Retrieving secrets - AWS Secrets Manager

Retrieving secrets

With Secrets Manager, you can programmatically and securely retrieve your secrets in your applications. You can also retrieve your secrets by using the console or the AWS CLI.

To retrieve a secret in the console, you must have these permissions:

  • secretsmanager:ListSecrets – Use to navigate to the secret to retrieve.

  • secretsmanager:DescribeSecret – Use to retrieve the non-encrypted parts of the secret.

  • secretsmanager:GetSecretValue – Use to retrieve the encrypted part of the secret.

  • kms:Decrypt – Required only if you used a custom AWS KMS customer master key (CMK) to encrypt your secret.

To retrieve a secret (console)

  1. Open the Secrets Manager console at

  2. On the Secrets page, choose your secret.

  3. On the Secret details page, in the Secret value section, choose Retrieve secret value.

  4. Do one of the following:

    • Choose Secret key/value to see the credentials as individual keys and values.

    • Choose Plaintext to see the JSON text string that Secrets Manager encrypts and stores.

Retrieving secrets programmatically

You can use the following commands to retrieve a secret stored in AWS Secrets Manager:

You identify the secret by its friendly name or ARN. You can also include the version; if you don't specify one, Secrets Manager defaults to the version with the staging label AWSCURRENT. Secrets Manager returns the contents of the secret text in the response parameter PlaintextString. If you stored binary data in the secret, Secrets Manager also returns Plaintext, a byte array. Secrets Manager uses the last modified date for the CreatedDate output.

The following example shows how to decrypt and retrieve the encrypted secret information from the default version of the secret named "MyTestDatabase".

    $ aws secretsmanager get-secret-value --secret-id development/MyTestDatabase
    {
      "ARN": "arn:aws:secretsmanager:region:accountid:secret:development/MyTestDatabase-AbCdEf",
      "Name": "development/MyTestDatabase",
      "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
      "SecretString": "{\"ServerName\":\"MyDBServer\",\"UserName\":\"Anaya\",\"Password\":\"MyT0pSecretP@ssw0rd\"}",
      "SecretVersionStages": [
        "AWSCURRENT"
      ],
      "CreatedDate": 1510089380.309
    }
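
The same retrieval from application code, as an added Python example (not part of the AWS documentation). It assumes boto3's get_secret_value call and the SecretString field shown in the sample response above; SecretBinary is the boto3 response field for binary secrets. The names fetch_secret, redacted and StubClient are hypothetical, and the stub's response is constructed from the sample output so the code runs offline.

```python
import json

# Constructed sample, copied from the CLI output shown above.
SAMPLE_RESPONSE = {
    "Name": "development/MyTestDatabase",
    "SecretString": '{"ServerName":"MyDBServer","UserName":"Anaya",'
                    '"Password":"MyT0pSecretP@ssw0rd"}',
}

def fetch_secret(client, secret_id, version_stage="AWSCURRENT"):
    """Fetch one secret version. Returns a dict for JSON key/value secrets,
    str for other text secrets, and bytes for binary secrets."""
    # Naming the stage explicitly makes the default visible at the call site.
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)
    if "SecretString" in resp:
        text = resp["SecretString"]
        try:
            parsed = json.loads(text)
        except ValueError:
            return text  # plain text secret, not JSON
        return parsed if isinstance(parsed, dict) else text
    return resp["SecretBinary"]  # boto3 hands binary secrets back as bytes

def redacted(secret):
    """View that is safe to log: keeps key names, hides every value."""
    if isinstance(secret, dict):
        return {key: "****" for key in secret}
    return "****"

class StubClient:
    """Offline stand-in for boto3.client("secretsmanager") (hypothetical)."""
    def __init__(self, response=None):
        self.response = response or SAMPLE_RESPONSE
        self.calls = []

    def get_secret_value(self, **kwargs):
        self.calls.append(kwargs)
        return self.response

if __name__ == "__main__":
    # With real credentials, replace the stub with:
    #   import boto3; client = boto3.client("secretsmanager")
    client = StubClient()
    secret = fetch_secret(client, "development/MyTestDatabase")
    print(redacted(secret))  # log key names only, never the values
```

The caller needs secretsmanager:GetSecretValue on the secret, plus kms:Decrypt when the secret is encrypted with a custom CMK, as listed in the permissions above.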