aws_secretsmanager Function
Secrets can be read from the AWS Secrets Manager and used within your template as locals.
Note: Support for AWS secrets will always obtain the latest version of a secret, essentially AWSCURRENT. Support for previous versions of a secret is not supported.
aws_secretsmanager(name, key)
When key is not set (null
or empty: ""
) then aws_secretsmanager
returns
the first secret key stored in secret name
.
You can either use this function in a locals
block or directly inline where
you want to use the value.
locals { secret = aws_secretsmanager("my_secret", null)} source "null" "first-example" { communicator = "none"} build { name = "my-build-name" sources = ["null.first-example"] provisioner "shell-local" { environment_vars = ["TESTVAR=${build.PackerRunUUID}"] inline = ["echo my_secret is '${local.secret}'", "echo my_secret using an inline call is '${aws_secretsmanager("my_secret", null)}'."] }}
This will load the key stored behind my_secret
from aws secrets manager.
The retrieval of single key secrets or plaintext secrets can be obtained by specifying (null
or empty: ""
) as the key
.
When obtaining secrets that have multiple keys you can set key
to the specific key you would like
to fetch. For example, given the following secret with two keys if key
is set to "shell" aws_secretsmanager
will
return only its value.
{ "test": "kitchen", "shell": "powershell"}
locals { secret = aws_secretsmanager("multikey/secret", "shell")} source "null" "first-example" { communicator = "none"} build { name = "my-build-name" sources = ["null.first-example"] provisioner "shell-local" { environment_vars = ["TESTVAR=${build.PackerRunUUID}"] inline = ["echo my_secret is '${local.secret}'"] }}
This will load the value "powershell"
stored in the key "shell"
behind multikey/secret
.
In order to use this function you have to configure valid AWS credentials using one of the following methods: