Skip to content
Latchkey

aws secretsmanager get-secret-value: Usage & CI Errors

Read a secret from AWS Secrets Manager - including JSON key/value secrets.

aws secretsmanager get-secret-value retrieves the value of a secret. Many secrets store JSON, so you typically pull the SecretString and parse out one key with jq in CI.

What it does

The command returns the secret’s SecretString (or SecretBinary), along with its ARN and version. For a single value, query SecretString directly; for a JSON secret (e.g. {"username":"...","password":"..."}), pipe SecretString through jq to extract one field.

Common usage

Terminal
# Read a plain string secret
aws secretsmanager get-secret-value --secret-id my-token \
  --query SecretString --output text

# Parse one key out of a JSON secret
aws secretsmanager get-secret-value --secret-id prod/db \
  --query SecretString --output text | jq -r '.password'

Common error in CI: AccessDeniedException / parsing the whole JSON as the value

You see "AccessDeniedException ... not authorized to perform: secretsmanager:GetSecretValue" when the role lacks access, or a downstream tool breaks because it received the entire {"key":"val"} JSON instead of one field. Fix: grant secretsmanager:GetSecretValue on the secret ARN (and kms:Decrypt if it uses a customer-managed key); always jq -r .field JSON secrets rather than passing SecretString raw. For an unexpected "ResourceNotFoundException", confirm the --secret-id name/ARN and region.

Key options

OptionPurpose
--secret-idSecret name or ARN
--query SecretStringExtract the secret payload
--version-stageAWSCURRENT (default) or AWSPREVIOUS
| jq -r .keyPull one field from a JSON secret

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →