Retrieve secrets from AWS Secrets Manager by version

AWS Secrets Manager stores secrets and credentials and keeps them versioned. In this article, we show how to retrieve a specific version of a secret from AWS Secrets Manager using the AWS CLI.

AWS Secrets Manager

As mentioned earlier, AWS Secrets Manager is a powerful tool for storing secrets and credentials, and one of its strong points is versioning. Every time a secret value changes, Secrets Manager creates a new version and marks it AWSCURRENT, while the version it replaced keeps the AWSPREVIOUS label. This lets you retrieve the previous value easily, for example after a misconfiguration. Keep in mind that only labelled versions are retained: once a version loses its last staging label, Secrets Manager deprecates it and eventually deletes it, so versioning is a safety net for the last change, not a long-term history.

Unfortunately, the AWS Console does not offer a way to read the value of an older version. Therefore, one must use either the AWS CLI or an SDK. Here, we cover the former and leave the latter to you.

Retrieve secrets by version using the AWS CLI

The first step is to create a secret in Secrets Manager and configure your AWS CLI. If you are unfamiliar with that, read our getting started with Secrets Manager article before continuing.

Once your AWS CLI is configured, you can retrieve the current value of a secret like this:

$ aws secretsmanager get-secret-value --secret-id [SECRET_ID]

To retrieve a secret by a specific version id, you need to find that version id first. List the versions of the secret with

$ aws secretsmanager list-secret-version-ids --secret-id [SECRET_ID]

which returns output like the following:

{
    "Versions": [
        {
            "VersionId": "99ed332e-a013-11ee-8c90-0242ac120002",
            "VersionStages": [
                "AWSPREVIOUS"
            ],
            "LastAccessedDate": "2023-12-16T01:00:00+01:00",
            "CreatedDate": "2023-12-10T00:19:16.528000+01:00",
            "KmsKeyIds": [
                "DefaultEncryptionKey"
            ]
        },
        {
            "VersionId": "59c70e36-a014-11ee-8c90-0989ac123682",
            "VersionStages": [
                "AWSCURRENT"
            ],
            "LastAccessedDate": "2023-12-17T01:00:00+01:00",
            "CreatedDate": "2023-12-19T10:23:43.703000+01:00",
            "KmsKeyIds": [
                "DefaultEncryptionKey"
            ]
        }
    ],
    "ARN": "arn:aws:secretsmanager:eu-central-1:109834567290:secret:SECRET_ID-x69K1S",
    "Name": "SECRET_ID"
}

AWSCURRENT and AWSPREVIOUS are staging labels, not version names: AWSCURRENT marks the version currently in effect, and AWSPREVIOUS marks the version it replaced. A given label is attached to at most one version of a secret, and a freshly created secret that has never been updated has no AWSPREVIOUS version at all.

To retrieve the previous version, copy the value of its VersionId field and run this command:

$ aws secretsmanager get-secret-value --secret-id [SECRET_ID] --version-id [VERSION_ID]

Because each staging label is unique within a secret, get-secret-value also accepts --version-stage AWSPREVIOUS in place of --version-id when all you want is the previous value.
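The steps above, as an added example that is not part of the original article: the script selects the version id carrying a given staging label from the output of list-secret-version-ids, handles the case where no AWSPREVIOUS version exists, and builds the get-secret-value command safely quoted. It goes one step further than the article by also building the update-secret-version-stage command that makes the previous version current again. The JSON below is a constructed copy of the article's sample output; the secret name, account id and version ids are placeholders, not real resources.

```python
"""Select a Secrets Manager version by staging label and build the matching
AWS CLI commands.

Added example, not code from the original article. It runs offline on a
constructed copy of the article's `list-secret-version-ids` output; the
secret name, account id and version ids are placeholders.
"""
import json
import shlex
from typing import Optional

# Constructed sample mirroring the article's list-secret-version-ids output.
SAMPLE_LIST_OUTPUT = json.dumps({
    "Versions": [
        {
            "VersionId": "99ed332e-a013-11ee-8c90-0242ac120002",
            "VersionStages": ["AWSPREVIOUS"],
            "CreatedDate": "2023-12-10T00:19:16.528000+01:00",
        },
        {
            "VersionId": "59c70e36-a014-11ee-8c90-0989ac123682",
            "VersionStages": ["AWSCURRENT"],
            "CreatedDate": "2023-12-19T10:23:43.703000+01:00",
        },
    ],
    "ARN": "arn:aws:secretsmanager:eu-central-1:109834567290:secret:SECRET_ID-x69K1S",
    "Name": "SECRET_ID",
})


def version_id_for_stage(list_output: str, stage: str) -> Optional[str]:
    """Return the VersionId carrying staging label `stage`, or None.

    A staging label is attached to at most one version of a secret, so the
    first match is the only one. A secret that has only ever had one value
    carries no AWSPREVIOUS label, which is why callers must handle None.
    """
    for version in json.loads(list_output).get("Versions", []):
        if stage in version.get("VersionStages", []):
            return version["VersionId"]
    return None


def get_value_command(secret_id: str, version_id: str) -> str:
    """The article's command for reading one specific version.

    shlex.join quotes each argument, so a secret name containing spaces or
    shell metacharacters cannot break the command or smuggle in another one.
    """
    return shlex.join([
        "aws", "secretsmanager", "get-secret-value",
        "--secret-id", secret_id, "--version-id", version_id,
    ])


def rollback_command(secret_id: str, current_id: str, previous_id: str) -> str:
    """Command that moves AWSCURRENT back onto the previous version.

    This goes beyond the article: instead of only reading the old value, it
    makes the old version current again. Secrets Manager then moves
    AWSPREVIOUS onto the version that AWSCURRENT was removed from, so the
    mistaken value stays readable for a second look.
    """
    return shlex.join([
        "aws", "secretsmanager", "update-secret-version-stage",
        "--secret-id", secret_id,
        "--version-stage", "AWSCURRENT",
        "--move-to-version-id", previous_id,
        "--remove-from-version-id", current_id,
    ])


if __name__ == "__main__":
    name = json.loads(SAMPLE_LIST_OUTPUT)["Name"]
    current = version_id_for_stage(SAMPLE_LIST_OUTPUT, "AWSCURRENT")
    previous = version_id_for_stage(SAMPLE_LIST_OUTPUT, "AWSPREVIOUS")
    if previous is None:
        raise SystemExit(f"{name}: only one version exists, nothing to fall back to")
    print(get_value_command(name, previous))
    print(rollback_command(name, current, previous))
```

In practice you would feed the script the real output, for example by piping aws secretsmanager list-secret-version-ids into it, and run the printed commands only after reviewing them; the rollback command changes which value every consumer of the secret receives, so treat it as a deployment step, not a read.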

Alternatively, you can retrieve a secret by version programmatically. Our how-to on retrieving database credentials from AWS Secrets Manager in a Spring Boot application should be a good starting place. Additionally, consult the AWS Secrets Manager SDK documentation for your language.

Conclusion

In this article, we covered how to retrieve a specific version of a secret from AWS Secrets Manager using the AWS CLI. This feature is quite practical for recovery when a secret value is overwritten by mistake. A deleted secret is a different case: it is not recovered through versions but remains restorable during its recovery window with aws secretsmanager restore-secret. Of course, one is not limited to the AWS CLI and can retrieve a secret by version programmatically.
