I have tried to write a script that updates AWS secrets. Yes, the update-secret command already does this, but that will overwrite existing secrets instead of merging them w/ the new content.
For example, suppose my-environment/my-application/secrets has the following content:
{ "db_1_pwd": "secret"}
If I run my script, like this:
>> update_secret my-environment/my-application/secrets '{"db_2_pwd": "secreter"}'
I would expect the new content to be:
{ "db_1_pwd": "secret", "db_2_pwd": "secreter"}
Instead, the new content winds up being this (unescaped) string:
"{\"db_1_pwd\":\"secret\",\"db_2_pwd\":\"secreter\"}"
Here is my script:
#!/bin/sh
SECRET_ID=$1
SECRET_STRING=$2
EXISTING_SECRET=`aws secretsmanager get-secret-value --secret-id $SECRET_ID | jq '.SecretString | fromjson'`
NEW_SECRET=`echo $EXISTING_SECRET $SECRET_STRING | jq -s 'add tostring'`
echo $NEW_SECRET # this is printed out for debug purposes
aws secretsmanager put-secret-value --secret-id $SECRET_ID --secret-string $NEW_SECRET
Note that it does print out "{\"db_1_pwd\":\"secret\",\"db_2_pwd\":\"secreter\"}" in the echo statement and if I type this on the command line:
>> aws secretsmanager put-secret-value --secret-id my-environment/my-application/secrets --secret-string "{\"db_1_pwd\":\"secret\",\"db_2_pwd\":\"secreter\"}"
it works.
Clearly the script is having issues w/ escaping the quotation marks. Any suggestions on how to fix this?
(It's probably something to do w/ bash as opposed to AWS)
Following script worked for me :
#!/bin/sh
SECRET_ID=$1
SECRET_STRING=$2
EXISTING_SECRET=`aws secretsmanager get-secret-value --secret-id $SECRET_ID | jq '.SecretString | fromjson'`
NEW_SECRET=`echo "$EXISTING_SECRET $SECRET_STRING" | jq -s add`
aws secretsmanager put-secret-value --secret-id $SECRET_ID --secret-string "$NEW_SECRET"