
Secrets Manager for credentials in AWS - Commands & Configuration

Introduction
Storing passwords and keys directly in your app is risky. AWS Secrets Manager helps you keep these credentials safe and easy to update without changing your app code.
When you want to store database passwords securely and access them from your app.
When you need to rotate API keys automatically without downtime.
When multiple apps or services need to share the same secret safely.
When you want to avoid hardcoding sensitive info in configuration files.
When you want to audit who accessed your credentials and when.
Commands
This command creates a new secret named 'my-app-db-password' in AWS Secrets Manager with a username and password stored as a JSON string.
Terminal
aws secretsmanager create-secret --name my-app-db-password --secret-string "{\"username\":\"admin\",\"password\":\"S3cureP@ssw0rd\"}" --region us-east-1
Expected Output
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-db-password-abc123",
  "Name": "my-app-db-password",
  "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987SECRET1"
}
--name - Sets the unique name for the secret.
--secret-string - Provides the secret data as a string.
--region - Specifies the AWS region to store the secret.
This command retrieves the stored secret value so your app or admin can use the credentials safely.
Terminal
aws secretsmanager get-secret-value --secret-id my-app-db-password --region us-east-1
Expected Output
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-db-password-abc123",
  "Name": "my-app-db-password",
  "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987SECRET1",
  "SecretString": "{\"username\":\"admin\",\"password\":\"S3cureP@ssw0rd\"}",
  "VersionStages": [ "AWSCURRENT" ],
  "CreatedDate": 1686000000.0
}
--secret-id - Specifies which secret to retrieve.
--region - Specifies the AWS region where the secret is stored.
This command updates the secret with a new password without changing the secret name or ARN.
Terminal
aws secretsmanager update-secret --secret-id my-app-db-password --secret-string "{\"username\":\"admin\",\"password\":\"N3wP@ssw0rd123\"}" --region us-east-1
Expected Output
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-db-password-abc123",
  "Name": "my-app-db-password",
  "VersionId": "EXAMPLE2-90ab-cdef-fedc-ba987SECRET2"
}
--secret-id - Specifies which secret to update.
--secret-string - Provides the new secret data.
--region - Specifies the AWS region.
This command deletes the secret immediately, skipping the recovery window; use it only when you are certain the secret is no longer needed.
Terminal
aws secretsmanager delete-secret --secret-id my-app-db-password --region us-east-1 --force-delete-without-recovery
Expected Output
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-db-password-abc123",
  "Name": "my-app-db-password",
  "DeletionDate": 1686003600.0
}
--secret-id - Specifies which secret to delete.
--force-delete-without-recovery - Deletes the secret immediately without recovery window.
--region - Specifies the AWS region.
Key Concept

If you remember nothing else from this pattern, remember: AWS Secrets Manager lets you store and update sensitive credentials safely without hardcoding them in your app.

Common Mistakes
Trying to retrieve a secret without specifying the correct region.
The AWS CLI will fail to find the secret if the region is wrong or missing.
Always include the --region flag with the region where your secret is stored.
Hardcoding secrets directly in application code instead of using Secrets Manager.
This exposes sensitive data and makes rotation difficult and risky.
Store secrets in Secrets Manager and retrieve them securely at runtime.
Deleting secrets without understanding the recovery window or using force delete unintentionally.
A secret deleted immediately by mistake is gone permanently, with no way to recover it.
Use the default recovery window unless you are sure you want to delete immediately with --force-delete-without-recovery.
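As an added example (not part of the original page), here is how an app can fetch the credentials at runtime through the get-secret-value command shown above instead of hardcoding them: it always passes --region, decodes the SecretString (a JSON document nested inside the CLI's JSON), accepts only the AWSCURRENT version, and never writes the password to logs. The CLI output is a constructed copy of the page's example, and the runner parameter is an assumed hook so the code runs offline.

```python
import json
import subprocess

# Constructed sample of what `aws secretsmanager get-secret-value` prints for the
# secret created earlier on this page (same example values as the page).
SAMPLE_CLI_OUTPUT = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-db-password-abc123",
    "Name": "my-app-db-password",
    "VersionId": "EXAMPLE1-90ab-cdef-fedc-ba987SECRET1",
    "SecretString": json.dumps({"username": "admin", "password": "S3cureP@ssw0rd"}),
    "VersionStages": ["AWSCURRENT"],
})

def build_get_secret_argv(secret_id: str, region: str) -> list:
    """Build the CLI argv; --region is mandatory here (see Common Mistakes)."""
    if not region:
        raise ValueError("region is required; the CLI cannot locate the secret without it")
    return ["aws", "secretsmanager", "get-secret-value",
            "--secret-id", secret_id, "--region", region, "--output", "json"]

def parse_secret_value(cli_output: str) -> dict:
    """Decode the doubly-encoded SecretString and require the AWSCURRENT stage."""
    envelope = json.loads(cli_output)
    if "AWSCURRENT" not in envelope.get("VersionStages", []):
        raise RuntimeError("refusing a secret version that is not AWSCURRENT")
    # SecretString is a JSON document stored inside JSON, hence the second loads.
    creds = json.loads(envelope["SecretString"])
    missing = [k for k in ("username", "password") if k not in creds]
    if missing:
        raise KeyError(f"secret is missing required field(s): {missing}")
    return {"username": creds["username"], "password": creds["password"]}

def run_aws_cli(argv: list) -> str:
    """Default runner: call the real AWS CLI and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def fetch_db_credentials(secret_id: str, region: str, runner=run_aws_cli) -> dict:
    """Resolve credentials at runtime instead of hardcoding them in the app.
    `runner` is an assumed injection point (hypothetical), used for the offline demo."""
    return parse_secret_value(runner(build_get_secret_argv(secret_id, region)))

def redact(creds: dict) -> dict:
    """Loggable form: the password value itself never reaches the log."""
    return {"username": creds["username"], "password": "***"}

if __name__ == "__main__":
    # Offline demo: a fake runner stands in for the CLI and returns the sample above.
    creds = fetch_db_credentials("my-app-db-password", "us-east-1", runner=lambda argv: SAMPLE_CLI_OUTPUT)
    print(redact(creds))  # {'username': 'admin', 'password': '***'}
```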
Summary
Create secrets with aws secretsmanager create-secret to store credentials safely.
Retrieve secrets with aws secretsmanager get-secret-value when your app needs them.
Update secrets with aws secretsmanager update-secret to rotate passwords without downtime.
Delete secrets with aws secretsmanager delete-secret carefully, considering recovery options.