aws secretsmanager get-secret-value: Usage & CI Errors
Read a secret from AWS Secrets Manager - including JSON key/value secrets.
aws secretsmanager get-secret-value retrieves the value of a secret. Many secrets store JSON, so you typically pull the SecretString and parse out one key with jq in CI.
What it does
The command returns the secret’s SecretString (or SecretBinary), along with its ARN and version. For a single value, query SecretString directly; for a JSON secret (e.g. {"username":"...","password":"..."}), pipe SecretString through jq to extract one field.
Common usage
# Read a plain string secret
aws secretsmanager get-secret-value --secret-id my-token \
--query SecretString --output text
# Parse one key out of a JSON secret
aws secretsmanager get-secret-value --secret-id prod/db \
--query SecretString --output text | jq -r '.password'Common error in CI: AccessDeniedException / parsing the whole JSON as the value
You see "AccessDeniedException ... not authorized to perform: secretsmanager:GetSecretValue" when the role lacks access, or a downstream tool breaks because it received the entire {"key":"val"} JSON instead of one field. Fix: grant secretsmanager:GetSecretValue on the secret ARN (and kms:Decrypt if it uses a customer-managed key); always jq -r .field JSON secrets rather than passing SecretString raw. For an unexpected "ResourceNotFoundException", confirm the --secret-id name/ARN and region.
Key options
| Option | Purpose |
|---|---|
| --secret-id | Secret name or ARN |
| --query SecretString | Extract the secret payload |
| --version-stage | AWSCURRENT (default) or AWSPREVIOUS |
| | jq -r .key | Pull one field from a JSON secret |