{"id":19373579,"url":"https://github.com/aws-actions/aws-secretsmanager-get-secrets","last_synced_at":"2026-04-02T11:28:01.345Z","repository":{"id":60577141,"uuid":"541792993","full_name":"aws-actions/aws-secretsmanager-get-secrets","owner":"aws-actions","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-05T05:02:10.000Z","size":5236,"stargazers_count":163,"open_issues_count":15,"forks_count":44,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-05-07T19:11:35.497Z","etag":null,"topics":["aws","aws-secrets-manager","github-actions","secret","secret-management"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit-0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aws-actions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-09-26T21:35:00.000Z","updated_at":"2025-05-06T13:18:14.000Z","dependencies_parsed_at":"2024-03-12T16:52:49.409Z","dependency_job_id":"34680d6b-f740-4773-aba4-847bd0076dad","html_url":"https://github.com/aws-actions/aws-secretsmanager-get-secrets","commit_stats":{"total_commits":56,"total_committers":11,"mean_commits":5.090909090909091,"dds":0.6071428571428572,"last_synced_commit":"81a3105f17e322bb180492f7944162a9825c9574"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Faws-secretsmanager-get-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Faws-secre
tsmanager-get-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Faws-secretsmanager-get-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Faws-secretsmanager-get-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aws-actions","download_url":"https://codeload.github.com/aws-actions/aws-secretsmanager-get-secrets/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254509476,"owners_count":22082891,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-secrets-manager","github-actions","secret","secret-management"],"created_at":"2024-11-10T08:29:54.938Z","updated_at":"2026-04-02T11:28:01.339Z","avatar_url":"https://github.com/aws-actions.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Use AWS Secrets Manager secrets in GitHub jobs\n\nTo use a secret in a GitHub job, you can use a GitHub action to retrieve secrets from AWS Secrets Manager and add them as masked [Environment variables](https://docs.github.com/en/actions/learn-github-actions/environment-variables) in your GitHub workflow. For more information about GitHub Actions, see [Understanding GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions) in the *GitHub Docs*.\n\nWhen you add a secret to your GitHub environment, it is available to all other steps in your GitHub job. 
Follow the guidance in [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to help prevent secrets in your environment from being misused.\n\nYou can set the entire string in the secret value as the environment variable value, or if the string is JSON, you can parse the JSON to set individual environment variables for each JSON key-value pair. If the secret value is a binary, the action converts it to a string.\n\nTo view the environment variables created from your secrets, turn on debug logging. For more information, see [Enabling debug logging](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging) in the *GitHub Docs*.\n\nTo use the environment variables created from your secrets, see [Environment variables](https://docs.github.com/en/actions/learn-github-actions/environment-variables) in the *GitHub Docs*.\n\n### Prerequisites\n\nTo use this action, you first need to configure AWS credentials and set the AWS Region in your GitHub environment by using the `configure-aws-credentials` step. Follow the instructions in [Configure AWS Credentials Action For GitHub Actions](https://github.com/aws-actions/configure-aws-credentials) to **Assume role directly using GitHub OIDC provider**. 
This allows you to use short-lived credentials and avoid storing additional access keys outside of Secrets Manager.\n\nThe IAM role the action assumes must have the following permissions:\n+ `GetSecretValue` on the secrets you want to retrieve.\n+ `ListSecrets` on all secrets.\n+ \\(Optional\\) `Decrypt` on the KMS key if the secrets are encrypted with a customer managed key.\n\nFor more information, see [Authentication and access control for AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).\n\n### Usage\n\nTo use the action, add a step to your workflow that uses the following syntax.\n\n```\n- name: Step name\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: |\n      secretId1\n      ENV_VAR_NAME, secretId2\n    name-transformation: (Optional) uppercase|lowercase|none\n    parse-json-secrets: (Optional) true|false\n    auto-select-family-attempt-timeout: (Optional) positive integer\n```\nParameters\n\n- `secret-ids` Secret ARNs, names, and name prefixes. \n\nBy default, the step creates each environment variable name from the secret name, transformed to include only uppercase letters, numbers, and underscores, and so that it doesn't begin with a number.   \n\nTo set the environment variable name, enter it before the secret ID, followed by a comma. For example `ENV_VAR_1, secretId` creates an environment variable named **ENV\\_VAR\\_1** from the secret `secretId`. \n\nThe environment variable name can consist of uppercase letters, numbers, and underscores. \n\nTo use a prefix, enter at least three characters followed by an asterisk. For example `dev*` matches all secrets with a name beginning in **dev**. The maximum number of matching secrets that can be retrieved is 100. 
If you set the variable name, and the prefix matches multiple secrets, then the action fails.\n\n- `name-transformation`\n\nBy default, the step creates each environment variable name from the secret name, transformed to include only uppercase letters, numbers, and underscores, and so that it doesn't begin with a number. For the letters in the name, you can configure the step to use lowercase letters with `lowercase` or to not change the case of the letters with `none`. The default value is `uppercase`.\n\n- `parse-json-secrets`\n\n(Optional - default false) By default, the action sets the environment variable value to the entire JSON string in the secret value. \n\nSet `parse-json-secrets` to `true` to create environment variables for each key/value pair in the JSON.\n\nNote that if the JSON uses case-sensitive keys such as \"name\" and \"Name\", the action will have duplicate name conflicts. In this case, set `parse-json-secrets` to `false` and parse the JSON secret value separately. \n\n- `auto-select-family-attempt-timeout`\n\n(Optional - default 1000) Specifies the timeout (in milliseconds) for attempting to connect to the first IP address in a dual-stack DNS lookup. This setting is crucial especially when GitHub Action workers are geographically distant from the target region where the secrets are stored. The timeout must be greater than or equal to 10 ms.\n\nSet `auto-select-family-attempt-timeout` to any positive integer that is greater than or equal to 10 ms to set the timeout between each call to that value in milliseconds. \n### Environment variable naming\n\nThe environment variables created by the action are named the same as the secrets they come from. Environment variables have stricter naming requirements than secrets, so the action transforms secret names to meet those requirements. For example, the action transforms lowercase letters to uppercase letters. 
If you parse the JSON of the secret, then the environment variable name includes both the secret name and the JSON key name, for example `MYSECRET_KEYNAME`.\n\nIf two environment variables would end up with the same name, the action fails. In this case, you must specify the names you want to use for the environment variables as *aliases*.\n\nExamples of when the names might conflict:\n+ A secret named \"MySecret\" and a secret named \"mysecret\" would both become environment variables named \"MYSECRET\".\n+ A secret named \"Secret_keyname\" and a JSON-parsed secret named \"Secret\" with a key named \"keyname\" would both become environment variables named \"SECRET_KEYNAME\".\n\nYou can set the environment variable name by specifying an *alias*, as shown in the following example which creates a variable named `ENV_VAR_NAME`.\n\n```\nsecret-ids: |\n  ENV_VAR_NAME, secretId2\n```\n\n**Blank aliases**\n+ If you set `parse-json-secrets: true` and enter a blank alias, followed by a comma and then the secret ID, the action names the environment variable the same as the parsed JSON keys. The variable names do not include the secret name. \n\n  If the secret doesn't contain valid JSON, then the action creates one environment variable and names it the same as the secret name.\n+ If you set `parse-json-secrets: false` and enter a blank alias, followed by a comma and the secret ID, the action names the environment variables as if you did not specify an alias.\n\nThe following example shows a blank alias.\n\n```\n,secret2\n```\n\n### Examples\n\n**Example 1 Get secrets by name and by ARN**  \nThe following example creates environment variables for secrets identified by name and by ARN.  
\n\n```\n- name: Get secrets by name and by ARN\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: |\n      exampleSecretName\n      arn:aws:secretsmanager:us-east-2:123456789012:secret:test1-a1b2c3\n      0/test/secret\n      /prod/example/secret\n      SECRET_ALIAS_1,test/secret\n      SECRET_ALIAS_2,arn:aws:secretsmanager:us-east-2:123456789012:secret:test2-a1b2c3\n      ,secret2\n```\nEnvironment variables created:  \n\n```\nEXAMPLESECRETNAME: secretValue1\nTEST1: secretValue2\n_0_TEST_SECRET: secretValue3\n_PROD_EXAMPLE_SECRET: secretValue4\nSECRET_ALIAS_1: secretValue5\nSECRET_ALIAS_2: secretValue6\nSECRET2: secretValue7\n```\n\n**Example 2 Get all secrets that begin with a prefix**  \nThe following example creates environment variables for all secrets with names that begin with *beta*.  \n\n```\n- name: Get Secret Names by Prefix\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: |\n      beta*    # Retrieves all secrets that start with 'beta'\n```\nEnvironment variables created:  \n\n```\nBETASECRETNAME: secretValue1\nBETATEST: secretValue2\nBETA_NEWSECRET: secretValue3\n```\n\n**Example 3 Parse JSON in secret**  \nThe following example creates environment variables by parsing the JSON in the secret.  \n\n```\n- name: Get Secrets by Name and by ARN\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: |\n      test/secret\n      ,secret2\n    parse-json-secrets: true\n```\nThe secret `test/secret` has the following secret value.  \n\n```\n{\n  \"api_user\": \"user\",\n  \"api_key\": \"key\",\n  \"config\": {\n    \"active\": \"true\"\n  }\n}\n```\nThe secret `secret2` has the following secret value.  
\n\n```\n{\n  \"myusername\": \"alejandro_rosalez\",\n  \"mypassword\": \"EXAMPLE_PASSWORD\"\n}\n```\nEnvironment variables created:  \n\n```\nTEST_SECRET_API_USER: \"user\"\nTEST_SECRET_API_KEY: \"key\"\nTEST_SECRET_CONFIG_ACTIVE: \"true\"\nMYUSERNAME: \"alejandro_rosalez\"\nMYPASSWORD: \"EXAMPLE_PASSWORD\"\n```\n\n**Example 4 Use lowercase letters for environment variable names**\nThe following example creates an environment variable with a lowercase name.\n\n```\n- name: Get secrets\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: exampleSecretName\n    name-transformation: lowercase\n```\n\nEnvironment variable created:\n\n```\nexamplesecretname: secretValue\n```\n\n**Example 5 Setting the timeout to 2 seconds**\nThe following example sets the timeout between each call to be 2 seconds\n\n```\n- name: Get secrets with custom timeout\n  uses: aws-actions/aws-secretsmanager-get-secrets@v2\n  with:\n    secret-ids: |\n      test/secret\n      prod/secret\n    auto-select-family-attempt-timeout: 2000  # Sets timeout to 2 seconds between calls\n```\n\nEnvironment variables created:\n\n```\nTEST_SECRET: secretValue1\nPROD_SECRET: secretValue2\n```\n\n## Security\n\nSee [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis library is licensed under the MIT-0 License. See the LICENSE file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-actions%2Faws-secretsmanager-get-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws-actions%2Faws-secretsmanager-get-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-actions%2Faws-secretsmanager-get-secrets/lists"}