AWS Secrets Manager Provider
The AWS Secrets Manager provider integrates with AWS for centralized secret management.
Prerequisites
- AWS account with Secrets Manager access
- AWS credentials configured (CLI, environment variables, IAM roles, or SSO)
- Build with --features awssm
Configuration
URI Format

```
awssm://[AWS_PROFILE@]REGION
```

- REGION: AWS region (e.g., us-east-1). If omitted, the SDK default region chain is used.
- AWS_PROFILE: Optional AWS profile from ~/.aws/credentials. If omitted, the SDK default credential chain is used.
Examples
```bash
# Set a secret (SDK default credentials)
$ secretspec set DATABASE_URL --provider awssm://us-east-1

# Use a specific AWS profile
$ secretspec check --provider awssm://production@us-east-1

# Get a secret
$ secretspec get DATABASE_URL --provider awssm://us-east-1

# Run with secrets
$ secretspec run --provider awssm://us-east-1 -- npm start

# Use SDK defaults for both profile and region
$ secretspec set DATABASE_URL --provider awssm
```

Basic Commands

```bash
# Set a secret
$ secretspec set DATABASE_URL --provider awssm://us-east-1
Enter value for DATABASE_URL: postgresql://localhost/mydb
✓ Secret 'DATABASE_URL' saved to awssm (profile: default)

# Import from .env
$ secretspec import dotenv://.env
```

Secret Naming
Secrets are stored as: secretspec/{project}/{profile}/{key}
Example: secretspec/myapp/production/DATABASE_URL
Authentication
AWS Secrets Manager uses the standard AWS SDK credential chain:
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- Shared credentials file (~/.aws/credentials)
- AWS SSO (aws sso login)
- IAM roles (EC2 instance profiles, ECS task roles, Lambda execution roles)
Required IAM Permissions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:secretspec/*"
    }
  ]
}
```

```bash
# Using environment variables
$ export AWS_ACCESS_KEY_ID=AKIA...
$ export AWS_SECRET_ACCESS_KEY=...
$ export AWS_DEFAULT_REGION=us-east-1

# Run command
$ secretspec run --provider awssm://us-east-1 -- deploy

# Or with IAM roles (no credentials needed)
$ secretspec run --provider awssm://us-east-1 -- deploy
```
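The policy under Required IAM Permissions covers every project and profile under secretspec/ in all regions and accounts. Because secrets are named secretspec/{project}/{profile}/{key}, a role can be limited to one project and profile. The following is an added example, not part of secretspec: the function names are hypothetical, and the account ID and ARN suffixes are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# Name segments must not contain "/" or IAM wildcards ("*", "?"), which
# would silently widen the Resource pattern.
SEGMENT = re.compile(r"[A-Za-z0-9_+=.@-]+")
READ_ACTIONS = ["secretsmanager:GetSecretValue"]
WRITE_ACTIONS = ["secretsmanager:CreateSecret", "secretsmanager:PutSecretValue"]


def scoped_policy(project, profile, region, account_id, read_only=True):
    """Build an IAM policy limited to secretspec/{project}/{profile}/*."""
    for name, value in (("project", project), ("profile", profile)):
        if not SEGMENT.fullmatch(value):
            raise ValueError(f"unsafe {name} segment: {value!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be 12 digits")
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"unexpected region: {region!r}")
    # The "/" before "*" matters: "secretspec/myapp*" would also match a
    # project named "myapp2". The "*" also covers the random suffix that
    # Secrets Manager appends to the secret name in its ARN.
    resource = (f"arn:aws:secretsmanager:{region}:{account_id}:"
                f"secret:secretspec/{project}/{profile}/*")
    actions = READ_ACTIONS if read_only else READ_ACTIONS + WRITE_ACTIONS
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}],
    }


def allows(policy, arn):
    """Approximate IAM Resource matching ("*" and "?") for a quick local check."""
    return any(fnmatchcase(arn, s["Resource"]) for s in policy["Statement"])


if __name__ == "__main__":
    # Constructed values: the account ID and ARN suffixes are placeholders.
    policy = scoped_policy("myapp", "production", "us-east-1", "123456789012")
    print(json.dumps(policy, indent=2))
    base = "arn:aws:secretsmanager:us-east-1:123456789012:secret:secretspec/"
    for name in ("myapp/production/DATABASE_URL-AbCdEf",
                 "myapp/development/DATABASE_URL-AbCdEf",
                 "otherapp/production/DATABASE_URL-AbCdEf"):
        print(name, "->", allows(policy, base + name))
```

The default read_only=True fits roles that only run `secretspec run` or `secretspec get`; pass read_only=False for roles that also run `secretspec set`.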