Home Whiteboard Practice Code Graphing Calculator Online Compilers Articles Tools
Tutorials Courses Jobs

How to use Boto3 to get the secret keys saved as plain text from AWS Secret Manager

AWS Boto3 Python Server Side Programming Programming

AWS Secrets Manager is a service that helps you protect secrets needed to access your applications. Boto3 is the AWS SDK for Python that allows you to interact with AWS services, including retrieving secrets stored as plain text.

Prerequisites

Before retrieving secrets, ensure you have:

  • AWS credentials configured (via AWS CLI, IAM roles, or environment variables)

  • Proper IAM permissions to access Secrets Manager

  • Boto3 library installed: pip install boto3

Step-by-Step Approach

  1. Step 1: Import boto3 and botocore exceptions to handle errors

  2. Step 2: Define the secret name or ARN where your secrets are stored

  3. Step 3: Create a boto3 session with the appropriate region

  4. Step 4: Create a Secrets Manager client

  5. Step 5: Call get_secret_value() with the secret identifier

  6. Step 6: Extract the plain text secret from the response

  7. Step 7: Handle exceptions appropriately

Complete Example

Here's a complete example to retrieve secrets from AWS Secrets Manager ?

import boto3
import json
from botocore.exceptions import ClientError

def get_secret_details(secret_name, region_name='us-east-1'):
    """
    Retrieve secret from AWS Secrets Manager
    
    Args:
        secret_name (str): Name or ARN of the secret
        region_name (str): AWS region where secret is stored
    
    Returns:
        dict: The secret value as a dictionary
    """
    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )
    
    try:
        response = client.get_secret_value(SecretId=secret_name)
        
        # Parse the secret string (usually JSON)
        secret = json.loads(response['SecretString'])
        return secret
        
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'DecryptionFailureException':
            raise Exception("Secrets Manager can't decrypt the protected secret text")
        elif error_code == 'InternalServiceErrorException':
            raise Exception("An error occurred on the server side")
        elif error_code == 'InvalidParameterException':
            raise Exception("Invalid parameter provided")
        elif error_code == 'InvalidRequestException':
            raise Exception("Invalid request parameter")
        elif error_code == 'ResourceNotFoundException':
            raise Exception("The secret was not found")
        else:
            raise Exception(f"boto3 client error: {str(e)}")
    
    except Exception as e:
        raise Exception(f"Unexpected error in get_secret_details: {str(e)}")

# Example usage
try:
    secret_data = get_secret_details('my-database-secret')
    
    # Access individual secret values
    database_username = secret_data.get('username')
    database_password = secret_data.get('password')
    
    print(f"Username: {database_username}")
    print("Password: [REDACTED]")  # Never print actual passwords
    
except Exception as e:
    print(f"Error retrieving secret: {e}")

Handling Different Secret Types

AWS Secrets Manager can store different types of secrets ?

import boto3
import json
from botocore.exceptions import ClientError

def get_secret_value(secret_name, region_name='us-east-1'):
    client = boto3.client('secretsmanager', region_name=region_name)
    
    try:
        response = client.get_secret_value(SecretId=secret_name)
        
        # Check if secret is stored as SecretString or SecretBinary
        if 'SecretString' in response:
            secret = response['SecretString']
            
            # Try to parse as JSON
            try:
                return json.loads(secret)
            except json.JSONDecodeError:
                # Return as plain string if not JSON
                return secret
                
        else:
            # Handle binary secrets
            return response['SecretBinary']
            
    except ClientError as e:
        print(f"Error retrieving secret: {e}")
        return None

# Example: Get database credentials
db_secret = get_secret_value('prod/database/credentials')
if db_secret:
    print(f"Host: {db_secret.get('host')}")
    print(f"Username: {db_secret.get('username')}")

Best Practices

  • Security: Never log or print actual secret values in production

  • Error Handling: Handle specific AWS exceptions for better debugging

  • Caching: Consider caching secrets to reduce API calls

  • IAM Permissions: Follow principle of least privilege for secret access

  • Region: Specify the correct region where your secrets are stored

Common Error Scenarios

Error Cause Solution
ResourceNotFoundException Secret doesn't exist Verify secret name and region
AccessDeniedException Insufficient permissions Check IAM policies
DecryptionFailureException KMS key access issue Verify KMS permissions

Conclusion

Using Boto3 to retrieve secrets from AWS Secrets Manager provides a secure way to manage sensitive information. Always handle exceptions properly and follow security best practices when working with secrets in your applications.

Updated on: 2026-03-25T19:00:47+05:30

1K+ Views

Kickstart Your Career

Get certified by completing the course

Get Started
Advertisements