How to use Boto3 to get the details of secrets from a specific location in AWS Secrets Manager

AWS Secrets Manager allows you to securely store and manage sensitive information like API keys, database passwords, and tokens. Using the boto3 library in Python, you can retrieve metadata about secrets stored in specific locations.

Prerequisites

Before using boto3 with AWS Secrets Manager, ensure you have:

  • AWS credentials configured (via AWS CLI, environment variables, or IAM roles)

  • Boto3 library installed: pip install boto3

  • Proper IAM permissions for secretsmanager:DescribeSecret

Approach

Follow these steps to get secret details from AWS Secrets Manager:

  • Step 1: Import boto3 and botocore exceptions to handle errors

  • Step 2: Define the secret_stored_location (SecretId) parameter

  • Step 3: Create a boto3 session with proper region configuration

  • Step 4: Create a Secrets Manager client using secretsmanager

  • Step 5: Call describe_secret() method with the SecretId

  • Step 6: Handle exceptions for robust error management

Example

Here's how to retrieve secret metadata from AWS Secrets Manager:

import boto3
from botocore.exceptions import ClientError

def get_secret_details(secret_stored_location):
    """
    Retrieve metadata for a specific secret from AWS Secrets Manager
    
    Args:
        secret_stored_location (str): The SecretId (name or ARN) of the secret
    
    Returns:
        dict: Secret metadata including ARN, name, and version information
    """
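    # Region is resolved from the environment (AWS_DEFAULT_REGION) or the shared
    # AWS config; pass region_name=... to Session() to set it explicitly.
    session = boto3.session.Session()
    secrets_client = session.client('secretsmanager')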
    
    try:
        response = secrets_client.describe_secret(SecretId=secret_stored_location)
        return response
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'ResourceNotFoundException':
            # Chain the original error so the AWS request details stay in the traceback
            raise Exception(f"Secret '{secret_stored_location}' not found") from e
        else:
            raise Exception(f"AWS client error: {e}") from e
    except Exception as e:
        raise Exception(f"Unexpected error in get_secret_details: {e}") from e

# Example usage
try:
    secret_details = get_secret_details('/secrets/aws')
    print("Secret ARN:", secret_details['ARN'])
    print("Secret Name:", secret_details['Name'])
    print("Last Changed:", secret_details['LastChangedDate'])
    print("Last Accessed:", secret_details.get('LastAccessedDate', 'N/A'))
except Exception as e:
    print(f"Error: {e}")

Output

Secret ARN: arn:aws:secretsmanager:us-east-1:***************:secret:/secrets/aws-wr1Aj6
Secret Name: /secrets/aws
Last Changed: 2021-04-03 17:06:57.601000+00:00
Last Accessed: 2021-04-03 05:30:00+00:00

Key Response Fields

The describe_secret() method returns several important fields:

  • ARN: The Amazon Resource Name of the secret

  • Name: The user-friendly name of the secret

  • LastChangedDate: When the secret was last modified

  • LastAccessedDate: When the secret was last accessed

  • VersionIdsToStages: Current and previous version information
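
The fields above, together with a few other describe_secret() response fields the page does not list (RotationEnabled, KmsKeyId, DeletedDate), are enough to drive a basic hygiene audit of a secret. This is an added example, not code from the original article; the function name, finding codes, 90-day thresholds and the sample response are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a describe_secret() response; values are not real.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:/secrets/aws-EXAMPLE",
    "Name": "/secrets/aws",
    "RotationEnabled": False,
    "LastChangedDate": datetime(2021, 4, 3, 17, 6, 57, tzinfo=timezone.utc),
    "LastAccessedDate": datetime(2021, 4, 3, tzinfo=timezone.utc),
    "VersionIdsToStages": {
        "11111111-aaaa-4bbb-8ccc-000000000001": ["AWSCURRENT"],
        "11111111-aaaa-4bbb-8ccc-000000000002": ["AWSPREVIOUS"],
    },
}


def audit_secret_metadata(meta, now=None, max_age_days=90, max_idle_days=90):
    """Return a sorted list of finding codes for one describe_secret() response."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if "DeletedDate" in meta:
        findings.append("SCHEDULED_FOR_DELETION")
    if not meta.get("RotationEnabled", False):
        findings.append("ROTATION_DISABLED")
    # KmsKeyId is omitted when the secret uses the AWS managed key aws/secretsmanager.
    if not meta.get("KmsKeyId"):
        findings.append("AWS_MANAGED_KMS_KEY")
    # LastChangedDate covers any modification, so it is an upper bound on value freshness.
    changed = meta.get("LastChangedDate")
    if changed is None or now - changed > timedelta(days=max_age_days):
        findings.append("NOT_MODIFIED_RECENTLY")
    # A secret nobody reads is a candidate for removal.
    accessed = meta.get("LastAccessedDate")
    if accessed is None or now - accessed > timedelta(days=max_idle_days):
        findings.append("UNUSED")
    stages = meta.get("VersionIdsToStages", {})
    current = [vid for vid, labels in stages.items() if "AWSCURRENT" in labels]
    if len(current) != 1:
        findings.append("NO_SINGLE_AWSCURRENT")
    return sorted(findings)


if __name__ == "__main__":
    fixed_now = datetime(2021, 7, 15, tzinfo=timezone.utc)
    print(SAMPLE_RESPONSE["Name"], audit_secret_metadata(SAMPLE_RESPONSE, now=fixed_now))
```

In practice, pass the dictionary returned by get_secret_details() instead of the sample; only metadata is inspected, so the secret value never reaches the audit output.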

Best Practices

  • Always handle ResourceNotFoundException for missing secrets

  • Use specific IAM permissions following the principle of least privilege

  • Consider using environment variables for region configuration

  • Implement proper logging for security auditing

Conclusion

Using boto3's describe_secret() method allows you to retrieve metadata about AWS Secrets Manager secrets. Always implement proper error handling and follow AWS security best practices when working with sensitive data.

Updated on: 2026-03-25T19:02:39+05:30
