Retrieve User Credentials from Secrets Manager

This blog post covers how to programmatically retrieve a set of user credentials from AWS Secrets Manager. Using the Boto3 Python SDK, we can easily connect to Secrets Manager and retrieve the specified secrets.

Before beginning, ensure you have the following:

  • Access to AWS
  • Python 3 and Boto3 installed

Create the secret

As this will be a set of user credentials (service account, API, App registration etc), the type of secret will be “other types of secrets”. Firstly, let’s create our secret within the console. Log into AWS, select your desired region (for this post I have chosen to use London (eu-west-2)) and then go to the Secrets Manager service.

Create a new secret with the below settings:

Choose the default value for the encryption key and select next.

Disable automatic and click next. Then click Store to save the secret. This secret will now be visible within Secrets Manager.

Retrieve the secret

Now we have the secret we can use the Boto3 SDK to programmatically call Secrets Manager and retrieve it.

Firstly, we need to import Boto3 and create our Secrets Manager client.

Now we can call the Secrets Manager client's get_secret_value() method to retrieve our secret from AWS.

This returns us a nice dictionary object as seen below.

Showing the dict type of the secret response

As this is a dictionary, we can take a look at the keys within it using the built-in keys() method:

Showing the keys within the response

Now we can drill down into this dictionary and pull out the ‘SecretString’ key as that will provide us what we want.

Showing the secret within the SecretString key

Annoyingly, despite looking like a nicely formatted dictionary, it is just a string, as shown by the above type. It would be nicer to have it as a parsed JSON object so we can easily pull out the parts we need, and we can quickly achieve this using the json library.

Back at the top of your file, import the json library by pasting this code:

Now we have the library imported, we can parse this string using the json.loads() method like so:

Showing the parsed secret string

This is now much better. We have our secret nicely formatted in a dictionary and can pull back the keys for username and password as we wish.

Putting it together

Now we have the individual parts that we can use to retrieve the secret, we need to wrap these together in a repeatable definition that can be called from elsewhere. For this we will:

  • Have the secret name and region as inputs
  • Return the parsed JSON object
  • Begin to consider basic error handling/logic

This is the complete definition.
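The listing from the original post is not reproduced on this page, so the following is an added example of such a definition, not the author's own code. The names `get_secret` and `SecretRetrievalError`, the optional `client` argument and the secret name in the usage lines are assumptions; error messages carry only the secret's name and the AWS error code, never its value.

```python
import json

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # SDK not installed: the caller must pass its own client
    boto3 = None
    ClientError = ()  # an empty tuple makes the except clause below match nothing


class SecretRetrievalError(Exception):
    """Raised with the secret's name and a reason, never the secret value."""


def get_secret(secret_name, region_name, client=None):
    """Return the key/value pairs of a Secrets Manager secret as a dict."""
    if client is None:
        if boto3 is None:
            raise SecretRetrievalError("boto3 is not installed")
        client = boto3.client("secretsmanager", region_name=region_name)
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except ClientError as err:
        # Surface only the AWS error code, for example
        # ResourceNotFoundException or AccessDeniedException.
        code = err.response["Error"]["Code"]
        raise SecretRetrievalError(f"{secret_name}: {code}") from None

    secret_string = response.get("SecretString")
    if secret_string is None:
        # Binary secrets are returned under 'SecretBinary' instead.
        raise SecretRetrievalError(f"{secret_name}: no SecretString in response")
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError:
        # Report the failure without echoing any part of the string.
        raise SecretRetrievalError(f"{secret_name}: SecretString is not JSON") from None
    if not isinstance(secret, dict):
        raise SecretRetrievalError(f"{secret_name}: expected a JSON object")
    return secret


if __name__ == "__main__":
    # Hypothetical secret name; the region is the one used in this post.
    creds = get_secret("example/service-account", "eu-west-2")
    print(sorted(creds))  # print the key names only, never the values
```
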

Join me in my next blog where I discuss placing this code into an AWS Lambda.

