> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Import from AWS Secrets Manager

> Export an AWS Secrets Manager secret into a .env file then upload it with the Enkryptify CLI.

Use the AWS CLI to export a secret into a `.env` file, then upload that file to Enkryptify with `ek import`.

AWS Secrets Manager has no separate environment concept. Each secret is one bundle of values, so you pick the environment by choosing the matching secret, for example `my-app/production`.

## Prerequisites

* The [Enkryptify CLI](/cli/install) installed and signed in with `ek login`
* The AWS CLI v2 installed with `brew install awscli` (check with `aws --version`)
* `jq` installed for JSON secrets with `brew install jq`
* An IAM principal with `secretsmanager:GetSecretValue` (and `kms:Decrypt` for secrets encrypted with a customer-managed key)

<Steps>
  <Step title="Authenticate the AWS CLI">
    ```bash theme={"dark"}
    aws configure
    ```

    Enter your access key, secret key, default region and `json` output. Confirm it works:

    ```bash theme={"dark"}
    aws sts get-caller-identity
    ```

    <Note>
      The region must match where the secret lives. A wrong region returns `ResourceNotFoundException` even when the secret exists elsewhere.
    </Note>
  </Step>

  <Step title="Find your secret">
    ```bash theme={"dark"}
    aws secretsmanager list-secrets --query "SecretList[].Name" --output text
    ```
  </Step>

  <Step title="Export the secret into a .env file">
    For a secret stored as a JSON object of key/value pairs, convert it with `jq`:

    ```bash theme={"dark"}
    aws secretsmanager get-secret-value --secret-id <secret-id> --query SecretString --output text \
      | jq -r 'to_entries[] | "\(.key)=\(.value)"' > .env
    ```

    If a value can contain newlines, wrap each value in quotes:

    ```bash theme={"dark"}
    aws secretsmanager get-secret-value --secret-id <secret-id> --query SecretString --output text \
      | jq -r 'to_entries[] | "\(.key)=\"\(.value)\""' > .env
    ```

    If the secret is plaintext rather than JSON, skip `jq` and write it straight to the file:

    ```bash theme={"dark"}
    aws secretsmanager get-secret-value --secret-id <secret-id> --query SecretString --output text > .env
    ```
  </Step>

  <Step title="Import into Enkryptify">
    ```bash theme={"dark"}
    ek import .env
    ```

    Accept the prompt to delete the `.env` afterward so no plaintext copy is left on disk.
  </Step>
</Steps>

## Notes

* `jq` is required for JSON secrets and is not bundled with the AWS CLI. Running the JSON pipeline on a plaintext secret fails with `Cannot iterate over string`.
* Add `--region <region>` or `--profile <profile>` to any command when they are not set in your config.
* The exported file holds plaintext values, so keep it out of git and delete it after importing.

## Next steps

* [Import from Vercel](/import/vercel)
* [Import from 1Password](/import/1password)
* [CLI Quickstart](/cli/quickstart)
