28

I am attempting to use Secrets Manager a Lambda function in AWS. Secrets a manager is used to store database credentials to Snowflake (username, password).

I managed to set up a secret in Secrets Manager which contains several key/value pairs (e.g. one for username, another for password).

Now I am trying to refer to these values in my Python function code. AWS documentation kindly provides the following snippet:

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():

    secret_name = "MY/SECRET/NAME"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'DecryptionFailureException':
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InternalServiceErrorException':
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'ResourceNotFoundException':
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
    else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])

    # Your code goes here.

Later in my def lambda_handler(event, context) function, I have the following snippet to establish a connection to my database:

        conn = snowflake.connector.connect(
            user=USERNAME,
            password=PASSWORD,
            account=ACCOUNT,
            warehouse=WAREHOUSE,
            role=ROLE
            )

However, I am unable to figure out how to use the get_secret() function to return values for parameters like USERNAME or PASSWORD.

How can this be accomplished? Thank you for the help!

jeff
  • 361
  • 1
  • 5
  • 7

2 Answers2

27

update the last part of get_secret() to:

else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            secret = base64.b64decode(get_secret_value_response['SecretBinary'])

return json.loads(secret)  # returns the secret as dictionary

This will return a dictionary where you'll have the keys you specified in AWS Secret Manager console.

Ron Marcelino
  • 463
  • 3
  • 8
  • 2
    returning the secret as json helped me. +1, Thanks – Prashanth kumar Nov 11 '19 at 05:41
  • @Prashanthkumar Did you get dictionary just by adding the `return`? I am struggling to get my credentials. – django-unchained Apr 21 '20 at 14:05
  • 1
    @django-unchained, hope you got it covered already, but otherwise, I just enclosed the `base64.b64decode(get_secret_value_response['SecretBinary'])` inside `json.loads` when assinging it to variable "secret", after that I could access the credentials as `secret["username"]` `secret["password"]`, or whatever your variables are inside the secrets manager secret. – Prashanth kumar Apr 23 '20 at 17:14
  • can u provide your code ? im stuck in this situation for days – Denise Sep 23 '20 at 03:13
  • I am getting following error [ERROR] UnboundLocalError: local variable 'secret' referenced before assignment – Sarde Feb 01 '22 at 04:11
  • @Sarde Hello I am getting same error, do you manage to sort it out? thanks – gcj Nov 30 '22 at 11:07
15
  • Here is how i have used it using arn, following this bloc hope that helps you.
  • Worth checking what you have used to store and accordingly use one SecretString or SecretBinary
    secrets_client = boto3.client('secretsmanager')
    secret_arn = 'arn:aws:secretsmanager:eu-west-2:xxxxxxxxxxxx:secret:dashboard/auth_token'
    auth_token = secrets_client.get_secret_value(SecretId=secret_arn).get('SecretString')
  • boto3 docs
  • get_secret_value Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content.
  • Your lambda role should have the following permissions depending on what is used
    • secretsmanager:GetSecretValue
    • kms:Decrypt required only if you use a customer-managed AWS KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
amittn
  • 2,249
  • 1
  • 12
  • 19