user_mda

Reputation: 19378

How to retrieve a secret in terraform from aws secret manager

I have a secret stored in Secrets Manager, and I have access to its ARN. I want to retrieve the value from this ARN and use it in Terraform. How can I achieve this?

I found this from terraform website

data "aws_secretsmanager_secret" "by-arn" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
}

How do I then retrieve the value? Meaning, what is the "get-value" equivalent in Terraform for an EC2 instance?

Upvotes: 45

Views: 87574

Answers (4)

m_drinks_coffee

Reputation: 507

Instead of hardcoding the ARN or the AWS account ID:

    data "aws_secretsmanager_secret" "example_secret" {
      name = "<secret_name>" # As stored in the AWS Secrets Manager
    }

    # Give a meaningful name to the version for easy identification
    # If multiple secrets are present
    data "aws_secretsmanager_secret_version" "example_latest_ver" {
      secret_id = data.aws_secretsmanager_secret.example_secret.id
    }

And simply refer to this in your code as data.aws_secretsmanager_secret_version.example_latest_ver.secret_string

To find out the current AWS account ID, use ${data.aws_caller_identity.current.account_id}

Upvotes: 9

Sufiyan Ghori

Reputation: 18743

Please note that Terraform 0.14 added the ability to redact Sensitive values in console output.

Therefore, if you are using Terraform > 0.14, you will have to use the nonsensitive function to expose the actual secret value.

The nonsensitive function takes a sensitive value and returns a copy of that value with the sensitive marking removed, thereby exposing the actual value.

data "aws_secretsmanager_secret" "secrets" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my_secrety_name-123456"
}

data "aws_secretsmanager_secret_version" "current" {
  secret_id = data.aws_secretsmanager_secret.secrets.id
}

output "sensitive_example_hash" {
  value = jsondecode(nonsensitive(data.aws_secretsmanager_secret_version.current.secret_string))
}

Upvotes: 15

pabloxio

Reputation: 1493

Here is an example. By default, aws_secretsmanager_secret_version retrieves information based on the AWSCURRENT label (a.k.a. the latest version):

data "aws_secretsmanager_secret" "secrets" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my_secrety_name-123456"
}

data "aws_secretsmanager_secret_version" "current" {
  secret_id = data.aws_secretsmanager_secret.secrets.id
}

And use data.aws_secretsmanager_secret_version.current.secret_string to get the secret. If you want to retrieve a specific value inside that secret like DATABASE_URL you can use the built-in function jsondecode:

jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["DATABASE_URL"]

Upvotes: 78
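A fuller worked configuration for what this answer describes, added here as an example rather than taken from any of the answers: it looks the secret up by name instead of a hardcoded ARN, reads the AWSCURRENT version, checks that the JSON actually contains a DATABASE_URL key before anything depends on it, and exposes the field as a sensitive output. The secret name, region and key name are placeholders.

```hcl
# Added example (not from the answers above). Assumes a secret named
# "prod/app/config" whose value is a JSON object containing "DATABASE_URL".

terraform {
  required_version = ">= 1.2" # lifecycle postcondition blocks need 1.2 or newer
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Look the secret up by name so neither the ARN nor the account ID is hardcoded.
data "aws_secretsmanager_secret" "app" {
  name = "prod/app/config" # placeholder secret name
}

# AWSCURRENT is already the default stage; it is stated here to make the intent explicit.
data "aws_secretsmanager_secret_version" "app" {
  secret_id     = data.aws_secretsmanager_secret.app.id
  version_stage = "AWSCURRENT"

  lifecycle {
    # Fail the plan early, with a clear message, if the secret is not the JSON
    # shape this configuration expects (can() returns false instead of erroring).
    postcondition {
      condition     = can(jsondecode(self.secret_string)["DATABASE_URL"])
      error_message = "The secret must be a JSON object with a DATABASE_URL key."
    }
  }
}

locals {
  # jsondecode of a sensitive string yields a sensitive map, so each field stays sensitive.
  app_config   = jsondecode(data.aws_secretsmanager_secret_version.app.secret_string)
  database_url = local.app_config["DATABASE_URL"]
}

# Marked sensitive so plan/apply output redacts it; read it deliberately with
# `terraform output -raw database_url` when the value is actually needed.
output "database_url" {
  value     = local.database_url
  sensitive = true
}
```

Marking the output sensitive only affects console output: the decoded secret is still written in plain text to the Terraform state, so the state backend needs to be protected (encryption and restricted access) as if it held the secret itself.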

weichung.shaw

Reputation: 152

aws_secretsmanager_secret is an AWS Secrets Manager secret object, but a secret can have multiple versions, and the values are stored in the versions, not in the parent secret object.

So this is what you're looking for instead: https://www.terraform.io/docs/providers/aws/r/secretsmanager_secret_version.html (and it describes how to get the value of the secret version, i.e. aws_secretsmanager_secret_version.example.secret_string).

Upvotes: 1
