get_secret_value.
- For GitHub Actions, see Use AWS Secrets Manager secrets in GitHub jobs.
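The client-side caching recommended above, sketched as an added example (it is not the Secrets Manager Python-based caching component and not AWS code). CachedSecrets, use_secret, the 300-second TTL, the use of PermissionError as a stand-in for an authentication failure after rotation, and the constructed StubClient are all assumptions; in an application the client would be boto3.client("secretsmanager").

```python
import time


class CachedSecrets:
    """TTL cache in front of get_secret_value (hypothetical helper, not AWS code)."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client      # e.g. boto3.client("secretsmanager")
        self._ttl = ttl_seconds    # assumed default; keep it short when secrets rotate
        self._clock = clock
        self._cache = {}           # (secret_id, stage) -> (expires_at, value)

    def get(self, secret_id, version_stage="AWSCURRENT", force_refresh=False):
        key = (secret_id, version_stage)
        hit = self._cache.get(key)
        if hit and not force_refresh and self._clock() < hit[0]:
            return hit[1]          # served from memory: no API call is made
        resp = self._client.get_secret_value(
            SecretId=secret_id, VersionStage=version_stage)
        # A secret version carries either SecretString or SecretBinary.
        value = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"]
        self._cache[key] = (self._clock() + self._ttl, value)
        return value


def use_secret(cache, secret_id, action):
    """Run action(secret); if it raises PermissionError (stand-in for an
    authentication failure after rotation), refetch once and retry."""
    try:
        return action(cache.get(secret_id))
    except PermissionError:
        return action(cache.get(secret_id, force_refresh=True))


class StubClient:
    """Constructed stand-in for the SDK client so the example runs offline."""

    def __init__(self, versions):
        self.versions = versions   # stage label -> constructed secret string
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.versions[VersionStage]}


if __name__ == "__main__":
    stub = StubClient({"AWSCURRENT": "constructed-2", "AWSPREVIOUS": "constructed-1"})
    cache = CachedSecrets(stub)
    cache.get("MyTestSecret")
    cache.get("MyTestSecret")
    print("API calls made:", stub.calls)
```

Cached values live in process memory for the TTL, so a rotated secret can be served stale until the entry expires or a forced refresh replaces it.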
Within other systems and AWS services
You can also retrieve secrets within the following:
- For AWS Batch, you can reference secrets in a job definition.
- For AWS CloudFormation, you can create secrets and reference secrets in a CloudFormation stack.
- For Amazon ECS, you can reference secrets in a container definition.
- For Amazon EKS, you can use AWS Secrets and Configuration Provider (ASCP) to mount secrets as files in Amazon EKS.
- For GitHub, you can use the Secrets Manager GitHub action to add secrets as environment variables in your GitHub jobs.
- For AWS IoT Greengrass, you can reference secrets in a Greengrass group.
- For AWS Lambda, you can reference secrets in a Lambda function.
- For Parameter Store, you can reference secrets in a parameter.
AWS CLI
Example Retrieve the encrypted secret value of a secret
The following get-secret-value example gets the current secret value.

    aws secretsmanager get-secret-value \
        --secret-id MyTestSecret

Example Retrieve the previous secret value
The following get-secret-value example gets the previous secret value.

    aws secretsmanager get-secret-value \
        --secret-id MyTestSecret \
        --version-stage AWSPREVIOUS

AWS console
To retrieve a secret (console)
1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
2. In the list of secrets, choose the secret you want to retrieve.
3. In the Secret value section, choose Retrieve secret value.
   Secrets Manager displays the current version (AWSCURRENT) of the secret. To see other versions of the secret, such as AWSPREVIOUS or custom labeled versions, use the AWS CLI.