How to change an AWS Secret with the Command Line

Change your secret in AWS in three simple steps with the command line. We explain it all in this article.


Let's say that, for whatever reason, you need to change a password stored in AWS Secrets Manager from the command line. In some cases you do not have console access on the account that has the rights to change the password, for security reasons.

Reading through the AWS documentation can sometimes be tedious. Here is a simple explanation of how to change an AWS Secret with the command line.

TL;DR

# Step 1
aws secretsmanager list-secrets
# Step 2
aws secretsmanager get-secret-value --secret-id <secret_arn_or_name> | jq
# Step 3
aws secretsmanager update-secret --secret-id <secret_arn_or_name> --secret-string '{"name_of_the_secret": "new_value"}'

Step 1 - List the Secrets

In order to update the secret you need to find its name or its ARN (the --secret-id parameter accepts either). You can easily find it by typing:

aws secretsmanager list-secrets

This command will output all the secrets that are available in your account and list, for each one, its:

  • ARN
  • Name
  • KmsKeyId
  • LastChangedDate
  • LastAccessedDate
  • SecretVersionsToStages
  • CreatedDate

{
  "SecretList": [
    {
      "ARN": "arn:aws:secretsmanager:eu-west-3:***:secret:***",
      "Name": "***",
      "KmsKeyId": "arn:aws:kms:eu-west-3:***:key/***",
      "LastChangedDate": "2020-08-06T12:27:03.372000+02:00",
      "LastAccessedDate": "2020-08-06T02:00:00+02:00",
      "SecretVersionsToStages": {
        "65239124-1688-4479-b29c-6112a4590163": [
          "AWSCURRENT"
        ]
      },
      "CreatedDate": "2020-05-05T19:21:32.160000+02:00"
    },

For the next step you need the ARN of the secret you want to change. You can use either the name or the ARN. The ARN just makes sure that you don't make a mistake, especially if your secret's name is close to another one.

Step 2 - Get the Password value

Now that you have the ARN, it is time to get its current value. This assumes that you do not have it on hand: secrets stored in AWS Secrets Manager are values that you do not keep a local copy of. You will want to fetch it especially if the secret holds multiple values, because the update in step 3 replaces the whole secret string, not just one key.

aws secretsmanager get-secret-value --secret-id <secret_arn_or_name> | jq

We pipe the result into jq in order to get it nicely formatted and easily readable. This command should output something like this:

{
  "ARN": "arn:aws:secretsmanager:eu-west-3:***:secret:***",
  "Name": "**",
  "VersionId": "849c556e-feed-484b-b253-fbc491c61618",
  "SecretString": "{\"name_of_the_secret\": \"secret_value\"}",
  "VersionStages": [
    "AWSCURRENT"
  ],
  "CreatedDate": "2020-10-13T17:46:08.731000+02:00"
}

We are interested in the SecretString field. Copy its value; note that it is a JSON document encoded as a string, so the inner quotes appear escaped in the output.

Step 3 - Update the Secret String

Now that we have the ARN or name of the secret we want to change and its SecretString, we just need to edit the SecretString and apply the new value.

This command should do what you need:

aws secretsmanager update-secret --secret-id <secret_arn_or_name> --secret-string '{"name_of_the_secret": "new_value"}'

Keep in mind that update-secret replaces the entire SecretString with what you pass, so if the secret contains several keys you must pass all of them, not only the one you changed. The command creates a new version that becomes AWSCURRENT; the previous version is kept as AWSPREVIOUS, which is what you would fall back to if you pushed a wrong value.

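The same three calls, automated with boto3 (the AWS SDK) so that only one key of a multi-key secret is changed and the others survive the update. This is an added example, not part of the original article; it assumes boto3 is installed and AWS credentials are configured, and the FakeSecretsManager class is a constructed stand-in so the logic can be exercised offline.

```python
import json


def merge_secret_string(current, key, new_value):
    """Return a new SecretString with one key replaced and all other keys kept.

    update-secret replaces the whole SecretString, so a multi-key secret must be
    read, modified and written back in full. Non-object values and unknown keys
    are refused rather than silently rewriting the secret into a new shape."""
    data = json.loads(current)
    if not isinstance(data, dict):
        raise ValueError("SecretString is not a JSON object; refusing to overwrite it")
    if key not in data:
        raise KeyError(f"key {key!r} is not in the secret; refusing to add a new key")
    data[key] = new_value
    return json.dumps(data)


def update_secret_key(secret_id, key, new_value, client=None):
    """Steps 2 and 3: fetch the AWSCURRENT value, change one key, write it back.
    Returns the VersionId of the new AWSCURRENT version. `client` is anything
    with get_secret_value/update_secret; a real boto3 client by default."""
    if client is None:
        import boto3  # assumption: boto3 is installed and AWS credentials are configured
        client = boto3.client("secretsmanager")
    current = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in current:  # binary secrets come back as SecretBinary
        raise ValueError("secret is binary, not a JSON string; not handled here")
    merged = merge_secret_string(current["SecretString"], key, new_value)
    resp = client.update_secret(SecretId=secret_id, SecretString=merged)
    return resp["VersionId"]


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secret_string):
        self.versions = [{"VersionId": "v1", "SecretString": secret_string}]
        self.calls = []

    def get_secret_value(self, SecretId):
        self.calls.append(("get", SecretId))
        return dict(self.versions[-1], Name=SecretId, VersionStages=["AWSCURRENT"])

    def update_secret(self, SecretId, SecretString):
        self.calls.append(("update", SecretId))
        new = {"VersionId": f"v{len(self.versions) + 1}", "SecretString": SecretString}
        self.versions.append(new)  # the previous version would become AWSPREVIOUS
        return {"Name": SecretId, "VersionId": new["VersionId"]}
```

Passing the new value through a function rather than on the command line also keeps it out of your shell history, which the one-line update-secret command above does not.
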
And here we are: with a few simple lines we managed to change the password without accessing the AWS console. This should be helpful for any user who wants to change a password automatically, or for an operator who does not have access to the AWS console in their current working environment.

I hope this has been useful. If you have any ideas on how to improve this, please feel free to share. And if you want to help others find answers to their questions, please feel free to join us here