# aws-secret-wrapper

A command-line tool that injects AWS Secrets Manager secrets as environment variables for your applications.

## Features

- Fetches secrets from AWS Secrets Manager
- Injects secrets as environment variables
- Supports JSON-formatted secrets
- Clean environment isolation

## Prerequisites

- Rust toolchain (stable)
- AWS credentials
- AWS Secrets Manager access
## Installation

- Clone and build:

  ```bash
  git clone [repository-url]
  cd aws-secret-wrapper
  cargo build --release
  ```

- Configure AWS credentials. Create a `config.yaml` file:

  ```yaml
  aws_access_key: "YOUR_AWS_ACCESS_KEY"
  aws_secret_key: "YOUR_AWS_SECRET_KEY"
  aws_region: "us-east-1"
  ```

  or copy the example file:

  ```bash
  cp config.example.yaml config.yaml
  ```
## Usage

Basic syntax:

```bash
aws-secret-wrapper --secret-id <SECRET_ID> -- <COMMAND> [ARGS...]
```

Multiple secret IDs are supported as comma-separated values:

```bash
aws-secret-wrapper --secret-id <SECRET_ID1>,<SECRET_ID2> -- <COMMAND> [ARGS...]
```

The region can be changed with `--region`:

```bash
aws-secret-wrapper --secret-id <SECRET_ID> --region <REGION> -- <COMMAND> [ARGS...]
```

Secret IDs can also be read from a file. Assume your file is named `secretIds` and contains one secret ID per line; each line is fetched in turn and injected into the environment:

```
my-secret-id-1
```

or

```
my-secret-id-1
my-secret-id-2
```

```bash
aws-secret-wrapper --sf <FILENAME> -- <COMMAND> [ARGS...]
```
## Examples

- Run a Node.js app:

  ```bash
  ./target/release/aws-secret-wrapper --secret-id dev/myapp/secrets -- node app.js
  ```

- Run with arguments:

  ```bash
  ./target/release/aws-secret-wrapper --secret-id dev/myapp/secrets -- npm start --port 3000
  ```

- Run a Python script:

  ```bash
  ./target/release/aws-secret-wrapper --secret-id dev/myapp/secrets -- python script.py arg1 arg2
  ```

- Run with the Linux runtime:

  ```bash
  ./target/release/aws-secret-wrapper --secret-id <SECRET_ID> -- printenv | grep YOUR_SECRET_KEY
  ```

- Run with the Linux runtime and a secret ID file:

  ```bash
  ./target/release/aws-secret-wrapper --sf <FILENAME> -- printenv | grep YOUR_SECRET_KEY
  ```
## Secret Format

Your AWS Secrets Manager secret should be in JSON format:

```json
{
  "DB_PASSWORD": "mysecret123",
  "API_KEY": "abc123xyz",
  "DATABASE_URL": "postgresql://user:pass@localhost:5432/db"
}
```
## Important Notes

- The `--` separator is required
- Everything after `--` is treated as the command to run
- Never commit `config.yaml` to version control
- Secrets must be valid JSON objects
## Exit Codes

- Returns the wrapped command's exit code on success
- Returns 1 if:
  - Secret retrieval fails
  - Secret is not valid JSON
  - Command execution fails
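The secret-ID handling from the usage section and the exit-code rules above, as an added Rust example that is not the project's own code. It assumes the fetched secret has already been parsed into a string map (the real tool performs the Secrets Manager call and the JSON parsing), that IDs are trimmed and de-duplicated, and that "clean environment isolation" means the child starts from an empty environment plus `PATH`.

```rust
use std::collections::BTreeMap;
use std::process::Command;

/// Split `--secret-id a,b` or the lines of an `--sf` file into trimmed,
/// non-empty, de-duplicated secret IDs (assumed behaviour, not the tool's code).
pub fn parse_secret_ids(raw: &str) -> Vec<String> {
    let mut ids: Vec<String> = Vec::new();
    for id in raw.split(|c: char| c == ',' || c == '\n').map(str::trim) {
        if !id.is_empty() && !ids.iter().any(|x| x == id) {
            ids.push(id.to_string());
        }
    }
    ids
}

/// Run `argv` (everything after `--`) with the secrets as its environment and
/// return the code the wrapper should exit with: the child's own exit code, or
/// 1 when the command cannot be executed.
pub fn run_wrapped(argv: &[&str], secrets: &BTreeMap<String, String>) -> i32 {
    let (program, args) = match argv.split_first() {
        Some(parts) => parts,
        None => return 1, // nothing after `--`: treated as an execution failure
    };
    let mut cmd = Command::new(program);
    cmd.args(args);
    // Assumption: isolation means the child sees only the injected secrets,
    // so the parent environment is dropped rather than copied.
    cmd.env_clear();
    if let Ok(path) = std::env::var("PATH") {
        cmd.env("PATH", path); // keep PATH so `node`, `python`, ... still resolve
    }
    cmd.envs(secrets); // one environment variable per JSON key
    match cmd.status() {
        Ok(status) => status.code().unwrap_or(1), // killed by a signal -> 1
        Err(_) => 1, // spawn failed: binary not found, not executable, ...
    }
}
```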
## Security Best Practices

- Store AWS credentials securely
- Use appropriate IAM permissions
- Keep `config.yaml` private
- Use environment-specific secrets
## Development

```bash
# Build debug version
cargo build

# Run tests
cargo test

# Format code
cargo fmt

# Check for errors
cargo check
```
## Docker Usage

There are two main ways to use this tool in Docker:

When using this tool as a GitHub Action, the binary is automatically copied to your workspace. This means that when you do `COPY . .` in your Dockerfile, the `aws-secret-wrapper` binary is already in your build context.

Example workflow and Dockerfile usage:

- Note: passing `secrets.AWS_ACCESS_KEY` directly is not going to work because of a GitHub restriction; use `env.XXX` instead, since GitHub masks the value and it is safe to pass into the action.

```yaml
# Your GitHub workflow
steps:
  - uses: actions/[email protected]
  - uses: ribonred/[email protected]
    with:
      aws_access_key: ${{ env.AWS_ACCESS_KEY }}
      aws_secret_key: ${{ env.AWS_SECRET_KEY }}
      aws_region: 'us-east-1'
  - name: Build and push Docker image
    run: |
      docker build -t myapp .
      docker push myapp
```

assuming your Dockerfile looks like this:

```dockerfile
# Your application's Dockerfile
FROM python:3.9-slim

# Copy your application code including the aws-secret-wrapper binary
COPY . .

# The binary will be available in your application directory,
# so you can do the following
ENTRYPOINT ["./aws-secret-wrapper", "--secret-id", "your-secret-id", "--"]
CMD ["python", "app.py"]
```
## License

MIT