secret

Note

As of the Secrets Manager version 0.3.0, CLI syntax has been changed. The command to list projects, for example has changed from bws list projects to bws project list.

The old syntax will temporarily remain supported in the Secrets Manager CLI. If you are not sure what version of the Secrets Manager CLI you’re using, enter bws --version.

The secret command is used to access, manipulate, and create secrets. As with all commands, secrets and projects outside your access token’s scope of access cannot be read or written-to.

Subcommands

• create: create a new secret
• delete: delete one or more secrets
• edit: edit a secret
• get: retrieve a specific secret
• list: list the secrets a machine account has access to

For additional details regarding the commands available for secret, use: bws secret --help

secret create

Use bws secret create to create a new secret. This command requires a KEY, VALUE, and PROJECT_ID:

bws secret create <KEY> <VALUE> <PROJECT_ID>

Optionally, you can add a note using the --note <NOTE> option. For example:

bws secret create SES_KEY 0.982492bc-7f37-4475-9e60 f588b2f2-4780-4a78-be2a-b02d014d622f --note "API Key for AWS SES"

This command, by default, will return a JSON object and save the secret to Secrets Manager. You can alter the output format using the --output flag (learn more).

{
  "object": "secret",
  "id": "be8e0ad8-d545-4017-a55a-b02f014d4158",
  "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
  "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
  "key": "SES_KEY",
  "value": "0.982492bc-7f37-4475-9e60",
  "note": "API Key for AWS SES",
  "creationDate": "2023-06-28T20:13:20.643567Z",
  "revisionDate": "2023-06-28T20:13:20.643567Z"
}

secret delete

Use bws secret delete to delete one or more secrets designated by the SECRET_IDS.

bws secret delete <SECRET_IDS>

To delete a single secret with the id be8e0ad8-d545-4017-a55a-b02f014d4158:

bws secret delete be8e0ad8-d545-4017-a55a-b02f014d4158

For multiple secrets where the ids are 382580ab-1368-4e85-bfa3-b02e01400c9f and 47201c5c-5653-4e14-9007-b02f015b2d82:

bws secret delete 382580ab-1368-4e85-bfa3-b02e01400c9f 47201c5c-5653-4e14-9007-b02f015b2d82

Output:

1 secret deleted successfully.

secret edit

To edit a secret, the following structure will apply changes to the chosen value. From the CLI this commands can edit the secret KEY, VALUE, NOTE, or PROJECT_ID.

bws secret edit <SECRET_ID> --key <KEY> --value <VALUE> --note <NOTE> --project-id <PROJECT_ID>

For example, if you wish to add a note to an existing secret:

bws secret edit be8e0ad8-d545-4017-a55a-b02f014d4158 --note "I am adding a note"

Note

Include quotation marks around the string when editing a NOTE containing spaces.

To edit multiple fields where SES_KEY2 is the new key and 0.1982492bc-7f37-4475-9e60 is the new value:

bws secret edit be8e0ad8-d545-4017-a55a-b02f014d4158 --key SES_KEY2 --value 0.1982492bc-7f37-4475-9e60

Output:

{
  "object": "secret",
  "id": "be8e0ad8-d545-4017-a55a-b02f014d4158",
  "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
  "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
  "key": "SES_KEY2",
  "value": "0.1982492bc-7f37-4475-9e60",
  "note": "I am adding a note",
  "creationDate": "2023-06-28T20:13:20.643567Z",
  "revisionDate": "2023-06-28T20:45:37.46232Z"
}

secret get

Use bws secret get to retrieve a specific secret:

bws secret get <SECRET_ID>

By default, this command will retrieve the secret object with the SECRET_ID.

bws secret get be8e0ad8-d545-4017-a55a-b02f014d4158

By default, get will return objects as a JSON array, as shown in the following example. You can alter the output format using the --output flag (learn more).

{
  "object": "secret",
  "id": "be8e0ad8-d545-4017-a55a-b02f014d4158",
  "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
  "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
  "key": "SES_KEY",
  "value": "0.982492bc-7f37-4475-9e60",
  "note": "",
  "creationDate": "2023-06-28T20:13:20.643567Z",
  "revisionDate": "2023-06-28T20:13:20.643567Z"
}

secret list

To list the secrets the machine account can access, use the following command:

bws secret list

You can also list only the secrets in a specific project by using the following command, where e325ea69-a3ab-4dff-836f-b02e013fe530 represents a project identifier:

bws secret list e325ea69-a3ab-4dff-836f-b02e013fe530

By default, list will return objects as a JSON array, as in the following example. You can alter the output format using the --output flag (learn more).

[
  {
    "object": "secret",
    "id": "382580ab-1368-4e85-bfa3-b02e01400c9f",
    "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
    "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
    "key": "Repository 1",
    "value": "1234567ertthrjytkuy",
    "note": "Main Repo",
    "creationDate": "2023-06-27T19:25:15.822004Z",
    "revisionDate": "2023-06-27T19:25:15.822004Z"
  },
  {
    "object": "secret",
    "id": "be8e0ad8-d545-4017-a55a-b02f014d4158",
    "organizationId": "10e8cbfa-7bd2-4361-bd6f-b02e013f9c41",
    "projectId": "e325ea69-a3ab-4dff-836f-b02e013fe530",
    "key": "SES_KEY",
    "value": "0.982492bc-7f37-4475-9e60",
    "note": "",
    "creationDate": "2023-06-28T20:13:20.643567Z",
    "revisionDate": "2023-06-28T20:13:20.643567Z"
  }
]