
There are various instances where you would need to use credentials, tokens, API keys etc. to access certain services. For example, you would need to use your SQL server credentials to access a certain DB from your application. But storing those in the codebase as plain text is not the best idea. It is a security vulnerability. Anyone with access to your codebase would be able to read those secrets, get unauthorized access to your services and perform malicious actions. You could encrypt the secrets and share the key external to your application as a config file to allow for decryption. But managing secrets like that can become complex quickly. AWS has a Secrets Manager that, as the name suggests, is a service that allows you to manage your secrets. In this article, I’ll talk about how to store a secret and retrieve it programmatically.
AWS Secrets Manager [1]
This service allows you to protect the secrets needed to access your applications, services and IT resources. One can easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. The service is extensible to other types of secrets, including API keys and OAuth tokens. Moreover, you can control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises. The secrets can be replicated to other regions easily to support multi-region applications. Now we will look at the steps required to create a secret and retrieve it programmatically.
Step 1: Creating and storing the secret
You can use the AWS Secrets Manager console or the AWS CLI to create the secret.
Secrets Manager Console
- Sign in to the console at: https://console.aws.amazon.com/secretsmanager/
- On the Secrets list page, click Store a new secret.

- On the Store a new secret page, select Other type of secret. (This type allows you to store key-value pairs or plain text.) You can then specify the secret as key-value pairs on this page. Your key could, for example, be "username" and the value "[email protected]".

- For Select the encryption key, choose DefaultEncryptionKey. Secrets Manager always encrypts the secret when you select this option, at no extra cost.
- Choose Next.
- Under Secret name, type a name for the secret. It can contain only alphanumeric characters and /_+=.@-. The example you can use: tutorial/firstkey. The hierarchy allows you to group your secrets and maintain them better. You can also add a description and tags here if you want.
- Press Next.
- Review the final details. This page also gives you very nice sample code for different languages that you can use directly in your application: Python, Java, Java V2, JavaScript, C#, Ruby and Go snippets. Pretty neat! Press Store. This creates a secret called tutorial/firstkey with the testkey:testvalue pair as the secret in it.
Secrets Manager CLI
- Open a command prompt to run the AWS CLI. (Installing the AWS Command Line Interface)
- To create the secret, run the following command (the long-dash characters and the stray "2" in the original listing were extraction artifacts; the options are double-dash flags):
$ aws secretsmanager create-secret --name tutorial/firstkey --description "Basic Create Secret" --secret-string '{"testkey":"testvalue"}'
Step 2: Retrieving the secret from Secrets Manager
Retrieving your secret in the AWS Secrets Manager console
- Log in to the Secrets Manager console: https://console.aws.amazon.com/secretsmanager/
- On the Secrets list page, choose the secret you created.
- In the Secret value section, choose Retrieve secret value.
- You can view the secret as key-value pairs, or as a JSON text structure.
Retrieving using the AWS Secrets Manager CLI
- Open a command prompt.
- Enter the following command:
Retrieving using boto3 Python code
You can also retrieve the secret using the boto3 library [2][3]. Your AWS CLI needs to be configured, since boto3 reads the same credentials and default region.
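As an added example (not code from the original article), here is a boto3 retrieval function that handles the key-value secret created above as well as plain-text and binary secrets. It assumes the AWS CLI credentials and default region are already configured; the `client` parameter is a hypothetical hook so the parsing logic can be exercised with a stand-in client and no AWS access.

```python
import json


def parse_secret_string(secret_string):
    """Turn the SecretString field into a dict for key/value secrets, or return it unchanged.

    A secret stored as key/value pairs in the console, or created with
    --secret-string '{"testkey":"testvalue"}' from the CLI, comes back as a JSON
    object in SecretString; a plain-text secret comes back verbatim.
    """
    try:
        parsed = json.loads(secret_string)
    except ValueError:  # json.JSONDecodeError is a ValueError: not JSON, so plain text
        return secret_string
    return parsed if isinstance(parsed, dict) else secret_string


def get_secret(secret_name, region_name=None, client=None):
    """Fetch secret_name from Secrets Manager and return it as a dict, str or bytes.

    client: an already-built Secrets Manager client (hypothetical hook for testing).
    When None, one is created with boto3, which reads the credentials and default
    region the AWS CLI was configured with; region_name overrides that region.
    """
    if client is None:
        import boto3  # imported here so the parsing above can run without boto3 or AWS access
        client = boto3.session.Session().client(
            service_name="secretsmanager", region_name=region_name
        )
    response = client.get_secret_value(SecretId=secret_name)
    # Key/value and plain-text secrets are returned in SecretString; secrets uploaded
    # as raw bytes are returned in SecretBinary, which boto3 hands back as bytes.
    if "SecretString" in response:
        return parse_secret_string(response["SecretString"])
    return response["SecretBinary"]


if __name__ == "__main__":
    # Retrieves the secret created earlier in the article. Only the key names are
    # printed: the secret value itself should never end up in logs or stdout.
    secret = get_secret("tutorial/firstkey")
    print(sorted(secret) if isinstance(secret, dict) else type(secret).__name__)
```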
The function will give you the following result:

Conclusion
To conclude, we looked at AWS Secrets Manager as a way of storing database credentials, API keys etc. We saw how to create a secret using the console as well as the AWS CLI. Finally, we looked at how to get the secret using the console, the AWS CLI and the boto3 Python library. I hope you enjoyed the article and learnt something useful. Thank you for reading. Follow me for more interesting articles.
References
[1] https://aws.amazon.com/secrets-manager/
[2] Quickstart – Boto3 Docs 1.17.96 documentation
[3] AWS Secrets Manager – Boto3 Docs 1.17.97 documentation
[4] Tutorial: Creating and retrieving a secret – AWS Secrets Manager