»Amazon Secrets Manager Data Source

The Secrets Manager data source provides information about a Secrets Manager secret version, including its secret value.

Basic examples of usage:

data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"
  version_stage = "example"

# usage example of the data source output
locals {
  value         =
  secret_string =
  version_id    =
  secret_value  = jsondecode(["packer_test_key"]

Reading key-value pairs from JSON back into a native Packer map can be accomplished with the jsondecode() function.

»Configuration Reference


  • name (string) - Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.


  • key (string) - Optional key for JSON secrets that contain more than one value. When set, the value output will contain the value for the provided key.

  • version_id (string) - Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides version_stage.

  • version_stage (string) - Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.

»Output Data

  • value (string) - When a key is provided, this will be the value for that key. If a key is not provided, value will contain the first value found in the secret string.

  • secret_string (string) - The decrypted part of the protected secret information that was originally provided as a string.

  • secret_binary (string) - The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.

  • version_id (string) - The unique identifier of this version of the secret.


The Amazon Data Sources authentication works just like for the Amazon Builders. Both have the same authentication options, and you can refer to the Amazon Builders authentication to learn the options to authenticate for data sources.

Basic example of an Amazon data source authentication using assume_role:

data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"

  assume_role {
      role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
      session_name = "SESSION_NAME"
      external_id  = "EXTERNAL_ID"