Retrieve secrets from AWS Secrets Manager

With Secrets Manager, you can programmatically and securely retrieve your secrets in your applications. You can also retrieve your secrets by using the console or the AWS CLI.

To retrieve a secret in the console, you must have these permissions:

secretsmanager:ListSecrets – Use to navigate to the secret to retrieve.
secretsmanager:DescribeSecret — Use to retrieve the non-encrypted parts of the secret.
secretsmanager:GetSecretValue – Use to retrieve the encrypted part of the secret.
kms:Decrypt – Required only if you used a customer managed key instead of the AWS managed key (aws/secretsmanager) to encrypt your secret.

To retrieve a secret (console)

Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
On the Secrets page, choose your secret.
On the Secret details page, in the Secret value section, choose Retrieve secret value.
Do one of the following:
- Choose Secret key/value to see the credentials as individual keys and values.
- Choose Plaintext to see the JSON text string that Secrets Manager encrypts and stores.

Retrieve secrets programmatically

You can use the following commands to retrieve a secret stored in AWS Secrets Manager:

API/SDK: GetSecretValue
- C++
- Java
- PHP
- Python
- Ruby
- Node.js
AWS CLI: get-secret-value

You identify the secret by the name or ARN. You can include the version, but if you don't specify a version, Secrets Manager defaults to the version with the staging label AWSCURRENT. Secrets Manager returns the contents of the secret text in the response parameters PlaintextString. If you stored binary data in the secret, Secrets Manager also returns Plaintext, a byte array. Secrets Manager uses the last modified date for the CreatedDate output.

The following example retrieves the current secret value for MyAwesomeAppSecret.


$ aws secretsmanager get-secret-value --secret-id MyAwesomeAppSecret


{
    "ARN": "arn:aws:secretsmanager:Region:AccountId:secret:MyAwesomeAppSecret-N4KUiT",
    "Name": "MyAwesomeAppSecret",
    "VersionId": "8f514297-c9e7-4d32-8d6c-b02590c3dff0",
    "SecretString": "{\"username\":\"saanvi\",\"password\":\"aDM4N3*!8TT\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2020-01-01T12:40:34.236000-07:00"
}

The following example retrieves the previous secret value for MyAwesomeAppSecret.


aws secretsmanager get-secret-value --secret-id MyAwesomeAppSecret --version-stage AWSPREVIOUS


{
    "ARN": "arn:aws:secretsmanager:Region:AccountId:secret:MyAwesomeAppSecret-N4KUiT",
    "Name": "MyAwesomeAppSecret",
    "VersionId": "6a317b3e-123c-4168-b391-99b180e15609",
    "SecretString": "{\"username\":\"saanvi\",\"password\":\"\"}",
    "VersionStages": [
        "AWSPREVIOUS"
    ],
    "CreatedDate": "2020-01-01T12:40:34.236000-07:00"
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Tag your secrets

Cache secrets to improve performance