Extracting a Specific Key from AWS Secrets Manager (For AWS App Runner)
1. Context
When deploying Backend projects with AWS App Runner, securely managing environment variables is always a top priority.
App Runner allows us to reference these variables directly from AWS Secrets Manager via the ARN (Amazon Resource Name). However, a problem arises: If your Secret is stored as a JSON object with multiple Key-Value pairs, how does App Runner know you only need a single value (e.g., DB_PASSWORD) instead of the entire JSON?
Many documentation sources don’t explain this clearly, which can cause your application to read data in the wrong format.
2. The Solution: Extended ARN Format
To extract a specific Key, you need to use the full ARN format of Secrets Manager. Here’s the formula that not everyone knows:
arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>:<json-key>:<version-stage>:<version-id>
Key Components to Note:
- <json-key>: This is the name of the Key you want to retrieve from the JSON.
- <version-stage> and <version-id>: These two parameters can be left empty.
- Note: If you leave the Version empty, AWS will default to the latest version (AWSCURRENT).
3. Practical Example
Suppose you have a Secret stored as JSON like this:
{
"username": "admin_user",
"password": "super_secret_password"
}
To extract only the password value for App Runner’s environment variable, use the following ARN format:
arn:aws:secretsmanager:ap-southeast-1:123456789012:secret:my-app-secrets:password::
Explanation: The two trailing colons (::) indicate that we are skipping version-stage and version-id, but the separators must still be present so the ARN keeps the correct number of segments.
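To make the segment layout concrete, here is a small added helper (not part of the original post or of any AWS SDK) that builds and parses the extended ARN and emulates the value App Runner would inject for a given SecretString. The SecretRef class, the function names and the sample secret JSON are all constructed for this illustration; real secret ARNs also carry a random suffix on the name, which this parser treats as part of the name.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the raw SecretString from the example above, as Secrets Manager would return it.
SAMPLE_SECRET_STRING = '{"username": "admin_user", "password": "super_secret_password"}'
EXAMPLE_ARN = "arn:aws:secretsmanager:ap-southeast-1:123456789012:secret:my-app-secrets:password::"


@dataclass(frozen=True)
class SecretRef:
    """Hypothetical model of the extended ARN: ...:secret:<name>:<json-key>:<version-stage>:<version-id>."""
    region: str
    account_id: str
    secret_name: str
    json_key: Optional[str] = None
    version_stage: Optional[str] = None
    version_id: Optional[str] = None

    def to_arn(self) -> str:
        base = f"arn:aws:secretsmanager:{self.region}:{self.account_id}:secret:{self.secret_name}"
        if self.json_key is None and self.version_stage is None and self.version_id is None:
            return base  # plain secret ARN: the whole SecretString is injected
        # Empty selectors are still emitted so the separator count stays fixed (the "::" in the example).
        return f"{base}:{self.json_key or ''}:{self.version_stage or ''}:{self.version_id or ''}"


def parse_secret_arn(arn: str) -> SecretRef:
    """Accept a plain ARN (7 segments) or the extended form (10 segments); reject anything else."""
    parts = arn.split(":")
    if parts[0] != "arn" or parts[2] != "secretsmanager" or parts[5] != "secret" or len(parts) not in (7, 10):
        raise ValueError(f"not a Secrets Manager ARN (expected 7 or 10 colon-separated segments): {arn}")
    ref = SecretRef(region=parts[3], account_id=parts[4], secret_name=parts[6])
    if len(parts) == 10:
        key, stage, vid = (p or None for p in parts[7:10])  # empty segment -> selector not set
        ref = SecretRef(ref.region, ref.account_id, ref.secret_name, key, stage, vid)
    return ref


def resolve_value(arn: str, secret_string: str) -> str:
    """Emulate the environment-variable value: the whole string, or one JSON key when <json-key> is set."""
    ref = parse_secret_arn(arn)
    if ref.json_key is None:
        return secret_string
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("json-key was given but the SecretString is not JSON") from exc
    if not isinstance(doc, dict) or ref.json_key not in doc:
        raise KeyError(f"key {ref.json_key!r} not found in secret {ref.secret_name!r}")
    return str(doc[ref.json_key])  # this helper stringifies non-string values; an assumption, not App Runner behaviour
```

Running resolve_value(EXAMPLE_ARN, SAMPLE_SECRET_STRING) yields only the password, which is what the App Runner environment variable would contain.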
4. Why Is This Approach Optimal?
- Least exposure: the application receives only the single value it needs rather than the whole JSON document. Note that the IAM permission (secretsmanager:GetSecretValue) is still granted per secret, not per key, so the instance role can still read the entire secret; the key selector limits what is injected, not what is authorized.
- Simplified code: Your Backend will receive a plain text value instead of having to parse a JSON string again.
- Centralized management: You can store all Keys for a Project under a single Secret Name while still extracting individual Keys for different environment variables.
Summary
Understanding the Secrets Manager ARN format helps you manage sensitive data flows in App Runner more professionally. Remember the rule: Secret Name -> Key -> Version.