Retrieving specific keys from AWS Secrets Manager
Context
When deploying backend projects using AWS App Runner, securely managing production environment variables can be challenging. App Runner allows you to specify environment variables from an AWS Secrets Manager secret using its ARN (Amazon Resource Name). However, the correct format for JSON secrets isn't widely documented.
The Solution: Secrets Manager ARN Format
After extensive research, here's the complete ARN format for AWS Secrets Manager:
arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:<json-key>:<version-stage>:<version-id>
Notes
- You can omit the version stage and version ID.
- Omitting these will always retrieve the AWSCURRENT version.
Example Usage
Consider a secret with the following JSON structure:
{
  "username": "foo",
  "password": "bar"
}
To retrieve only the password value, use this ARN format:
arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:password::
This approach allows you to securely access specific keys within your JSON secrets when using AWS App Runner or other AWS services that support Secrets Manager integration.
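A malformed reference is easier to catch before deployment than at service start. The Python below is an added example, not part of the original post and not AWS code: it splits a reference in the format above into the plain secret ARN and its selector fields, applies the AWSCURRENT default, and shows which value a given secret string would yield. The function names are hypothetical, the region, account ID and secret name are constructed, and it assumes both trailing colons must be kept when a JSON key is given, as in the example above.

```python
import json
from typing import NamedTuple, Optional


class SecretRef(NamedTuple):
    secret_arn: str               # plain ARN of the secret itself
    json_key: Optional[str]       # None means "the whole secret string"
    version_stage: Optional[str]
    version_id: Optional[str]


def parse_secret_ref(ref: str) -> SecretRef:
    """Split a reference into the secret ARN and the optional selector fields."""
    parts = ref.split(":")
    if (len(parts) < 7 or parts[0] != "arn" or parts[2] != "secretsmanager"
            or parts[5] != "secret" or not all(parts[3:5]) or not parts[6]):
        raise ValueError(f"not a Secrets Manager secret ARN: {ref!r}")
    arn = ":".join(parts[:7])
    if len(parts) == 7:           # plain ARN, no key selector
        return SecretRef(arn, None, "AWSCURRENT", None)
    if len(parts) != 10:
        # Assumption: both trailing colons are kept even when the fields are
        # empty, as in the page's "...:password::" example.
        raise ValueError("expected <json-key>:<version-stage>:<version-id> "
                         f"after the secret name: {ref!r}")
    key, stage, version_id = (p or None for p in parts[7:])
    if stage is None and version_id is None:
        stage = "AWSCURRENT"      # default described in the Notes above
    return SecretRef(arn, key, stage, version_id)


def select_value(secret_string: str, ref: SecretRef) -> str:
    """Return what the reference resolves to for a given secret string."""
    if ref.json_key is None:
        return secret_string
    data = json.loads(secret_string)
    if not isinstance(data, dict) or ref.json_key not in data:
        raise KeyError(f"key {ref.json_key!r} not present in secret JSON")
    return data[ref.json_key]


# Constructed sample values (region, account id and secret name are made up).
SAMPLE_REF = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/db:password::"
SAMPLE_SECRET = '{"username": "foo", "password": "bar"}'

if __name__ == "__main__":
    ref = parse_secret_ref(SAMPLE_REF)
    print(ref.secret_arn, ref.json_key, ref.version_stage)
    print(select_value(SAMPLE_SECRET, ref))
```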