The secretcli project provides a simple to use command line interface to the AWS Secrets Manager. It is capable of uploading or downloading the entire secret as well as working with individual fields.
This project is available on pypi and can be installed with pip.
pip3 install secretcli
New secrets are easy to initiate. This will create a new Secret in the AWS Secret Manager and store an empty javascript object as the first version.
$ secretcli init TestSecret
Additional Key/Value pairs can be added to the secret using a single command. Behind the scenes this downloads the existing database, updates it with the new key/value pair, and uploads it as the current version.
$ secretcli set TestSecret postgreshost 10.10.10.16
$ secretcli set TestSecret postgresuser postgres
$ secretcli set TestSecret postgrespassword super_secret_string
$ secretcli set TestSecret longstring "This is a string with spaces."
Retrieving values is just as simple. This can be useful when trying to use values in bash scripts.
$ secretcli get TestSecret postgreshost
10.10.10.16
$ secretcli get TestSecret postgresuser
postgres
$ secretcli get TestSecret postgrespassword
super_secret_string
Values can also be completely removed from the secret.
$ secretcli get TestSecret postgreshost
10.10.10.16
$ secretcli remove TestSecret postgreshost
$ secretcli get TestSecret postgreshost
To avoid passing the value directly into the console (potentially logging it in places like bash history) the -s
flag can be passed and the value can be passed in interactively without displaying it.
$ secretcli set TestSecret postgrespassword -s
Value:
Repeat for confirmation:
$ secretcli get TestSecret postgrespassword
super_secret_string
The entire Secret can be downloaded as a file. This command works regardless of the format of the file- Secrets that are not managed by secretcli
can be downloaded using this tool.
$ secretcli download TestSecret ./secret_configuration.json
The file can also be uploaded- but be careful, it will be uploaded exactly as is without any verification of the json formatting.
$ secretcli upload TestSecret ./secret_configuration.json
secretcli
stores data as a JSON Object in an attempt to be as interoperable as possible. Each key
passed to secretcli
is represented by a key
in the JSON Object.
When storing in AWS Secret Manager secretcli
uses the SecretString
field in the AWS Secrets Manager. This allows the database to be viewed in the AWS Console both as a raw string and using the Key/Value table.