How To Get An AWS Secrets Manager Secret ARN By Key

This past weekend, I was working on deploying a side project to AWS App Runner.

App Runner lets you specify environment variables from an AWS Secrets Manager secret by ARN, but it took me a while to figure out how to specify an ARN for JSON secrets.

For whatever reason, it was nearly impossible for me to find the format of a Secrets Manager ARN using Google or ChatGPT.

Here’s the format:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:<json-key>:<version-stage>:<version-id>

You can omit the version stage and the version ID, and it’ll always retrieve the AWSCURRENT version.

For example, if you can have a value like this:

{
    "username": "foo",
    "password": "bar"
}

You can retrieve just the password like this:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:password::

Like what you've read?

If you're an engineering leader or developer, you should subscribe to my 80/20 DevOps Newsletter. Give me 1 minute of your day, and I'll teach you essential DevOps skills. I cover topics like Kubernetes, AWS, Infrastructure as Code, and more.

Not sure yet? Check out the archive.

Unsubscribe at any time.