@eddiecorrigall
Last active January 19, 2023 04:28
AWS Secrets Manager store and restore files with pure bash
```bash
#!/bin/bash
# restore.sh
set -e
# Example:
# SECRET_ARN='arn:aws:secretsmanager:ca-central-1:123456789012:secret:my-passbolt-secret-files-abc123' \
# ./restore.sh
export DELIMITER=','
if [ -z "$SECRET_ARN" ]; then
  echo 'ERROR: missing environment variable!' >&2
  echo 'Provide SECRET_ARN' >&2
  exit 1
fi
export SECRET_CSV
SECRET_CSV="$(mktemp)"
# The temp file holds every secret in clear; remove it when the script exits.
trap 'rm -f "$SECRET_CSV"' EXIT
echo "secret csv: $SECRET_CSV"
# The CLI returns SecretBinary base64-encoded, so decode it once to get the CSV back.
aws secretsmanager get-secret-value \
  --no-cli-pager \
  --query SecretBinary \
  --output text \
  --secret-id "$SECRET_ARN" \
  | base64 --decode \
  > "$SECRET_CSV"
# Each CSV line is "<path>,<base64 of file contents>". Paths may include
# subdirectories (e.g. gpg/serverkey.asc), so create them before writing.
while IFS="$DELIMITER" read -r SECRET_FILE SECRET_BASE64; do
  [ -n "$SECRET_FILE" ] || continue
  echo "secret file: $SECRET_FILE"
  mkdir -p "$(dirname "$SECRET_FILE")"
  echo "$SECRET_BASE64" | base64 --decode > "$SECRET_FILE"
done < "$SECRET_CSV"
```
```bash
#!/bin/bash
# store.sh
set -e
# Example:
# $ SECRET_NAME=my-passbolt-secret-files ./store.sh <<FILES
# > passbolt.php
# > gpg/serverkey.asc
# > gpg/serverkey_private.asc
# > jwt/jwt.key
# > jwt/jwt.pem
# > FILES
export DELIMITER=','
export SECRET_CSV
SECRET_CSV="$(mktemp)"
# The temp file holds every file in clear; remove it when the script exits.
trap 'rm -f "$SECRET_CSV"' EXIT
echo "secret csv: $SECRET_CSV"
export SECRET_BASE64
# One CSV record per file path read from stdin: "<path>,<base64 of contents>".
# base64 wraps its output at 76 columns, which would split a record over several
# lines, so the newlines are stripped. Paths must not contain the delimiter.
while IFS= read -r SECRET_FILE; do
  [ -n "$SECRET_FILE" ] || continue
  case "$SECRET_FILE" in
    *"$DELIMITER"*) echo "ERROR: path contains '$DELIMITER': $SECRET_FILE" >&2; exit 1 ;;
  esac
  SECRET_BASE64="$(base64 < "$SECRET_FILE" | tr -d '\n')"
  echo "${SECRET_FILE}${DELIMITER}${SECRET_BASE64}" >> "$SECRET_CSV"
done
if [ -n "$SECRET_NAME" ]; then
  aws secretsmanager create-secret \
    --no-cli-pager \
    --name "$SECRET_NAME" \
    --secret-binary "fileb://${SECRET_CSV}"
elif [ -n "$SECRET_ARN" ]; then
  aws secretsmanager update-secret \
    --no-cli-pager \
    --secret-id "$SECRET_ARN" \
    --secret-binary "fileb://${SECRET_CSV}"
else
  echo 'ERROR: missing environment variable!' >&2
  echo 'Provide SECRET_NAME (to create) or SECRET_ARN (to update)' >&2
  exit 1
fi
```

AWS Secrets Manager: File Store/Restore

When working with Secrets Manager, it is easy to create a JSON secret, but in bash it is difficult to parse JSON without jq.

This is a solution to store and restore one or more files as an AWS Secrets Manager secret using a CSV, which is very easy for bash to parse: each line holds a file path and the base64 of that file's contents, so the only parsing needed is a split on the delimiter.
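The same "path,base64" format round-tripped offline, as an added example that is not part of the gist: it packs constructed sample files, unpacks them into a separate directory, and verifies them byte for byte, covering the two cases that break a naive encoder (a file longer than base64's 76-column wrap and a file in a subdirectory). The function names are this example's own.

```bash
#!/bin/bash
# Added example (not the gist's code): offline pack/unpack of the CSV format.
set -euo pipefail

DELIMITER=','

# pack_secret_csv OUTPUT_CSV FILE... : one record per file, with base64 line
# wrapping removed so each file occupies exactly one CSV line.
pack_secret_csv() {
  local out="$1"; shift
  local f
  : > "$out"
  for f in "$@"; do
    case "$f" in
      *"$DELIMITER"*) echo "ERROR: path contains delimiter: $f" >&2; return 1 ;;
    esac
    printf '%s%s%s\n' "$f" "$DELIMITER" "$(base64 < "$f" | tr -d '\n')" >> "$out"
  done
}

# unpack_secret_csv INPUT_CSV DEST_DIR : recreate each file under DEST_DIR,
# creating parent directories and keeping the files owner-readable only.
unpack_secret_csv() {
  local in="$1" dest="$2"
  local path b64
  while IFS="$DELIMITER" read -r path b64; do
    [ -n "$path" ] || continue
    mkdir -p "$dest/$(dirname "$path")"
    (umask 077; printf '%s' "$b64" | base64 --decode > "$dest/$path")
  done < "$in"
}

# roundtrip_ok: returns 0 when every constructed sample file survives
# pack + unpack unchanged and the CSV has exactly one line per file.
roundtrip_ok() {
  local work csv f
  work="$(mktemp -d)"
  mkdir -p "$work/src/gpg"
  printf 'short\n' > "$work/src/passbolt.php"
  head -c 200 /dev/zero | tr '\0' 'A' > "$work/src/gpg/serverkey.asc"
  csv="$work/secret.csv"
  (cd "$work/src" && pack_secret_csv "$csv" passbolt.php gpg/serverkey.asc)
  [ "$(wc -l < "$csv")" -eq 2 ] || return 1
  unpack_secret_csv "$csv" "$work/dst"
  for f in passbolt.php gpg/serverkey.asc; do
    cmp -s "$work/src/$f" "$work/dst/$f" || return 1
  done
  rm -rf "$work"
}
```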
