Type '/' to Search
Official
HCP Packer Ready
v1.1.0

Amazon Secrets Manager Data Source

The Secrets Manager data source provides information about a Secrets Manager secret version, including its secret value.

-> Note: Data sources is a feature exclusively available to HCL2 templates.

Basic examples of usage:

data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"
  version_stage = "example"
}

# usage example of the data source output
locals {
  value         = data.amazon-secretsmanager.basic-example.value
  secret_string = data.amazon-secretsmanager.basic-example.secret_string
  version_id    = data.amazon-secretsmanager.basic-example.version_id
  secret_value  = jsondecode(data.amazon-secretsmanager.basic-example.secret_string)["packer_test_key"]
}
data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"
  version_stage = "example"
}
 
# usage example of the data source output
locals {
  value         = data.amazon-secretsmanager.basic-example.value
  secret_string = data.amazon-secretsmanager.basic-example.secret_string
  version_id    = data.amazon-secretsmanager.basic-example.version_id
  secret_value  = jsondecode(data.amazon-secretsmanager.basic-example.secret_string)["packer_test_key"]
}

Reading key-value pairs from JSON back into a native Packer map can be accomplished with the jsondecode() function.

Configuration Reference

Required

  • name (string) - Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

Optional

  • key (string) - Optional key for JSON secrets that contain more than one value. When set, the value output will contain the value for the provided key.

  • version_id (string) - Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides version_stage.

  • version_stage (string) - Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.

Output Data

  • value (string) - When a key is provided, this will be the value for that key. If a key is not provided, value will contain the first value found in the secret string.

  • secret_string (string) - The decrypted part of the protected secret information that was originally provided as a string.

  • secret_binary (string) - The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.

  • version_id (string) - The unique identifier of this version of the secret.

Authentication

The Amazon Data Sources authentication works just like for the Amazon Builders. Both have the same authentication options, and you can refer to the Amazon Builders authentication to learn the options to authenticate for data sources.

-> Note: A data source will start and execute in your own authentication session. The authentication in the data source doesn't relate with the authentication on Amazon Builders.

Basic example of an Amazon data source authentication using assume_role:

data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"

  assume_role {
      role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
      session_name = "SESSION_NAME"
      external_id  = "EXTERNAL_ID"
  }
}
data "amazon-secretsmanager" "basic-example" {
  name = "packer_test_secret"
  key  = "packer_test_key"
 
  assume_role {
      role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
      session_name = "SESSION_NAME"
      external_id  = "EXTERNAL_ID"
  }
}