AWS Secrets Vault

Use AWS Secrets Manager secrets as vaults for multiple secrets.

Published Mar 10, 2025
AWS Secrets Manager is a great service for keeping sensitive keys and credentials secure. Secrets integrate easily with other services and resources in an AWS account and are encrypted with Key Management Service (KMS) keys. Users can store a secret as a plain string, a key-value pair object, or binary data. The key-value form allows an interesting way to keep multiple secrets in a single Secrets Manager resource, reducing both the number of secret resources to manage and the number of API calls applications have to make.
The aws_secrets_vault Python3 module is one way to manage secrets in this fashion, along with the corresponding KMS keys. It wraps several AWS Boto3 calls to make the process easier, and uses the aws_authenticator module to authenticate to AWS accounts with named profiles, IAM access key credentials, or Single Sign-On (SSO).
The module can be installed using the pip command.
Once installed, it provides several functions to manage secrets and encryption keys, namely:
  • get_caller_identity
  • list_kms_keys
  • create_kms_key
  • delete_kms_key
  • create_secrets_vault
  • list_secrets_vaults
  • check_secrets_vault
  • get_secrets_vault
  • update_secrets_vault
  • delete_secrets_vault
  • create_secrets_dictionary
  • create_secrets_vault_arn
Basically, you can view secrets in existing vaults, create new ones, use existing keys to encrypt and decrypt secrets, or create new keys. For instance, to use the module to view secrets, you will first need to set your account access credentials. In this example, we are using IAM access key credentials in our environment variables.
Then, you can use the following code in Python3.
This will give you output similar to the following, depending on the contents of your vault.
For a more comprehensive demo, you can use the interactive script in the module's main function, which also uses access key credentials for default authentication.
If you choose to view a vault, it will show you the contents in the following format.
To use a secret value in an application such as a Lambda function or a script running in an EC2 instance, you can call the value directly without listing the entire vault contents. Modifying from above:
The resulting Python dictionary, secrets, can be reused in multiple places and passed on to other parts of the application and to other APIs. As a consequence, you don't need to make extra calls to Secrets Manager, which also reduces costs. Storing secrets as key-value pair objects helps here as well, since you are using only one secret resource for multiple secrets instead of several.
The procedure outlined here is just one of several ways to manage and use sensitive data in AWS applications with AWS Secrets Manager. However you choose to do it, having a centralized vault for your applications and a way to simplify its usage helps reduce the risk of unwanted secrets exposure. Limiting access to the secrets vault and to its encryption / decryption key to only the applications that need them helps even further.
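As an added example (not the aws_secrets_vault module's own code, whose function signatures the post does not show), the following Python3 script illustrates the pattern described above and in the earlier viewing example: one Secrets Manager secret holding a JSON key-value object acts as a vault, it is fetched once, and individual values are then read from the cached dictionary rather than by listing the vault on every use. The FakeSecretsManagerClient class, the secret names, the ARN and the secret values are constructed stand-ins that mirror the shape of boto3's get_secret_value response so that the script runs offline; for real use, replace the fake client with boto3.client("secretsmanager").

```python
"""Added example: one Secrets Manager secret used as a vault for several secrets.

Not the aws_secrets_vault module's code. The client below is a constructed
stand-in with the same response shape as boto3's
SecretsManager.get_secret_value, so the script runs offline.
"""
import json


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3's Secrets Manager client (assumption:
    only get_secret_value is needed). It counts calls so the caching
    behaviour of SecretsVault can be observed."""

    def __init__(self, responses):
        self._responses = responses  # SecretId -> response dict
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._responses:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return dict(self._responses[SecretId])


def parse_secret_value(response):
    """Turn a get_secret_value response into Python data.

    Secrets Manager returns either SecretString (a plain string or a JSON
    key-value object) or SecretBinary (bytes; boto3 base64-decodes blob
    fields for you). A JSON object becomes a dict; anything else is
    returned unchanged.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return raw
        return parsed if isinstance(parsed, dict) else raw
    if "SecretBinary" in response:
        return response["SecretBinary"]
    raise ValueError("response contains neither SecretString nor SecretBinary")


class SecretsVault:
    """A key-value secret fetched once and reused.

    Several get() calls cost a single Secrets Manager API call; refresh()
    drops the cached copy after a rotation or update.
    """

    def __init__(self, client, secret_id):
        self._client = client
        self._secret_id = secret_id
        self._cache = None

    def load(self):
        if self._cache is None:
            response = self._client.get_secret_value(SecretId=self._secret_id)
            value = parse_secret_value(response)
            if not isinstance(value, dict):
                raise TypeError(f"{self._secret_id} does not hold a key-value vault")
            self._cache = value
        return dict(self._cache)  # copy, so callers cannot mutate the cache

    def get(self, key):
        self.load()
        return self._cache[key]

    def refresh(self):
        self._cache = None


# Constructed sample responses in the shape boto3 returns; the ARN and
# values are placeholders, not real identifiers.
SAMPLE_RESPONSES = {
    "app/prod/vault": {
        "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/prod/vault-EXAMPLE",
        "Name": "app/prod/vault",
        "SecretString": json.dumps({
            "db_password": "constructed-db-password",
            "api_key": "constructed-api-key",
            "smtp_user": "mailer",
        }),
    },
    "app/prod/plain": {"Name": "app/prod/plain", "SecretString": "just-a-token"},
    "app/prod/blob": {"Name": "app/prod/blob", "SecretBinary": b"\x00\x01binary"},
}


def demo():
    """Read three values from the vault; returns (values, api_calls_made)."""
    client = FakeSecretsManagerClient(SAMPLE_RESPONSES)
    vault = SecretsVault(client, "app/prod/vault")
    values = (vault.get("db_password"), vault.get("api_key"), vault.get("smtp_user"))
    return values, client.calls


if __name__ == "__main__":
    values, calls = demo()
    print("secrets:", values)
    print("Secrets Manager calls:", calls)
```

Running the script shows the three values being served by one Secrets Manager call. The refresh() method is the hook to use after update_secrets_vault or a credential rotation: a long-lived process that caches the dictionary indefinitely would otherwise keep using stale credentials, so tie cache lifetime to your rotation schedule.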