Secrets Manager examples using AWS CLI
The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Secrets Manager.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Actions
The following code example shows how to use batch-get-secret-value.

Example 1: To retrieve the secret value for a group of secrets listed by name

The following batch-get-secret-value example gets the secret values for three secrets.

aws secretsmanager batch-get-secret-value \
    --secret-id-list MySecret1 MySecret2 MySecret3

Output:

{
    "SecretValues": [
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret1-a1b2c3",
            "Name": "MySecret1",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
            "SecretString": "{\"username\":\"diego_ramirez\",\"password\":\"EXAMPLE-PASSWORD\",\"engine\":\"mysql\",\"host\":\"secretsmanagertutorial.cluster.us-west-2.rds.amazonaws.com\",\"port\":3306,\"dbClusterIdentifier\":\"secretsmanagertutorial\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1523477145.729"
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret2-a1b2c3",
            "Name": "MySecret2",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
            "SecretString": "{\"username\":\"akua_mansa\",\"password\":\"EXAMPLE-PASSWORD\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1673477781.275"
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret3-a1b2c3",
            "Name": "MySecret3",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEccccc",
            "SecretString": "{\"username\":\"jie_liu\",\"password\":\"EXAMPLE-PASSWORD\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1373477721.124"
        }
    ],
    "Errors": []
}

For more information, see Retrieve a group of secrets in a batch in the AWS Secrets Manager User Guide.

Example 2: To retrieve the secret value for a group of secrets selected by filter

The following batch-get-secret-value example gets the secret values of the secrets in your account that have MySecret in the name. Filtering by name is case sensitive.

aws secretsmanager batch-get-secret-value \
    --filters Key="name",Values="MySecret"

Output:

{
    "SecretValues": [
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret1-a1b2c3",
            "Name": "MySecret1",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa",
            "SecretString": "{\"username\":\"diego_ramirez\",\"password\":\"EXAMPLE-PASSWORD\",\"engine\":\"mysql\",\"host\":\"secretsmanagertutorial.cluster.us-west-2.rds.amazonaws.com\",\"port\":3306,\"dbClusterIdentifier\":\"secretsmanagertutorial\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1523477145.729"
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret2-a1b2c3",
            "Name": "MySecret2",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb",
            "SecretString": "{\"username\":\"akua_mansa\",\"password\":\"EXAMPLE-PASSWORD\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1673477781.275"
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret3-a1b2c3",
            "Name": "MySecret3",
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLEccccc",
            "SecretString": "{\"username\":\"jie_liu\",\"password\":\"EXAMPLE-PASSWORD\"}",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "1373477721.124"
        }
    ],
    "Errors": []
}

For more information, see Retrieve a group of secrets in a batch in the AWS Secrets Manager User Guide.

For API details, see BatchGetSecretValue in AWS CLI Command Reference.
The following code example shows how to use cancel-rotate-secret.

To turn off automatic rotation for a secret

The following cancel-rotate-secret example turns off automatic rotation for a secret. To resume rotation, call rotate-secret.

aws secretsmanager cancel-rotate-secret \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Rotate a secret in the Secrets Manager User Guide.

For API details, see CancelRotateSecret in AWS CLI Command Reference.
The following code example shows how to use create-secret.

Example 1: To create a secret from credentials in a JSON file

The following create-secret example creates a secret from credentials in a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager create-secret \
    --name MyTestSecret \
    --secret-string file://mycreds.json

Contents of mycreds.json:

{
    "engine": "mysql",
    "username": "saanvis",
    "password": "EXAMPLE-PASSWORD",
    "host": "my-database-endpoint.us-west-2.rds.amazonaws.com",
    "dbname": "myDatabase",
    "port": "3306"
}

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Create a secret in the Secrets Manager User Guide.

Example 2: To create a secret

The following create-secret example creates a secret with two key-value pairs. When you enter commands in a command shell, there is a risk of the command history being accessed or utilities having access to your command parameters. This is a concern if the command includes the value of a secret. For more information, see Mitigate the risks of using command-line tools to store secrets in the Secrets Manager User Guide.

aws secretsmanager create-secret \
    --name MyTestSecret \
    --description "My test secret created with the CLI." \
    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE"
}

For more information, see Create a secret in the Secrets Manager User Guide.

For API details, see CreateSecret in AWS CLI Command Reference.
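As an added illustration of the command-history caveat in Example 2 (this is not code from the AWS documentation), the following Python writes the credentials to a file that only the owner can read and hands the CLI a file:// reference, so the secret value never enters the command line. The credential values and the temporary directory are constructed sample data; the inline variant is included only to contrast the two forms.

```python
import json
import os
import tempfile

# Constructed sample credentials, mirroring the shape of mycreds.json above.
SAMPLE_CREDS = {
    "engine": "mysql",
    "username": "saanvis",
    "password": "EXAMPLE-PASSWORD",
    "host": "my-database-endpoint.us-west-2.rds.amazonaws.com",
    "dbname": "myDatabase",
    "port": "3306",
}


def write_secret_file(creds, directory=None):
    """Write creds as JSON to a newly created file with mode 0600.

    O_CREAT|O_EXCL means we create the file ourselves (an existing file or
    symlink at that path makes the call fail instead of being followed), and
    the 0o600 mode is applied at creation, so the contents are never even
    briefly readable by other users. Returns the absolute path.
    """
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "mycreds.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    return path


def secret_file_mode(path):
    """Permission bits of the file, for checking that 0o600 was applied."""
    return os.stat(path).st_mode & 0o777


def create_secret_argv(name, secret_file, description=None):
    """Argument vector for create-secret that reads the value via file://.

    The value itself is absent from argv, so it is recorded neither in shell
    history nor in the process listing seen by other users on the host.
    """
    argv = ["aws", "secretsmanager", "create-secret", "--name", name,
            "--secret-string", "file://" + secret_file]
    if description:
        argv += ["--description", description]
    return argv


def create_secret_argv_inline(name, creds):
    """The Example 2 form: the whole secret travels in a shell argument."""
    return ["aws", "secretsmanager", "create-secret", "--name", name,
            "--secret-string", json.dumps(creds)]


def argv_leaks_secret(argv, creds):
    """True if any credential value appears literally in the command line."""
    joined = " ".join(argv)
    return any(str(v) in joined for v in creds.values())


if __name__ == "__main__":
    path = write_secret_file(SAMPLE_CREDS)
    argv = create_secret_argv("MyTestSecret", path, "My test secret created with the CLI.")
    print(" ".join(argv))
    print("file mode:", oct(secret_file_mode(path)))
    print("file:// form leaks secret:", argv_leaks_secret(argv, SAMPLE_CREDS))
    print("inline form leaks secret:",
          argv_leaks_secret(create_secret_argv_inline("MyTestSecret", SAMPLE_CREDS), SAMPLE_CREDS))
    os.remove(path)  # delete the file as soon as the CLI call has completed
```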
The following code example shows how to use delete-resource-policy.

To delete the resource-based policy attached to a secret

The following delete-resource-policy example deletes the resource-based policy attached to a secret.

aws secretsmanager delete-resource-policy \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Authentication and access control in the Secrets Manager User Guide.

For API details, see DeleteResourcePolicy in AWS CLI Command Reference.
The following code example shows how to use delete-secret.

Example 1: To delete a secret

The following delete-secret example deletes a secret. You can recover the secret with restore-secret until the date and time in the DeletionDate response field. To delete a secret that is replicated to other regions, first remove its replicas with remove-regions-from-replication, and then call delete-secret.

aws secretsmanager delete-secret \
    --secret-id MyTestSecret \
    --recovery-window-in-days 7

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "DeletionDate": 1524085349.095
}

For more information, see Delete a secret in the Secrets Manager User Guide.

Example 2: To delete a secret immediately

The following delete-secret example deletes a secret immediately without a recovery window. You can't recover this secret.

aws secretsmanager delete-secret \
    --secret-id MyTestSecret \
    --force-delete-without-recovery

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "DeletionDate": 1508750180.309
}

For more information, see Delete a secret in the Secrets Manager User Guide.

For API details, see DeleteSecret in AWS CLI Command Reference.
The following code example shows how to use describe-secret.

To retrieve the details of a secret

The following describe-secret example shows the details of a secret.

aws secretsmanager describe-secret \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-Ca8JGt",
    "Name": "MyTestSecret",
    "Description": "My test secret",
    "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
    "RotationEnabled": true,
    "RotationLambdaARN": "arn:aws:lambda:us-west-2:123456789012:function:MyTestRotationLambda",
    "RotationRules": {
        "AutomaticallyAfterDays": 2,
        "Duration": "2h",
        "ScheduleExpression": "cron(0 16 1,15 * ? *)"
    },
    "LastRotatedDate": 1525747253.72,
    "LastChangedDate": 1523477145.729,
    "LastAccessedDate": 1524572133.25,
    "Tags": [
        {
            "Key": "SecondTag",
            "Value": "AnotherValue"
        },
        {
            "Key": "FirstTag",
            "Value": "SomeValue"
        }
    ],
    "VersionIdsToStages": {
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": ["AWSPREVIOUS"],
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222": ["AWSCURRENT"],
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333": ["AWSPENDING"]
    },
    "CreatedDate": 1521534252.66,
    "PrimaryRegion": "us-west-2",
    "ReplicationStatus": [
        {
            "Region": "eu-west-3",
            "KmsKeyId": "alias/aws/secretsmanager",
            "Status": "InSync",
            "StatusMessage": "Replication succeeded"
        }
    ]
}

For more information, see Secret in the Secrets Manager User Guide.

For API details, see DescribeSecret in AWS CLI Command Reference.
The following code example shows how to use get-random-password.

To generate a random password

The following get-random-password example generates a random password 20 characters long that includes at least one uppercase letter, lowercase letter, number, and punctuation character.

aws secretsmanager get-random-password \
    --require-each-included-type \
    --password-length 20

Output:

{
    "RandomPassword": "EXAMPLE-PASSWORD"
}

For more information, see Create and manage secrets in the Secrets Manager User Guide.

For API details, see GetRandomPassword in AWS CLI Command Reference.
The following code example shows how to use get-resource-policy.

To retrieve the resource-based policy attached to a secret

The following get-resource-policy example retrieves the resource-based policy attached to a secret.

aws secretsmanager get-resource-policy \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "ResourcePolicy": "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n \"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\": \"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}"
}

For more information, see Authentication and access control in the Secrets Manager User Guide.

For API details, see GetResourcePolicy in AWS CLI Command Reference.
The following code example shows how to use get-secret-value.

Example 1: To retrieve the encrypted secret value of a secret

The following get-secret-value example gets the current secret value.

aws secretsmanager get-secret-value \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "SecretString": "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}",
    "VersionStages": ["AWSCURRENT"],
    "CreatedDate": 1523477145.713
}

For more information, see Retrieve a secret in the Secrets Manager User Guide.

Example 2: To retrieve the previous secret value

The following get-secret-value example gets the previous secret value.

aws secretsmanager get-secret-value \
    --secret-id MyTestSecret \
    --version-stage AWSPREVIOUS

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "SecretString": "{\"user\":\"diegor\",\"password\":\"PREVIOUS-EXAMPLE-PASSWORD\"}",
    "VersionStages": ["AWSPREVIOUS"],
    "CreatedDate": 1523477145.713
}

For more information, see Retrieve a secret in the Secrets Manager User Guide.

For API details, see GetSecretValue in AWS CLI Command Reference.
The following code example shows how to use list-secret-version-ids.

To list all of the secret versions associated with a secret

The following list-secret-version-ids example gets a list of all of the versions of a secret.

aws secretsmanager list-secret-version-ids \
    --secret-id MyTestSecret

Output:

{
    "Versions": [
        {
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "VersionStages": ["AWSPREVIOUS"],
            "LastAccessedDate": 1523477145.713,
            "CreatedDate": 1523477145.713
        },
        {
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "VersionStages": ["AWSCURRENT"],
            "LastAccessedDate": 1523477145.713,
            "CreatedDate": 1523486221.391
        },
        {
            "CreatedDate": 1.51197446236E9,
            "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
        }
    ],
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Version in the Secrets Manager User Guide.

For API details, see ListSecretVersionIds in AWS CLI Command Reference.
The following code example shows how to use list-secrets.

Example 1: To list the secrets in your account

The following list-secrets example gets a list of the secrets in your account.

aws secretsmanager list-secrets

Output:

{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
            "Name": "MyTestSecret",
            "LastChangedDate": 1523477145.729,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": ["AWSCURRENT"]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:AnotherSecret-d4e5f6",
            "Name": "AnotherSecret",
            "LastChangedDate": 1523482025.685,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222": ["AWSCURRENT"]
            }
        }
    ]
}

For more information, see Find a secret in the Secrets Manager User Guide.

Example 2: To filter the list of secrets in your account

The following list-secrets example gets a list of the secrets in your account that have Test in the name. Filtering by name is case sensitive.

aws secretsmanager list-secrets \
    --filter Key="name",Values="Test"

Output:

{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
            "Name": "MyTestSecret",
            "LastChangedDate": 1523477145.729,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": ["AWSCURRENT"]
            }
        }
    ]
}

For more information, see Find a secret in the Secrets Manager User Guide.

Example 3: To list the secrets in your account managed by another service

The following list-secrets example returns the secrets in your account that are managed by Amazon RDS.

aws secretsmanager list-secrets \
    --filter Key="owning-service",Values="rds"

Output:

{
    "SecretList": [
        {
            "Name": "rds!cluster-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Tags": [
                {
                    "Value": "arn:aws:rds:us-west-2:123456789012:cluster:database-1",
                    "Key": "aws:rds:primaryDBClusterArn"
                },
                {
                    "Value": "rds",
                    "Key": "aws:secretsmanager:owningService"
                }
            ],
            "RotationRules": {
                "AutomaticallyAfterDays": 1
            },
            "LastChangedDate": 1673477781.275,
            "LastRotatedDate": 1673477781.26,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa": ["AWSPREVIOUS"],
                "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb": ["AWSCURRENT", "AWSPENDING"]
            },
            "OwningService": "rds",
            "RotationEnabled": true,
            "CreatedDate": 1673467300.7,
            "LastAccessedDate": 1673395200.0,
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:rds!cluster-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111-a1b2c3",
            "Description": "Secret associated with primary RDS DB cluster: arn:aws:rds:us-west-2:123456789012:cluster:database-1"
        }
    ]
}

For more information, see Secrets managed by other services in the Secrets Manager User Guide.

For API details, see ListSecrets in AWS CLI Command Reference.
The following code example shows how to use put-resource-policy.

To add a resource-based policy to a secret

The following put-resource-policy example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager put-resource-policy \
    --secret-id MyTestSecret \
    --resource-policy file://mypolicy.json \
    --block-public-policy

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Attach a permissions policy to a secret in the Secrets Manager User Guide.

For API details, see PutResourcePolicy in AWS CLI Command Reference.
The following code example shows how to use put-secret-value.

Example 1: To store a new secret value in a secret

The following put-secret-value example creates a new version of a secret with two key-value pairs.

aws secretsmanager put-secret-value \
    --secret-id MyTestSecret \
    --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-1a2b3c",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "VersionStages": ["AWSCURRENT"]
}

For more information, see Modify a secret in the Secrets Manager User Guide.

Example 2: To store a new secret value from credentials in a JSON file

The following put-secret-value example creates a new version of a secret from credentials in a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager put-secret-value \
    --secret-id MyTestSecret \
    --secret-string file://mycreds.json

Contents of mycreds.json:

{
    "engine": "mysql",
    "username": "saanvis",
    "password": "EXAMPLE-PASSWORD",
    "host": "my-database-endpoint.us-west-2.rds.amazonaws.com",
    "dbname": "myDatabase",
    "port": "3306"
}

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "VersionStages": ["AWSCURRENT"]
}

For more information, see Modify a secret in the Secrets Manager User Guide.

For API details, see PutSecretValue in AWS CLI Command Reference.
The following code example shows how to use remove-regions-from-replication.

To delete a replica secret

The following remove-regions-from-replication example deletes a replica secret in eu-west-3. To delete a primary secret that is replicated to other regions, first delete the replicas and then call delete-secret.

aws secretsmanager remove-regions-from-replication \
    --secret-id MyTestSecret \
    --remove-replica-regions eu-west-3

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-1a2b3c",
    "ReplicationStatus": []
}

For more information, see Delete a replica secret in the Secrets Manager User Guide.

For API details, see RemoveRegionsFromReplication in AWS CLI Command Reference.
The following code example shows how to use replicate-secret-to-regions.

To replicate a secret to another region

The following replicate-secret-to-regions example replicates a secret to eu-west-3. The replica is encrypted with the AWS managed key aws/secretsmanager.

aws secretsmanager replicate-secret-to-regions \
    --secret-id MyTestSecret \
    --add-replica-regions Region=eu-west-3

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-1a2b3c",
    "ReplicationStatus": [
        {
            "Region": "eu-west-3",
            "KmsKeyId": "alias/aws/secretsmanager",
            "Status": "InProgress"
        }
    ]
}

For more information, see Replicate a secret to another Region in the Secrets Manager User Guide.

For API details, see ReplicateSecretToRegions in AWS CLI Command Reference.
The following code example shows how to use restore-secret.

To restore a previously deleted secret

The following restore-secret example restores a secret that was previously scheduled for deletion.

aws secretsmanager restore-secret \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Delete a secret in the Secrets Manager User Guide.

For API details, see RestoreSecret in AWS CLI Command Reference.
The following code example shows how to use rotate-secret.

Example 1: To configure and start automatic rotation for a secret

The following rotate-secret example configures and starts automatic rotation for a secret. Secrets Manager rotates the secret once immediately, and then every eight hours in a two hour window. The output shows the VersionId of the new secret version created by rotation.

aws secretsmanager rotate-secret \
    --secret-id MyTestDatabaseSecret \
    --rotation-lambda-arn arn:aws:lambda:us-west-2:123456789012:function:SecretsManagerTestRotationLambda \
    --rotation-rules "{\"ScheduleExpression\": \"cron(0 8/8 * * ? *)\", \"Duration\": \"2h\"}"

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Rotate secrets in the Secrets Manager User Guide.

Example 2: To configure and start automatic rotation on a rotation interval

The following rotate-secret example configures and starts automatic rotation for a secret. Secrets Manager rotates the secret once immediately, and then every 10 days. The output shows the VersionId of the new secret version created by rotation.

aws secretsmanager rotate-secret \
    --secret-id MyTestDatabaseSecret \
    --rotation-lambda-arn arn:aws:lambda:us-west-2:123456789012:function:SecretsManagerTestRotationLambda \
    --rotation-rules "{\"ScheduleExpression\": \"rate(10 days)\"}"

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Rotate secrets in the Secrets Manager User Guide.

Example 3: To rotate a secret immediately

The following rotate-secret example starts an immediate rotation. The output shows the VersionId of the new secret version created by rotation. The secret must already have rotation configured.

aws secretsmanager rotate-secret \
    --secret-id MyTestDatabaseSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

For more information, see Rotate secrets in the Secrets Manager User Guide.

For API details, see RotateSecret in AWS CLI Command Reference.
The following code example shows how to use stop-replication-to-replica.

To promote a replica secret to a primary

The following stop-replication-to-replica example removes the link between a replica secret and the primary. The replica secret is promoted to a primary secret in the replica region. You must call stop-replication-to-replica from within the replica region.

aws secretsmanager stop-replication-to-replica \
    --secret-id MyTestSecret

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3"
}

For more information, see Promote a replica secret in the Secrets Manager User Guide.

For API details, see StopReplicationToReplica in AWS CLI Command Reference.
The following code example shows how to use tag-resource.

Example 1: To add a tag to a secret

The following example shows how to attach a tag with shorthand syntax.

aws secretsmanager tag-resource \
    --secret-id MyTestSecret \
    --tags Key=FirstTag,Value=FirstValue

This command produces no output.

For more information, see Tag your secrets in the Secrets Manager User Guide.

Example 2: To add multiple tags to a secret

The following tag-resource example attaches two key-value tags to a secret.

aws secretsmanager tag-resource \
    --secret-id MyTestSecret \
    --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'

This command produces no output.

For more information, see Tag secrets in the Secrets Manager User Guide.

For API details, see TagResource in AWS CLI Command Reference.
The following code example shows how to use untag-resource.

To remove tags from a secret

The following untag-resource example removes two tags from a secret. For each tag, both key and value are removed.

aws secretsmanager untag-resource \
    --secret-id MyTestSecret \
    --tag-keys '["FirstTag", "SecondTag"]'

This command produces no output.

For more information, see Tag secrets in the Secrets Manager User Guide.

For API details, see UntagResource in AWS CLI Command Reference.
The following code example shows how to use update-secret-version-stage.

Example 1: To revert a secret to the previous version

The following update-secret-version-stage example moves the AWSCURRENT staging label to the previous version of a secret, which reverts the secret to the previous version. To find the ID for the previous version, use list-secret-version-ids. For this example, the version with the AWSCURRENT label is a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 and the version with the AWSPREVIOUS label is a1b2c3d4-5678-90ab-cdef-EXAMPLE22222. In this example, you move the AWSCURRENT label from version 11111 to 22222. Because the AWSCURRENT label is removed from a version, update-secret-version-stage automatically moves the AWSPREVIOUS label to that version (11111). The effect is that the AWSCURRENT and AWSPREVIOUS versions are swapped.

aws secretsmanager update-secret-version-stage \
    --secret-id MyTestSecret \
    --version-stage AWSCURRENT \
    --move-to-version-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222 \
    --remove-from-version-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Version in the Secrets Manager User Guide.

Example 2: To add a staging label attached to a version of a secret

The following update-secret-version-stage example adds a staging label to a version of a secret. You can review the results by running list-secret-version-ids and viewing the VersionStages response field for the affected version.

aws secretsmanager update-secret-version-stage \
    --secret-id MyTestSecret \
    --version-stage STAGINGLABEL1 \
    --move-to-version-id EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Version in the Secrets Manager User Guide.

Example 3: To delete a staging label attached to a version of a secret

The following update-secret-version-stage example deletes a staging label that is attached to a version of a secret. You can review the results by running list-secret-version-ids and viewing the VersionStages response field for the affected version.

aws secretsmanager update-secret-version-stage \
    --secret-id MyTestSecret \
    --version-stage STAGINGLABEL1 \
    --remove-from-version-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Version in the Secrets Manager User Guide.

For API details, see UpdateSecretVersionStage in AWS CLI Command Reference.
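Added example, not code from the AWS documentation: a small Python model of the staging-label rules the three update-secret-version-stage examples above rely on, so the AWSCURRENT/AWSPREVIOUS swap can be traced on a VersionIdsToStages map (the shape describe-secret returns) before touching a real secret. The version ids are the page's; the rule that a label already attached to another version can only be moved when remove-from is also given is modelled here from the service's documented behaviour, and the deprecated-version helper reflects that versions with no staging label are eligible for removal by Secrets Manager.

```python
# Staging labels for one secret in the shape of describe-secret's
# VersionIdsToStages field, constructed to match the starting state of
# Example 1 above (11111 is current, 22222 is previous).
START = {
    "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": ["AWSCURRENT"],
    "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222": ["AWSPREVIOUS"],
}


def holder_of(stages, label):
    """Return the version id that currently carries label, or None."""
    for vid, labels in stages.items():
        if label in labels:
            return vid
    return None


def update_secret_version_stage(stages, version_stage, move_to=None, remove_from=None):
    """Apply one update-secret-version-stage call and return the new map.

    Rules modelled (assumptions about the service, stated in the lead-in):
      * a label sits on at most one version, so moving it to a new version
        while it is attached elsewhere requires naming that version in
        remove_from; otherwise the call is rejected
      * when AWSCURRENT is removed from a version, AWSPREVIOUS is moved to
        that version automatically (the behaviour Example 1 describes)
    """
    new = {vid: list(labels) for vid, labels in stages.items()}
    current = holder_of(new, version_stage)
    if move_to is not None and move_to not in new:
        raise KeyError(f"unknown version {move_to}")
    if remove_from is not None:
        if version_stage not in new.get(remove_from, []):
            raise ValueError(f"{version_stage} is not attached to {remove_from}")
        new[remove_from].remove(version_stage)
    elif current is not None and move_to is not None and current != move_to:
        raise ValueError(f"{version_stage} is attached to {current}; specify remove_from")
    if move_to is not None and version_stage not in new[move_to]:
        new[move_to].append(version_stage)
    if version_stage == "AWSCURRENT" and remove_from is not None:
        prev = holder_of(new, "AWSPREVIOUS")
        if prev is not None and prev != remove_from:
            new[prev].remove("AWSPREVIOUS")
        if "AWSPREVIOUS" not in new[remove_from]:
            new[remove_from].append("AWSPREVIOUS")
    return new


def unlabeled_versions(stages):
    """Versions carrying no staging label; these are deprecated and may be removed."""
    return sorted(vid for vid, labels in stages.items() if not labels)


if __name__ == "__main__":
    v1 = "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    v2 = "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
    # Example 1: swap AWSCURRENT and AWSPREVIOUS.
    after = update_secret_version_stage(START, "AWSCURRENT", move_to=v2, remove_from=v1)
    print(after)
    # Examples 2 and 3: attach a custom label, then remove it again.
    after = update_secret_version_stage(after, "STAGINGLABEL1", move_to=v1)
    after = update_secret_version_stage(after, "STAGINGLABEL1", remove_from=v1)
    print(after, "deprecated:", unlabeled_versions(after))
```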
The following code example shows how to use update-secret.

Example 1: To update the description of a secret

The following update-secret example updates the description of a secret.

aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --description "This is a new description for the secret."

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Modify a secret in the Secrets Manager User Guide.

Example 2: To update the encryption key associated with a secret

The following update-secret example updates the KMS key used to encrypt the secret value. The KMS key must be in the same region as the secret.

aws secretsmanager update-secret \
    --secret-id MyTestSecret \
    --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Modify a secret in the Secrets Manager User Guide.

For API details, see UpdateSecret in AWS CLI Command Reference.
The following code example shows how to use validate-resource-policy.

To validate a resource policy

The following validate-resource-policy example checks that a resource policy doesn't grant broad access to a secret. The policy is read from a file on disk. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager validate-resource-policy \
    --resource-policy file://mypolicy.json

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Output:

{
    "PolicyValidationPassed": true,
    "ValidationErrors": []
}

For more information, see Permissions reference for Secrets Manager in the Secrets Manager User Guide.

For API details, see ValidateResourcePolicy in AWS CLI Command Reference.
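Added example, not AWS's own validation logic: a local Python pre-check in the spirit of validate-resource-policy and the --block-public-policy flag of put-resource-policy, for reviewing a mypolicy.json before it is attached. It flags Allow statements with an anonymous principal and no Condition, an Allow that uses NotPrincipal, a principal from another account, or a wildcard action. SCOPED_POLICY is the mypolicy.json from the examples above; PUBLIC_POLICY is a constructed counter-example; the account id passed in is the caller's own account.

```python
import json

# The policy used by the put-resource-policy and validate-resource-policy
# examples: one role in the same account may read the secret value.
SCOPED_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
""")

# Constructed counter-example: anyone at all, any Secrets Manager action.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "secretsmanager:*", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat = []
        for entries in principal.values():  # "AWS", "Service", "Federated", ...
            flat.extend(_as_list(entries))
        return flat
    return _as_list(principal)


def account_of(arn):
    """Account id field of an ARN (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 5 else None


def find_broad_grants(policy, account_id):
    """Return (statement index, reason) pairs for grants that reach too far.

    Heuristics only; they complement, not replace, validate-resource-policy.
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:
            findings.append((i, "Allow with NotPrincipal grants to everyone else"))
        for pr in principals_of(st):
            if pr == "*":
                if not st.get("Condition"):
                    findings.append((i, "anonymous principal without Condition"))
            elif pr.startswith("arn:") and account_of(pr) not in (account_id, None):
                findings.append((i, "cross-account principal " + pr))
        for act in _as_list(st.get("Action")):
            if act == "*" or act.endswith(":*"):
                findings.append((i, "wildcard action " + act))
    return findings


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, find_broad_grants(pol, "123456789012"))
```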