npp-aws-sam-local-secrets-public

🔐 Fetch secrets from AWS Secrets Manager and generate a .json file — to use with AWS SAM for local development.


✅ Prerequisites

Before running the script, make sure you have:

  • AWS CLI installed and configured with the correct --profile.
  • jq installed. Install it via Homebrew:
    brew install jq

🚀 Usage

Run the script locally:

bash bin/fetch-secrets.sh <secrets.json> <output.json> [--region eu-central-1] [--profile tv2-cms-dev]

🔗 Run directly from GitHub

You can also run the script directly without cloning:

curl -sSL https://raw.githubusercontent.com/tv2/npp-aws-sam-local-secrets-public/main/bin/fetch-secrets.sh | bash -s -- <secrets.json> <output.json> [--region ...] [--profile ...]

Example:

# Fetch secrets and generate local.env.json from local.secrets.json
curl -sSL https://raw.githubusercontent.com/tv2/npp-aws-sam-local-secrets-public/main/bin/fetch-secrets.sh \
  | bash -s -- local.secrets.json local.env.json --region eu-central-1 --profile tv2-cms-dev

📂 Example secrets.json

See example.secrets.json for the expected format of the input file.

You can mix values fetched from AWS Secrets Manager with literal values that should be passed through unchanged:

{
  "MY_ENVIRONMENT_VAR": {
    "SecretArn": "arn:aws:secretsmanager:eu-central-1:1234567890:secret:my-secret",
    "Key": "password"
  },
  "MY_PARAMETERSTORE_VALUE": {
    "SecretArn": "/my/application/base-url"
  },
  "MY_NON_SECRET_ENVIRONMENT_VAR": {
    "Value": "my-non-secret-value"
  }
}

SecretArn is the preferred input key. SecretId is still accepted as a fallback for existing files.

Use Key only when the referenced AWS Secrets Manager secret contains a JSON object and you need a single field from it. For plain-string secrets and AWS Systems Manager Parameter Store values, omit Key and the fetched value will be used directly.
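As an added illustration (not the project's bin/fetch-secrets.sh, which is a bash/jq script), the resolution rules above written in Python, with the AWS calls replaced by injected lookup functions so it runs offline; the constructed input also includes a LEGACY_VAR entry that uses the SecretId fallback. Assumed, since the README does not state it: a reference starting with arn:aws:secretsmanager: is fetched from Secrets Manager and any other reference from Parameter Store, and the output uses SAM's top-level "Parameters" form.

```python
import json

# Constructed input modelled on the README's example.secrets.json (not the project's own file).
SECRETS_JSON = """{
  "MY_ENVIRONMENT_VAR": {
    "SecretArn": "arn:aws:secretsmanager:eu-central-1:1234567890:secret:my-secret",
    "Key": "password"
  },
  "MY_PARAMETERSTORE_VALUE": {"SecretArn": "/my/application/base-url"},
  "MY_NON_SECRET_ENVIRONMENT_VAR": {"Value": "my-non-secret-value"},
  "LEGACY_VAR": {"SecretId": "arn:aws:secretsmanager:eu-central-1:1234567890:secret:plain-secret"}
}"""

# Constructed fake backends standing in for the AWS CLI calls the real script makes.
ARN = "arn:aws:secretsmanager:eu-central-1:1234567890:secret:"
FAKE_SECRETS_MANAGER = {ARN + "my-secret": '{"username": "app", "password": "s3cr3t"}',
                        ARN + "plain-secret": "plain-string-secret"}
FAKE_PARAMETER_STORE = {"/my/application/base-url": "https://api.example.test"}


def resolve_entry(name, spec, get_secret, get_parameter):
    """Turn one secrets.json entry into its environment value."""
    if "Value" in spec:                      # literal, passed through unchanged
        return spec["Value"]
    ref = spec.get("SecretArn") or spec.get("SecretId")   # SecretId kept as fallback
    if ref is None:
        raise ValueError(f"{name}: entry needs SecretArn, SecretId or Value")
    # Assumption: a Secrets Manager ARN goes to Secrets Manager, anything else is a
    # Parameter Store name (the README does not say how the script decides).
    if ref.startswith("arn:aws:secretsmanager:"):
        raw = get_secret(ref)
    else:
        raw = get_parameter(ref)
    key = spec.get("Key")
    if key is None:                          # plain string or SSM value: use as-is
        return raw
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        raise ValueError(f"{name}: Key given but the secret is not JSON") from None
    if not isinstance(obj, dict) or key not in obj:
        raise ValueError(f"{name}: field {key!r} not present in secret")  # never echo raw
    return obj[key]


def build_env_vars(secrets_text, get_secret, get_parameter):
    """Assumed output shape: SAM's --env-vars file with a top-level Parameters block."""
    entries = json.loads(secrets_text)
    env = {n: resolve_entry(n, e, get_secret, get_parameter) for n, e in entries.items()}
    return {"Parameters": env}
```

Error messages name the variable and the missing field but never include the fetched value, so a failing run cannot leak a secret into CI logs.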

⚙️ Using with AWS SAM

To use the generated secrets with AWS SAM, pass the output file using --env-vars:

sam local start-api --env-vars local.env.json

🔒 Security tip

The generated secrets file (local.env.json) contains real secret values. Always add it to .gitignore so it’s never committed to Git! Example .gitignore:

# Local AWS secrets
local.env.json

✅ That’s it — happy secret fetching!
