AWS Secret to File Command Line Utility

Sometimes you need to retrieve data from AWS Secrets Manager, but extending your application to support it or installing the AWS CLI can be redundant or overly complicated. For these cases, I created a simple binary CLI tool.

Background

AWS Secrets Manager is a powerful service for handling sensitive objects. In this service, you can store not only database credentials but also key-value pairs, plaintext, and binary secrets. It is often very useful to manage sensitive data (such as JKS, TLS certificates and keys, or SSH keys) in Secrets Manager and deliver it to your workload on demand.

I love this use case, and to simplify and speed up the process, I created a very simple tool to retrieve plaintext or binary secrets and save them to a local file. I mostly use it in sidecars or init containers to bring required data to my workload.

How to Use It

To download a binary secret, simply run:

/bin/aws-secret-to-file --secret=/secret/name/here --output=./location/for/the/file --binary

The same approach works for plaintext secrets. You can retrieve a single secret:

/bin/aws-secret-to-file --secret=/secret/name/here --output=./location/for/the/file

Or retrieve multiple secrets:

/bin/aws-secret-to-file \
--secret=/secret/name/here1 --output=./location/for/the/file1 \
--secret=/secret/name/here2 --output=./location/for/the/file2
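
The sketch below is an added example, not the tool's source code. It shows the SecretBinary/SecretString split in the Secrets Manager GetSecretValue response that a flag like --binary has to choose between, and writes the result with owner-only permissions via an atomic rename. It assumes a boto3-style client; the function name secret_to_file and its parameters are hypothetical.

```python
import os
import tempfile


def secret_to_file(client, secret_id, output, binary=False):
    """Fetch one secret and write it to `output` with owner-only permissions."""
    resp = client.get_secret_value(SecretId=secret_id)
    # GetSecretValue fills exactly one of SecretBinary / SecretString.
    key = "SecretBinary" if binary else "SecretString"
    if resp.get(key) is None:
        raise ValueError(f"{secret_id}: no {key} in response; check the binary flag")
    data = resp[key] if binary else resp[key].encode("utf-8")

    out_dir = os.path.dirname(os.path.abspath(output))
    # mkstemp creates the file with mode 0600, so the secret is never
    # readable by other users, even briefly, whatever the process umask is.
    fd, tmp = tempfile.mkstemp(dir=out_dir, prefix=".secret-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        # Atomic rename: the workload sees the complete file or no file.
        os.replace(tmp, output)
    except BaseException:
        # Do not leave a partial secret behind on failure.
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return len(data)


if __name__ == "__main__":
    import boto3  # assumption: AWS credentials and region come from the environment

    # Placeholder secret name and path, as in the commands above.
    secret_to_file(boto3.client("secretsmanager"),
                   "/secret/name/here", "./location/for/the/file", binary=True)
```

In an init container or sidecar, the output directory is typically a volume shared with the workload, so the file mode and the owning UID decide who can read the secret.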

How to Get It

Pull the Docker image from GitHub.