AWS Security Blog

Identify, arrange, and manage secrets easily using enhanced search in AWS Secrets Manager

AWS Secrets Manager now enables you to search secrets based on attributes such as secret name, description, tag keys, and tag values. With this launch, you can easily identify, arrange, and manage your secrets into logical groups that can then be used by specific applications, departments, or employees. For example, you can use the Secrets Manager console or the ListSecrets API to quickly find all secrets used in the production environment, such as those tagged with the key Environment and the value Production. Similarly, you can find all database-related secrets by searching for secrets that include "database" in the name, description, tag key, or tag value.

Secrets Manager helps you protect secrets used to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. As your organization grows, you need to manage an increasing number of secrets to protect your IT resources. You can use tags or hierarchical names (for example, /Accounting/Analysts/UserCreds) to arrange these secrets into logical groups that are easy to manage. You can use the enhanced search to easily search through these groups to find specific secrets.

In this post, we walk you through:

  1. Search criteria supported by this functionality in Secrets Manager.
  2. Examples of how to use the search functionality.

Secret search criteria supported by Secrets Manager

This feature enables you to search across four attributes of secrets:

  • Name of the secret: Use this search to find subsets of secrets by secret name. This search is a case-sensitive prefix match.
  • Description of the secret: Use this search to identify secrets whose description contains the search value. This search is not case sensitive.
  • Tag key: Use this search to easily locate secrets grouped by similar tag key. This search is a case-sensitive prefix match.
  • Tag value: Use this search to easily identify secrets by the tag values on the secret. This search is also a case-sensitive prefix match.

To get started with the search feature on the AWS Management Console, open the Secrets Manager Console and choose the search input box. As shown in the figure below, the search input box will display a drop-down list of the supported search attributes.

Figure 1: Secrets Manager search attributes


You can search secrets by specific attributes or search across a combination of attributes. You can also perform a blanket search without specifying any search attribute. The result then includes every secret that contains the search value in the secret name, description, tag key, or tag value. For example, searching for "secrets for" returns any secret whose name, tag key, tag value, or description includes both "secrets" and "for" in the same field. As shown in the figure below, this search returned only the secret with the description Secrets for Accounting Analysts.

Note: Since AWS Secrets Manager is a Regional service, the search returns only the matching secrets that are stored in the currently selected Region. Repeat the search in each Region you use if your secrets span several Regions.

Figure 2: Console showing a blanket search


Using the Secret search functionality

Suppose your organization uses AWS Secrets Manager to store thousands of secrets owned by different applications, teams, and departments. All of these secrets are grouped by tag keys and tag values to associate them with the corresponding application, team, and department. For example, secrets owned by the accounting department could have a tag key Department and tag value Accounting, while secrets used by an ecommerce application could have a tag key AppId and tag value ecommerce. There are various ways that you can use the enhanced search functionality to easily search for and identify the secrets you need to work with.

Single attribute search

You can easily identify secrets by using a single search criterion. To demonstrate this, search for secrets that contain the word Conducts in the description. Navigate to the Secrets Manager console, choose the search input, select Description from the drop-down list, type the word Conducts, and press the Enter key. This performs a case-insensitive search for secrets containing the word Conducts in the Description field and displays the matching secrets on the console.

Figure 3: Secret description search


To identify all secrets that contain the word Conducts in the description field by using the AWS CLI:

  1. Run the list-secrets command.
  2. Apply a filter with the key description.
  3. Set Values to the word Conducts.
  4. Optionally, use --query to return only the Name and Description of each match.

The following sample command shows this:


aws secretsmanager list-secrets --filters '[{"Key":"description", "Values":["Conducts"]}]' --query "SecretList[*].{SecretName:Name,Description:Description}"

Output:


[
    {
        "Description": "Conducts an AWS SecretsManager rotation for RDS MySQL using single user rotation scheme", 
        "SecretName": "SecretsManager-rotation-lambda"
    }, 
    {
        "Description": "Conducts an AWS SecretsManager rotation for RDS MySQL using single user rotation scheme", 
        "SecretName": "SecretsManager-rotation-Developers"
    }
]

Multiple attributes search

You can also search for secrets by specifying multiple combinations of search criteria and search values. We demonstrate this by searching for secrets used by the accounting department, as shown below. To perform this search, look for secrets with the tag key Department and the tag value Accounting. This multiple-attribute search performs a case-sensitive prefix match and returns only secrets that have a tag key starting with Department and a tag value starting with Accounting; the criteria are combined with AND logic, so a secret must satisfy every filter to be returned.

  1. From the Secrets Manager console, select Tag key attribute and enter Department.
  2. Select Tag value attribute, enter Accounting, and press the Enter key.

As shown in the figure below, the Secrets Manager console displays all the secrets that match both the tag key Department and tag value Accounting. To view the tags associated with the secret, choose the secret name.

Figure 4: Search results


Figure 5: Tag key and tag value search


The AWS CLI command to search secrets by tag key Department and tag value Accounting is shown below. Note that the filter keys must be written exactly as tag-key and tag-value; a key with a stray space or different capitalization is rejected by the API.


aws secretsmanager list-secrets --filters '[{"Key":"tag-key", "Values":["Department"]},{"Key":"tag-value", "Values":["Accounting"]}]' --query "SecretList[*].{SecretName:Name,Tags:Tags}"

Output:


[
    {
        "Tags": [
            {
                "Value": "Accounting",
                "Key": "Department"
            }
        ],
        "SecretName": "/Accounting/Analysts/UserCreds"
    },
    {
        "Tags": [
            {
                "Value": "Accounting",
                "Key": "Department"
            }
        ],
        "SecretName": "/Accounting/Analysts/Database/AppCreds"
    }
]
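The following is an added example and not code from this post or from AWS. It models, offline, the filter rules described above (case-sensitive prefix match on name, tag key, and tag value; case-insensitive match on description; blanket search requiring every word of the search value to appear in one field; AND across filters) over a constructed list of secret metadata shaped like the SecretList entries that list-secrets returns. It also builds the JSON you pass to --filters and rejects mistyped filter keys, such as a key with a trailing space. The secret names, descriptions, and tags are constructed sample data, and the match rules are taken from this post's description rather than verified against the service.

```python
"""Offline model of the list-secrets filter rules described in this post.

Added example: constructed sample data only; it never calls AWS.
"""
import json

# Filter keys accepted by `list-secrets --filters` and how this post describes them.
# "all" is the key behind the console's blanket search (no attribute selected).
MATCH_RULES = {
    "name": "prefix match, case-sensitive",
    "description": "contains, case-insensitive",
    "tag-key": "prefix match, case-sensitive",
    "tag-value": "prefix match, case-sensitive",
    "all": "every word of the value appears in one field, case-insensitive",
}

# Constructed sample metadata, shaped like entries in the SecretList of a
# list-secrets response. Not from a real account.
SAMPLE_SECRETS = [
    {"Name": "/Accounting/Analysts/UserCreds",
     "Description": "Secrets for Accounting Analysts",
     "Tags": [{"Key": "Department", "Value": "Accounting"}]},
    {"Name": "/Accounting/Analysts/Database/AppCreds",
     "Description": "Database credentials for the analysts' reporting job",
     "Tags": [{"Key": "Department", "Value": "Accounting"},
              {"Key": "AppId", "Value": "ledger"}]},
    {"Name": "SecretsManager-rotation-lambda",
     "Description": "Conducts an RDS MySQL rotation using the single user rotation scheme",
     "Tags": []},
    {"Name": "ecommerce/db/master",
     "Description": "conducts the nightly ecommerce DB backup",
     "Tags": [{"Key": "AppId", "Value": "ecommerce"},
              {"Key": "department", "Value": "Retail"}]},  # lowercase key on purpose
]


def build_filters(criteria):
    """Build the JSON for --filters from (key, value) pairs.

    Rejects keys the API does not accept, including keys with stray whitespace
    such as "tag-key " (trailing space), which the CLI would reject as invalid.
    """
    filters = []
    for key, value in criteria:
        if key != key.strip():
            raise ValueError(f"filter key {key!r} has leading/trailing whitespace")
        if key not in MATCH_RULES:
            raise ValueError(f"unsupported filter key {key!r}; valid keys: {sorted(MATCH_RULES)}")
        filters.append({"Key": key, "Values": [value]})
    return json.dumps(filters)


def _fields(secret):
    """All searchable text fields of one secret, used by the blanket search."""
    tags = secret.get("Tags", [])
    return ([secret["Name"], secret.get("Description", "")]
            + [t["Key"] for t in tags] + [t["Value"] for t in tags])


def _matches(key, value, secret):
    """Apply one filter (key, value) to one secret using the rules in MATCH_RULES."""
    tags = secret.get("Tags", [])
    if key == "name":
        return secret["Name"].startswith(value)
    if key == "description":
        return value.lower() in secret.get("Description", "").lower()
    if key == "tag-key":
        return any(t["Key"].startswith(value) for t in tags)
    if key == "tag-value":
        return any(t["Value"].startswith(value) for t in tags)
    if key == "all":
        words = value.lower().split()
        return any(all(w in f.lower() for w in words) for f in _fields(secret))
    raise ValueError(f"unsupported filter key {key!r}")


def search(secrets, filters_json):
    """Return the names of secrets that satisfy every filter (AND logic).

    Each filter carries a single value, as in this post's CLI examples.
    """
    pairs = [(f["Key"], v) for f in json.loads(filters_json) for v in f["Values"]]
    return [s["Name"] for s in secrets if all(_matches(k, v, s) for k, v in pairs)]


if __name__ == "__main__":
    dept = build_filters([("tag-key", "Department"), ("tag-value", "Accounting")])
    print(dept)  # the JSON you would pass to --filters
    print(search(SAMPLE_SECRETS, dept))
    print(search(SAMPLE_SECRETS, build_filters([("description", "conducts")])))
    print(search(SAMPLE_SECRETS, build_filters([("all", "secrets for")])))
```

Two details the model makes visible: the ecommerce secret carries a lowercase department tag key and is therefore not returned for the Department/Accounting search, while the lowercase "conducts" description is returned for a Description search because that attribute is not case sensitive. When you run the real command against an account with thousands of secrets, remember that list-secrets returns one page of results at a time with a NextToken; the AWS CLI pages for you, and in boto3 the same filter list can be passed to the list_secrets paginator.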

Summary

In this post, we introduced the enhanced search functionality that enables you to easily identify a logical group of secrets, facilitating easier management, auditing, and monitoring of these secrets. We also showed you how to use the enhanced functionality through the AWS Secrets Manager console and AWS CLI to search for secrets using attributes and combinations of attributes, such as secret names, descriptions, tag keys, and tag values. To get started, visit Secrets Manager.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Secrets Manager forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

David Ogunmola

David is a Security Engineer at AWS. He enjoys the culture at Amazon because it aligns with his dedication to lifelong learning. He holds an MS in Cyber Security from the University of Nebraska. Outside of work, he loves watching soccer and experiencing new cultures.

Author

Divya Sridhar

Divya is a Senior Technical Program Manager for the AWS Secrets Manager team within the AWS Cryptography organization. Divya enjoys being the voice of the customer to influence product roadmaps and ensure we build the right product to meet customer needs. Divya holds an MBA from Carnegie Mellon University for Operations Management and Organizational Behavior.