maverickabhi

Reputation: 305

get all secrets from AWS secret manager

AWS has Secrets Manager, which stores secrets. It has an API to get an individual secret. I want to fetch all the secrets related to an account at once. Is there any way we can achieve this?

Upvotes: 2

Views: 5411

Answers (3)

Rohit kasyap

Reputation: 61

I tried to list secret names in my Secrets Manager using boto3 (Python), using list_secrets():

    import boto3

    # A single list_secrets() call returns only the first page of results
    secret_client = boto3.client("secretsmanager")
    secrets = secret_client.list_secrets()
    secrets_manager = secrets['SecretList']
    for secret in secrets_manager:
        print("{0}".format(secret['Name']))

The complete list was around 20, but the output was only around 5 secrets.

Updated the code to below, it worked:

    import boto3

    secret_client = boto3.client("secretsmanager")
    secrets = secret_client.list_secrets()
    secrets_manager = secrets['SecretList']
    # Keep requesting pages as long as the response carries a NextToken
    while "NextToken" in secrets:
        secrets = secret_client.list_secrets(NextToken=secrets["NextToken"])
        secrets_manager.extend(secrets['SecretList'])
    for secret in secrets_manager:
        print("{0}".format(secret['Name']))

So basically, the AWS Secrets Manager list_secrets() call paginates your output, so it is better to use 'NextToken' as mentioned in https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.list_secrets

Upvotes: 1

Michael

Reputation: 1707

'The encrypted fields SecretString and SecretBinary are not included in the output' in ListSecrets.

If you're trying to fetch all secret values then options might include:

1) Scripting list-secrets and get-secret-value to fetch all secret values. This example will be slow since it's using serial requests.

    #!/usr/bin/env python3

    import json
    import subprocess

    # The CLI paginates list-secrets for you, so SecretList holds every secret's metadata
    secrets = json.loads(subprocess.check_output(["aws", "secretsmanager", "list-secrets"]))
    for s in secrets['SecretList']:
        name = s.get('Name')
        # Pass the name as an argument list instead of interpolating it into a shell string
        data = json.loads(subprocess.check_output(
            ["aws", "secretsmanager", "get-secret-value", "--secret-id", name]))
        value = data.get('SecretString')
        print("{}: {}".format(name, value))

2) Use 3rd-party tools such as Summon with its AWS provider, which accepts a secrets.yml file and makes async calls to inject secrets into the environment of whatever command you're calling.

Upvotes: 0
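One way to combine the two points above, the NextToken loop from the first answer and the list-then-get approach from this one, as an added example that is not code from any of the answers. FakeSecretsManager and SAMPLE_SECRETS are constructed stand-ins so it runs offline; a real boto3 Secrets Manager client exposes the same two methods and can be passed to the same functions unchanged.

```python
"""Added example, not from the page's answers: page through list_secrets with
NextToken, then fetch every value. FakeSecretsManager is a constructed offline
stand-in; a real boto3.client("secretsmanager") works in its place unchanged."""


def list_all_secret_names(client, page_size=100):
    """Collect names across all pages; one list_secrets call returns one page only."""
    names, kwargs = [], {"MaxResults": page_size}  # the API caps MaxResults at 100
    while True:
        page = client.list_secrets(**kwargs)
        names.extend(s["Name"] for s in page["SecretList"])
        token = page.get("NextToken")  # absent on the final page
        if not token:
            return names
        kwargs["NextToken"] = token


def fetch_all_secrets(client):
    """Return {name: value}: str for SecretString, bytes for SecretBinary."""
    values = {}
    for name in list_all_secret_names(client):
        resp = client.get_secret_value(SecretId=name)  # needs GetSecretValue permission
        # boto3 hands back SecretBinary already base64-decoded, as bytes
        values[name] = resp.get("SecretString", resp.get("SecretBinary"))
    return values


class FakeSecretsManager:
    """Constructed stand-in serving two names per page, like a truncated real response."""
    def __init__(self, secrets, page_size=2):
        self._secrets, self._page_size = secrets, page_size

    def list_secrets(self, MaxResults=100, NextToken=None):
        names = sorted(self._secrets)
        start = int(NextToken) if NextToken else 0
        end = start + min(MaxResults, self._page_size)
        page = {"SecretList": [{"Name": n} for n in names[start:end]]}
        if end < len(names):
            page["NextToken"] = str(end)
        return page

    def get_secret_value(self, SecretId):
        value = self._secrets[SecretId]
        key = "SecretString" if isinstance(value, str) else "SecretBinary"
        return {"Name": SecretId, key: value}


# Constructed inventory of five secrets: a single list_secrets call shows only two of them
SAMPLE_SECRETS = {"prod/db/password": "example-only", "prod/api/key": "example-only-2",
                  "prod/tls/keystore.p12": b"\x30\x82\x01\x00",
                  "staging/db/password": "example-only-3", "staging/api/key": "example-only-4"}
```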

Karl Laurentius Roos

Reputation: 4399

You can use the method ListSecrets to list all secret metadata excluding SecretString or SecretBinary.

Upvotes: 4
