
Secrets Manager

Secrets Manager is a service provided by Amazon Web Services (AWS) that enables you to securely store, manage, and retrieve sensitive information such as passwords, API keys, and other credentials. Secrets Manager integrates seamlessly with AWS services, making it easier to manage secrets used by various applications and services. Secrets Manager supports automatic secret rotation, replacing long-term secrets with short-term ones to mitigate the risk of compromise without requiring application updates.

LocalStack allows you to use the Secrets Manager APIs in your local environment to manage, retrieve, and rotate secrets. The supported APIs are available on our API Coverage section, which provides information on the extent of Secrets Manager’s integration with LocalStack.

This guide is designed for users new to Secrets Manager and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.

Start your LocalStack container using your preferred method. We will demonstrate how to create a secret, get the secret value, and rotate the secret using the AWS CLI.

Before you create a secret, create a file named secrets.json and add the following content:

Terminal window
touch secrets.json
cat > secrets.json << EOF
{
"username": "admin",
"password": "password"
}
EOF

You can now create a secret using the CreateSecret API. Execute the following command to create a secret named test-secret:

Terminal window
awslocal secretsmanager create-secret \
--name test-secret \
--description "LocalStack Secret" \
--secret-string file://secrets.json

Upon successful execution, the output will provide you with the ARN of the newly created secret. This identifier will be useful for further operations or integrations.

Output
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-pyfjVP",
"Name": "test-secret",
"VersionId": "a50c6752-3343-4eb0-acf3-35c74f00f707"
}

To retrieve the details of the secret you created earlier, you can use the DescribeSecret API. Execute the following command:

Terminal window
awslocal secretsmanager describe-secret \
--secret-id test-secret

Output
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-pyfjVP",
"Name": "test-secret",
"Description": "LocalStack Secret",
"LastChangedDate": 1692882479.857329,
"VersionIdsToStages": {
"a50c6752-3343-4eb0-acf3-35c74f00f707": [
"AWSCURRENT"
]
},
"CreatedDate": 1692882479.857329
}

You can also get a list of the secrets available in your local environment that have Secret in the name using the ListSecrets API. Execute the following command:

Terminal window
awslocal secretsmanager list-secrets \
--filters Key=name,Values=Secret

To retrieve the value of the secret you created earlier, you can use the GetSecretValue API. Execute the following command:

Terminal window
awslocal secretsmanager get-secret-value \
--secret-id test-secret

Output
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-pyfjVP",
"Name": "test-secret",
"VersionId": "a50c6752-3343-4eb0-acf3-35c74f00f707",
"SecretString": "{\n \"username\": \"admin\",\n \"password\": \"password\"\n}\n",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": 1692882479.857329
}

You can tag your secret using the TagResource API. Execute the following command:

Terminal window
awslocal secretsmanager tag-resource \
--secret-id test-secret \
--tags Key=Environment,Value=Development

To rotate a secret, you need a Lambda function that can rotate the secret. You can copy the code from a Secrets Manager template or you can use a generic Lambda function that rotates the secret.

Zip the function code and create the Lambda function using the CreateFunction API. Execute the following command:

Terminal window
zip my-function.zip lambda_function.py
awslocal lambda create-function \
--function-name my-rotation-function \
--runtime python3.9 \
--zip-file fileb://my-function.zip \
--handler lambda_function.lambda_handler \
--role arn:aws:iam::000000000000:role/service-role/rotation-lambda-role

You can now set a resource policy on the Lambda function to allow Secrets Manager to invoke it using the AddPermission API.

Please note that this is not required with the default LocalStack settings, since IAM permission enforcement is disabled by default.

Execute the following command:

Terminal window
awslocal lambda add-permission \
--function-name my-rotation-function \
--action lambda:InvokeFunction \
--statement-id SecretsManager \
--principal secretsmanager.amazonaws.com

You can now create a rotation schedule for the secret using the RotateSecret API. Execute the following command:

Terminal window
awslocal secretsmanager rotate-secret \
--secret-id test-secret \
--rotation-lambda-arn arn:aws:lambda:us-east-1:000000000000:function:my-rotation-function \
--rotation-rules "{\"ScheduleExpression\": \"cron(0 16 1,15 * ? *)\", \"Duration\": \"2h\"}"

The LocalStack Web Application provides a Resource Browser for managing secrets in your local environment. You can access the Resource Browser by opening the LocalStack Web Application in your browser, navigating to the Resources section, and then clicking on Secrets Manager under the Security Identity Compliance section.

Secrets Manager Resource Browser

The Resource Browser allows you to perform the following actions:

  • Create Secret: Create a new secret by clicking Add a Secret and providing the required details, such as Name, Tags, Kms Key Id, Secret String, and more.
  • View Secrets: View the details of a secret by clicking on the secret name. You can also see the secret value by clicking on Display Secret.
  • Edit Secret: Edit the details of a secret by clicking on the secret name and then clicking Edit Secret and adding the new secret value.
  • Delete Secret: Delete a secret by clicking on the secret name and then clicking Actions and then Remove Selected.

The following code snippets and sample applications provide practical examples of how to use Secrets Manager in LocalStack for various use cases:
