aws_secretsmanager_key Function

Secrets can be read from the AWS Secrets Manager and used within your template as locals.

aws_secretsmanager(name, key)

When key is not set (null or an empty string, ""), aws_secretsmanager returns the value of the first key stored in the secret called name.

You can either use this function in a locals block or directly inline where you want to use the value.

locals {
  secret = aws_secretsmanager("my_secret", null)
}

source "null" "first-example" {
  communicator = "none"
}

build {
  name = "my-build-name"
  sources = ["null.first-example"]

  provisioner "shell-local" {
    environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
    inline = ["echo my_secret is '${local.secret}'",
              "echo my_secret using an inline call is '${aws_secretsmanager("my_secret", null)}'."]
  }
}

This loads the secret stored behind my_secret from AWS Secrets Manager.

Single-key secrets and plaintext secrets are retrieved by passing null or an empty string ("") as the key.

For secrets that have multiple keys, set key to the specific key you want to fetch. For example, given the following secret with two keys, setting key to "shell" makes aws_secretsmanager return only that key's value.

{
    "test": "kitchen",
    "shell": "powershell"
}

locals {
  secret = aws_secretsmanager("multikey/secret", "shell")
}

source "null" "first-example" {
  communicator = "none"
}

build {
  name = "my-build-name"
  sources = ["null.first-example"]

  provisioner "shell-local" {
    environment_vars = ["TESTVAR=${build.PackerRunUUID}"]
    inline = ["echo my_secret is '${local.secret}'"]
  }
}

This will load the value "powershell" stored in the key "shell" behind multikey/secret.
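The lookup rules described above (plaintext secrets and single-key secrets with a null or empty key, a named key for multi-key secrets, and "first key" when no key is given) are easy to misjudge when a multi-key secret is read without a key. The following Python model, added here as an illustration and not Packer's own implementation, applies those documented rules to a secret's SecretString so you can check which value a template would receive before it is echoed into build output. The helper name resolve_secret, the behaviour for a key requested on a plaintext secret (an error), and the sample secret values are assumptions of this example; "first key" is modelled as the first key in the stored JSON document's order.

```python
import json
from typing import Optional

# Constructed sample SecretString values, not real secrets.
PLAINTEXT_SECRET = "s3cr3t-plaintext"
SINGLE_KEY_SECRET = '{"password": "hunter2"}'
MULTI_KEY_SECRET = '{"test": "kitchen", "shell": "powershell"}'


def resolve_secret(secret_string: str, key: Optional[str]) -> str:
    """Model of the documented aws_secretsmanager(name, key) selection rules.

    - plaintext secret (SecretString is not a JSON object): returned as-is
      when key is null/empty; asking for a key on plaintext is an error here
      (assumption of this model, the page does not define that case).
    - JSON object secret with key null/empty: value of the first key in the
      stored document order (json.loads preserves that order).
    - JSON object secret with key set: value of exactly that key.
    """
    try:
        parsed = json.loads(secret_string)
    except json.JSONDecodeError:
        parsed = None

    if not isinstance(parsed, dict) or not parsed:
        # Plaintext (or non-object JSON) secret.
        if key:
            raise KeyError(f"secret is plaintext; key {key!r} cannot be selected")
        return secret_string

    if not key:
        # "First secret key": the first key of the stored JSON object.
        first_key = next(iter(parsed))
        value = parsed[first_key]
    else:
        if key not in parsed:
            raise KeyError(f"key {key!r} not found in secret")
        value = parsed[key]

    if not isinstance(value, str):
        # Packer passes template values around as strings; this model only
        # accepts string values (assumption).
        raise TypeError(f"value for key is not a string: {type(value).__name__}")
    return value


def would_print(value: str) -> str:
    """What the page's shell-local provisioner line would write to build output."""
    return f"my_secret is '{value}'"


if __name__ == "__main__":
    print(resolve_secret(PLAINTEXT_SECRET, ""))          # s3cr3t-plaintext
    print(resolve_secret(SINGLE_KEY_SECRET, None))       # hunter2
    print(resolve_secret(MULTI_KEY_SECRET, "shell"))     # powershell
    print(resolve_secret(MULTI_KEY_SECRET, None))        # kitchen (first key)
    print(would_print(resolve_secret(MULTI_KEY_SECRET, "shell")))
```

Note that resolve_secret(MULTI_KEY_SECRET, None) returns "kitchen", the first key's value, not the whole object, so omitting key on a multi-key secret silently selects one entry. Whatever is selected is interpolated as plain text into the provisioner command, so an echo like the one in the example above writes the secret value into the Packer build log.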

In order to use this function you have to configure valid AWS credentials using one of the following methods: