Skip to main content

Command line tool for working with aws secrets manager

Project description


CirclecI Test Coverage Maintainability PyPI version License Command-line tool for working with aws secrets manager.


secretctl is a python package.

$ pip install secretctl


'secretctl' requires an authenticated AWS user with permissions to use the Secrets Manager, as resolved by boto3. The primary example being identity settings in ~/.aws/credentials. A recommended way to do this is using aws-vault, as in:

$ aws-vault exec prod -- secretctl ..


Creating and Updating Secrets

$ secretctl create <path/key> <value | ->

This command will write a secret into the Secret Managers. If - is provided as the value argument, the value will be read from standard input. A description can be added using the --description flag. Tags are added using the --tags flag and flag values in the tag=value format.

$ secretctl create <path/key> <value> --description <STRING> --tags <tag>=<value>, ..

If the path/key already exists, the process will fail. Use update to change the value of a secret.

$ cat <filename> | secretctl update myapp/dev/public-key -

Use secretctl tag and secretctl untag to add/remove/modify tags.

Reading Secrets

$ secretctl read myapp/dev/docker_login

   Path/Key                   Version   Value
   myapp/dev/docker_login     1         mydockerlogin

Use --quiet to return only the secret value.

Listing Secrets

$ secretctl list --path di/dev/

Path/Key                Description                             Tags
di/dev/docker_username  access credentials for private regis..  team=di, circleci-context=team-di
di/dev/docker_password  access credentials for private regis..  team=di, circleci-context=team-di
di/dev/vault_token      team vault token                        team=di, circleci-context=team-di
Found 3 secrets.

If no --path is provided, all secrets will be listed. Use the --tags to filter for secrets where tags or values match STRING.


$ secretctl export di/dev/


Example use in a deploy pipeline:

$ secretctl export di/dev/ > local.env
$ source local.env

export can export secrets in various file formats. The following file formats are supported:

  • tfvars (default)
  • json
  • csv

under development

sercretctl does not yet support: custom KMS key binary secret value type (unit testing) no moto support for testing descriptions or resource tags

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for secretctl, version 0.0.19
Filename, size File type Python version Upload date Hashes
Filename, size secretctl-0.0.19-py3-none-any.whl (10.2 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size secretctl-0.0.19.tar.gz (8.3 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page