How to normalize a private key stored on AWS secrets manager

Josh Beauregard · Oct 17, 2019 · Viewed 10.9k times

EDIT: As of Feb 2020, AWS seems to have fixed this bug. The base64-ing and other workarounds are no longer needed.

I have my secret stored as a string, but of course when AWS stores the secret it removes whitespace and line breaks. On top of that, it wraps the value in JSON.

When I run aws secretsmanager get-secret-value --secret-id my-private-key > private.pem it returns something like:

{
    "Name": "ai-data-devops-ansible-deploy-key",
    "VersionId": "fedafe24-d3eb-4964-9a8f-7f4ecb375a35",
    "SecretString": "-----BEGIN RSA PRIVATE KEY-----\nasdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=\n-----END RSA PRIVATE KEY-----\n",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1568147513.11,
    "ARN": "arn:aws:secretsmanager:us-east-1:13726472r4:secret:my-private-key-XQuwafs"
}

So I need to:

  • Get the value out of the JSON
  • Reformat the string to be more like:
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----

Answer

Jason Steele · Nov 7, 2019

Another option would be to base64 encode the PEM for storage:

Encode the key:

$ cat private_key 
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----
$ base64 private_key > encoded_private_key

$ cat encoded_private_key
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQphc2RrbW5hc2Vma2xqenNka2ZmanNsZGtnZmpsemttc2RmbGtOT1RBUkVBTEtFWWFzZGRram5zZmRsenhkZnZsa21kZ2dvPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

Get the key back:

$ base64 -D encoded_private_key
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----

Edit: Assuming the secret is base64 encoded, this would work:

Encode and push:

aws secretsmanager create-secret --name my-private-key --secret-string `base64 private.pem`

Pull and decode:

aws secretsmanager get-secret-value --secret-id my-private-key --query 'SecretString' --output text |base64 -D > private.pem

Doing the --query --output text thing might make it simpler to parse even if you don't want to base64 encode it as well.
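As an added example that is not code from either post, the script below does in Python what the question and the answer do by hand: it takes the JSON envelope returned by get-secret-value, unwraps the optional base64 layer from the answer's approach if it is present, rebuilds the PEM layout (header, 64-column body, footer) whether the line breaks survived, became literal backslash-n, or were stripped entirely, and writes the key with mode 0600. It uses only the Python 3 standard library. The sample response is constructed to resemble the output shown in the question with its line breaks removed; the key body is the same placeholder string from the page, not real key material.

```python
import base64
import binascii
import json
import os
import re

# Constructed sample modelled on the get-secret-value output in the question,
# with the line breaks stripped the way the question describes. The body is
# the page's placeholder string, not real key material.
SAMPLE_RESPONSE = json.dumps({
    "Name": "my-private-key",
    "SecretString": (
        "-----BEGIN RSA PRIVATE KEY-----"
        "asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo="
        "-----END RSA PRIVATE KEY-----"
    ),
    "VersionStages": ["AWSCURRENT"],
})

# One PEM block: header, opaque body, footer whose label matches the header.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
BASE64_BODY_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_secret_string(response_json: str) -> str:
    """Pull SecretString out of the JSON envelope the CLI wraps the value in."""
    value = json.loads(response_json).get("SecretString")
    if not isinstance(value, str):
        raise ValueError("SecretString missing or not a string")
    return value


def encode_for_storage(pem: str) -> str:
    """Mirror the answer's approach: base64 the whole PEM into a single line
    so Secrets Manager has no whitespace to mangle."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def unwrap_base64(value: str) -> str:
    """Undo encode_for_storage if it was applied; leave a bare PEM alone."""
    if value.lstrip().startswith("-----BEGIN"):
        return value
    compact = "".join(value.split())  # tolerate a wrapped base64 line (GNU default)
    try:
        decoded = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return decoded if decoded.lstrip().startswith("-----BEGIN") else value


def normalize_pem(value: str) -> str:
    """Rebuild canonical PEM layout: header, 64-column body, footer, trailing newline.

    Works whether the newlines survived, became the two characters backslash-n,
    or were stripped entirely along with the other whitespace."""
    text = value.replace("\\n", "\n")
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no PEM block found in secret")
    label = match.group("label").strip()
    body = "".join(match.group("body").split())
    if not BASE64_BODY_RE.fullmatch(body):
        raise ValueError("PEM body contains non-base64 characters")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def recover_pem(response_json: str) -> str:
    """Full pipeline: JSON envelope -> optional base64 layer -> canonical PEM."""
    return normalize_pem(unwrap_base64(extract_secret_string(response_json)))


def write_key_file(path: str, pem: str) -> None:
    """Create the file with mode 0600 up front; a chmod after the write would
    leave a window where the key is readable under a loose umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)


if __name__ == "__main__":
    pem = recover_pem(SAMPLE_RESPONSE)
    write_key_file("private.pem", pem)
    print(pem, end="")
```

Two portability points on the shell one-liners in the answer: `base64 -D` is the macOS spelling and GNU coreutils uses `-d`; GNU `base64` also wraps its output at 76 columns, so for the create-secret line use `base64 -w0` and quote the command substitution, otherwise the wrapped output is word-split into several arguments. Passing the key through the command line also leaves it in shell history and visible in the process list, which is why the script above writes it straight to a 0600 file rather than echoing it.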