.env file, then upload that file to Enkryptify with ek import.
AWS Secrets Manager has no separate environment concept. Each secret is one bundle of values, so you pick the environment by choosing the matching secret, for example my-app/production.
Prerequisites
- The Enkryptify CLI installed and signed in with ek login
- The AWS CLI v2 installed with brew install awscli (check with aws --version)
- jq installed for JSON secrets with brew install jq
- An IAM principal with secretsmanager:GetSecretValue (and kms:Decrypt for secrets encrypted with a customer-managed key)
Authenticate the AWS CLI
json output. Confirm it works:
The region must match where the secret lives. A wrong region returns ResourceNotFoundException even when the secret exists elsewhere.
Export the secret into a .env file
For a secret stored as a JSON object of key/value pairs, convert it with jq:
If a value can contain newlines, wrap each value in quotes:
If the secret is plaintext rather than JSON, skip jq and write it straight to the file:
Notes
- jq is required for JSON secrets and is not bundled with the AWS CLI. Running the JSON pipeline on a plaintext secret fails with Cannot iterate over string.
- Add --region <region> or --profile <profile> to any command when they are not set in your config.
- The exported file holds plaintext values, so keep it out of git and delete it after importing.
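The export step above, done in Python instead of jq, as an added example that is not Enkryptify's or AWS's own code. It handles both JSON and plaintext secrets and creates the file readable only by its owner. Assumptions: the AWS CLI is already authenticated, ek import accepts double-quoted values with \n escapes, and SECRET is a hypothetical key name for a plaintext secret.

```python
import json
import os
import subprocess
import sys


def fetch_secret_string(secret_id, region=None):
    """Read SecretString through the AWS CLI (needs secretsmanager:GetSecretValue)."""
    cmd = ["aws", "secretsmanager", "get-secret-value", "--secret-id", secret_id,
           "--query", "SecretString", "--output", "text"]
    if region:
        cmd += ["--region", region]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.rstrip("\n")


def quote(value):
    """Double-quote a value, escaping backslash, quote and newline characters."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{escaped}"'


def to_env_lines(secret_string, plaintext_key="SECRET"):
    """Return KEY="value" lines; plaintext_key is an assumed name for non-JSON secrets."""
    try:
        parsed = json.loads(secret_string)
    except json.JSONDecodeError:
        parsed = None
    if not isinstance(parsed, dict):
        # Plaintext or non-object JSON: stored as one value instead of iterated.
        return [f"{plaintext_key}={quote(secret_string)}"]
    return [f"{k}={quote(v if isinstance(v, str) else json.dumps(v))}" for k, v in parsed.items()]


def write_env(path, lines):
    """Write the lines to path and force mode 0600, since the values are plaintext."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    secret = fetch_secret_string(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    write_env(".env", to_env_lines(secret))
```

Run it with the secret name and, optionally, the region as arguments, then import the resulting .env and delete it.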