Reputation: 1325
I have a Python script that creates some access keys in AWS and stores them in Secrets Manager.
However, when I store the keys I get an error that says:
The secret value can't be converted to key name and value pairs
The secret is stored like this in secrets manager (obfuscated the secret key):
[{'Access Key': 'AKIA5AODVC64THTZNML7'}, {'Secret Key': 'SecretSecretsecretSecretSecretSecretSecr'}]
My script is using these lines to create the secret:
secret_name = 'my_secret'
secret_description = 'describing the secret'
kms_key_id = create_kms_key()
# str() of a Python list gives its repr (single quotes), not JSON
key_info = str([{"Access Key": access_key}, {"Secret Key": secret_key}])
aws_secret = secrets_client.create_secret(
    Name=secret_name, Description=secret_description, KmsKeyId=kms_key_id,
    SecretString=key_info, Tags=[{'Key': 'Name', 'Value': user_name}],
)
How can I get the access / secret key into a format that secrets manager understands enough to convert to key / value pairs?
Upvotes: 7
Views: 18548
Reputation: 5774
This worked for me by adding json.dumps to send JSON within the text value:
import json

secret_name = 'my_secret'
secret_description = 'describing the secret'
kms_key_id = create_kms_key()
# json.dumps already returns a str, so no extra str() is needed
key_info = json.dumps([{"Access Key": access_key}, {"Secret Key": secret_key}])
aws_secret = secrets_client.create_secret(
    Name=secret_name, Description=secret_description, KmsKeyId=kms_key_id,
    SecretString=key_info, Tags=[{'Key': 'Name', 'Value': user_name}],
)
Upvotes: 0
Reputation: 2240
First, you can store an AWS Access Key and Secret Key in AWS Secrets Manager, but I strongly do not recommend that. But I can still offer a solution to easily do that:
pysecret
from pysecret import AWSSecret

aws_profile = "my_aws_profile"
aws = AWSSecret(profile_name=aws_profile)

secret_id = "my-example-secret"
secret_data = {
    "iam_user_1": {
        "access_key": "AAAAAAAAAAAAAAAAAAAAA",
        "secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    },
    "iam_user_2": {
        "access_key": "BBBBBBBBBBBBBBBBBBBBB",
        "secret_key": "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY",
    },
}
# write the whole nested document as one secret
aws.deploy_secret(name=secret_id, secret_data=secret_data)  # or you can pass kms_key_id if you created a custom kms key

# read side: individual values are addressed by a dotted path into the document
aws = AWSSecret(profile_name=aws_profile)  # in lambda code, don't need ``profile_name=aws_profile``
access_key = aws.get_secret_value(secret_id="my-example-secret", key="iam_user_1.access_key")  # AAAAAAAAAAAAAAAAAAAAA
secret_key = aws.get_secret_value(secret_id="my-example-secret", key="iam_user_1.secret_key")  # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
access_key = aws.get_secret_value(secret_id="my-example-secret", key="iam_user_2.access_key")  # BBBBBBBBBBBBBBBBBBBBB
secret_key = aws.get_secret_value(secret_id="my-example-secret", key="iam_user_2.secret_key")  # YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
I created an open source library called pysecret, here's the documentation of AWS Secret Manager integration: https://github.com/MacHu-GWU/pysecret-project#aws-key-management-service-and-secret-manager-integration
Second
Whenever you want to create an AWS Access Key pair, think of who is going to use it, a human or a machine. If it is a machine, please use an IAM Role instead of an IAM User. If it is a human, the human should be responsible for securely storing it, NOT AWS Secrets Manager.
Hope this answers your question.
Upvotes: 3
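The "Second" point in this answer (a machine should get its access through a role rather than a stored long-lived key pair) is what the following added example shows in code. It is not the answerer's code and not part of pysecret: it exchanges whatever credentials the caller already has for short-lived ones via STS AssumeRole and maps the response onto the keyword arguments boto3.Session accepts, so nothing long-lived has to be written to Secrets Manager at all. The role ARN is a placeholder, and `FakeSTSClient` is a constructed stand-in that returns a response shaped like the real AssumeRole response so the mapping can be exercised offline; the real call (commented out at the bottom) needs AWS credentials that are allowed to assume the role.

```python
from datetime import datetime, timedelta, timezone

# Placeholder ARN for illustration only; not a real account or role.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/example-deploy-role"
# Fixed "now" so the offline demonstration and its checks are deterministic.
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def assume_role_session_kwargs(sts_client, role_arn, session_name,
                               duration_seconds=3600, now=None):
    """Exchange the caller's current credentials for short-lived ones.

    sts_client is any object exposing boto3's STS assume_role call (a real
    boto3.client("sts") or the stand-in below). Returns the keyword arguments
    for boto3.Session plus the expiry time; the temporary key pair is never
    persisted anywhere.
    """
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    now = now or datetime.now(timezone.utc)
    if creds["Expiration"] <= now:
        raise RuntimeError("STS returned credentials that are already expired")
    session_kwargs = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Temporary credentials are only valid together with their session token.
        "aws_session_token": creds["SessionToken"],
    }
    return session_kwargs, creds["Expiration"]


def seconds_until_refresh(expiration, now=None, safety_margin=300):
    """Seconds the temporary credentials may still be used before the caller
    should assume the role again, keeping a margin before the hard expiry."""
    now = now or datetime.now(timezone.utc)
    remaining = (expiration - now).total_seconds() - safety_margin
    return max(0, int(remaining))


class FakeSTSClient:
    """Constructed stand-in for boto3's STS client. Every value below is made
    up; only the shape of the response mirrors what AssumeRole returns."""

    def __init__(self, now):
        self.now = now
        self.calls = []  # records the kwargs each assume_role call received

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        duration = kwargs.get("DurationSeconds", 3600)
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
                "SecretAccessKey": "fakeSecretAccessKeyForTheExample",
                "SessionToken": "FwoGZXIvYXdzEExampleSessionToken",
                "Expiration": self.now + timedelta(seconds=duration),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLEID:" + kwargs["RoleSessionName"],
                "Arn": "arn:aws:sts::123456789012:assumed-role/example-deploy-role/"
                       + kwargs["RoleSessionName"],
            },
        }


if __name__ == "__main__":
    # Offline demonstration against the fake client.
    fake = FakeSTSClient(DEMO_NOW)
    kwargs, expires = assume_role_session_kwargs(
        fake, EXAMPLE_ROLE_ARN, "deploy-job", 900, now=DEMO_NOW)
    print(sorted(kwargs), "expires", expires.isoformat(),
          "refresh in", seconds_until_refresh(expires, DEMO_NOW), "s")
    # Against real AWS (needs credentials permitted to assume the role):
    # import boto3
    # kwargs, expires = assume_role_session_kwargs(boto3.client("sts"), EXAMPLE_ROLE_ARN, "deploy-job")
    # secretsmanager = boto3.Session(**kwargs).client("secretsmanager")
```

A process that already runs under an IAM role (Lambda, ECS task, EC2 instance profile) does not even need the AssumeRole step: boto3 picks those temporary credentials up from the environment or instance metadata, which is the point the answer makes about machines and roles.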
Reputation: 326
First off, you should reconsider whether you really need to store AWS access keys in Secrets Manager. How are you planning to get the credentials that will be used to make the call to Secrets Manager?
Look at using temporary role creds, for example: don't use the creds you have to get another cred pair from Secrets Manager. Use the creds you have to get temp creds instead.
On to your actual question: it looks like you are trying to view the secret value in the console (since that is when the error "The secret value can't be converted to key name and value pairs" is shown). The Python code snippet that you used to create the secret worked correctly. The error is shown when the console cannot parse the SecretString into key/value pairs. This is expected behaviour, since your top-level object in the SecretString is an array.
If you click on the "Plaintext" tab right above the red error display box, you'll see the stored SecretString without any attempt at parsing into key value pairs.
Upvotes: 2
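The question, the json.dumps answer and the explanation in this last answer describe three different strings that can end up in SecretString, and the added example below (not code from any of the posters) makes the difference checkable before the secret is created. `str()` of the list gives a Python repr with single quotes, which is not JSON at all; `json.dumps()` of the same list is valid JSON but its top-level value is still an array; a flat JSON object with string values is what the console's key/value view renders. That last requirement is the assumption the `console_parse_problem` check encodes, drawn from the error message quoted on this page. The two sample key values are the placeholder values AWS uses in its own documentation, not real credentials, and `create_secret_kwargs` only builds the arguments for boto3's `create_secret` so the script can run offline; the real call is shown commented out.

```python
import json

# Placeholder values from AWS documentation, not real credentials.
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def build_secret_string(access_key, secret_key):
    """Serialise the key pair as a flat JSON object with string values."""
    return json.dumps({"access_key": access_key, "secret_key": secret_key})


def console_parse_problem(secret_string):
    """Return None when the console's key/value view can render the string,
    otherwise a short reason. Assumed constraint (see lead-in): valid JSON,
    top-level object, every value a string."""
    try:
        parsed = json.loads(secret_string)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return "not valid JSON"
    if not isinstance(parsed, dict):
        return f"top-level value is {type(parsed).__name__}, not an object"
    non_string = [k for k, v in parsed.items() if not isinstance(v, str)]
    if non_string:
        return "non-string values for keys: " + ", ".join(non_string)
    return None


def create_secret_kwargs(name, description, kms_key_id, secret_string, owner_tag):
    """Build the keyword arguments for boto3's create_secret, refusing a
    SecretString the console could not display as key/value pairs."""
    problem = console_parse_problem(secret_string)
    if problem is not None:
        raise ValueError(f"SecretString would not render as key/value pairs: {problem}")
    return {
        "Name": name,
        "Description": description,
        "KmsKeyId": kms_key_id,
        "SecretString": secret_string,
        "Tags": [{"Key": "Name", "Value": owner_tag}],
    }


if __name__ == "__main__":
    # The three shapes discussed in the thread, checked the same way.
    pair_as_list = [{"Access Key": SAMPLE_ACCESS_KEY}, {"Secret Key": SAMPLE_SECRET_KEY}]
    candidates = {
        "str(list) from the question": str(pair_as_list),
        "json.dumps(list) from the first answer": json.dumps(pair_as_list),
        "json.dumps(dict)": build_secret_string(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY),
    }
    for label, candidate in candidates.items():
        print(f"{label}: {console_parse_problem(candidate) or 'ok'}")
    kwargs = create_secret_kwargs("my_secret", "describing the secret", "alias/my-key",
                                  build_secret_string(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY),
                                  "some-user")
    # To actually store it (needs AWS credentials; not run offline):
    # import boto3
    # boto3.client("secretsmanager").create_secret(**kwargs)
```

If the array layout from the question is kept on purpose, the secret is still stored and readable through the API and the console's Plaintext tab, exactly as this answer says; the check above only tells you in advance which layout the key/value tab will refuse.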