AWS Secrets Manager
Pull secrets from AWS Secrets Manager into your local .env file using the AWS CLI.
Prerequisites
AWS CLI
The extension uses the aws CLI to retrieve secrets. Install it from docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html.
Configure credentials:
aws configure
# or use named profiles / environment-variable credentials
Running the Sync
Run ENV Manager Pro: Pull from AWS Secrets Manager from the Command Palette.
You'll be prompted for:
- Secret Name or ARN — the identifier of the secret in AWS Secrets Manager
- AWS Region — e.g. us-east-1
How It Works
The extension runs:
aws secretsmanager get-secret-value \
--secret-id <name-or-arn> \
--region <region> \
--query SecretString \
--output text
The returned SecretString can be:
JSON format (most common):
{ "DATABASE_URL": "postgres://...", "API_KEY": "sk-..." }
The extension parses this and adds each key to your .env file.
Plain string format:
DATABASE_URL=postgres://...
API_KEY=sk-...
The extension parses this as standard .env format.
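The two SecretString formats above can be handled as in the following sketch. It is an added example, not the extension's own code: the function names, the key-name rule and the quoting convention are assumptions, so check the quoting against the dotenv parser your application uses.

```python
import json
import os
import re

KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed rule; fullmatch rejects newlines, spaces, '='


def parse_secret_string(secret_string):
    """Return {key: value} from a SecretString in JSON-object or .env form."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        data = None
    pairs = {}
    if isinstance(data, dict):
        for key, value in data.items():
            pairs[key] = value if isinstance(value, str) else json.dumps(value)
    else:
        for line in secret_string.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]  # drop matching surrounding quotes
            pairs[key] = value
    bad = [k for k in pairs if not KEY_RE.fullmatch(k)]
    if bad:
        raise ValueError(f"unsafe key names in secret: {bad!r}")
    return pairs


def render_env(pairs):
    """Serialise to .env text; values with special characters are double-quoted and escaped."""
    lines = []
    for key, value in pairs.items():
        if re.search(r"[\s#\"'\\]", value):
            for raw, esc in (("\\", "\\\\"), ('"', '\\"'), ("\n", "\\n"), ("\r", "\\r")):
                value = value.replace(raw, esc)
            value = f'"{value}"'
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def write_env(path, pairs):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # POSIX: owner-only, also tightens a pre-existing file
    with os.fdopen(fd, "w") as fh:
        fh.write(render_env(pairs))
```

The resulting .env file holds the secrets in plaintext, so keep it out of version control as well as restricting its mode.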
Permissions Required
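Your AWS credentials need the secretsmanager:GetSecretValue permission on the target secret. Secrets Manager appends a hyphen and six random characters to the secret name in its ARN, so the resource ends in -?????? to match it:
{
  "Effect": "Allow",
  "Action": "secretsmanager:GetSecretValue",
  "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secrets-??????"
}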
Security
No AWS credentials are stored by the extension — it relies entirely on the AWS CLI's configured credential chain (environment variables, ~/.aws/credentials, IAM roles, etc.).