How To Get An AWS Secrets Manager Secret ARN By Key

This past weekend, I was working on deploying a side project to AWS App Runner.

App Runner lets you specify environment variables from an AWS Secrets Manager secret by ARN, but it took me a while to figure out how to specify an ARN for JSON secrets.

For whatever reason, it was nearly impossible for me to find the format of a Secrets Manager ARN using Google or ChatGPT.

Here’s the format:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:<json-key>:<version-stage>:<version-id>

You can omit the version stage and the version ID, and it’ll always retrieve the AWSCURRENT version.

For example, if you have a secret value like this:

{
    "username": "foo",
    "password": "bar"
}

You can retrieve just the password like this:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:password::
