This guide explains how to use AwsSecretsManagerTools as a small, opinionated wrapper around AWS Secrets Manager for “env-map” secrets (JSON object maps of environment variables).
If you’re looking for the CLI or plugin behavior instead, see the aws secrets plugin guide.
npm i @karmaniverous/aws-secrets-manager-tools
This package is ESM-only (Node >= 20).
import { AwsSecretsManagerTools } from '@karmaniverous/aws-secrets-manager-tools';
This library treats SecretString as JSON with the following shape:
{ "KEY": "value", "OPTIONAL": null }
string or null.null is decoded as undefined (because JSON cannot represent undefined).SecretBinary) are not supported by this wrapper.The canonical payload type used by this wrapper is get-dotenv’s ProcessEnv:
import type { ProcessEnv } from '@karmaniverous/get-dotenv';
new AwsSecretsManagerTools(...)Create a configured instance (recommended usage):
import { AwsSecretsManagerTools } from '@karmaniverous/aws-secrets-manager-tools';
const tools = new AwsSecretsManagerTools({
clientConfig: {
region: 'us-east-1',
logger: console,
},
xray: 'auto',
});
new AwsSecretsManagerTools({ ... }) accepts:
clientConfig?: SecretsManagerClientConfig
clientConfig.logger is provided, it must implement debug, info, warn, and error (the unified get-dotenv Logger contract). The wrapper validates this contract up front (it does not polyfill missing methods).xray?: 'auto' | 'on' | 'off'
'auto' (default): enable only when AWS_XRAY_DAEMON_ADDRESS is set.'on': force capture (requires AWS_XRAY_DAEMON_ADDRESS and aws-xray-sdk).'off': never enable capture.The instance exposes a few helpful properties:
tools.client: the effective SecretsManagerClient (captured/instrumented when X-Ray is enabled)tools.clientConfig: the effective config used to construct the base clienttools.logger: the validated console-like loggertools.xray: { mode, enabled, daemonAddress? } reflecting the effective runtime decisionWhen you need AWS Secrets Manager APIs that aren’t wrapped by this package, use tools.client directly and import AWS SDK command classes as needed:
import { ListSecretsCommand } from '@aws-sdk/client-secrets-manager';
import { AwsSecretsManagerTools } from '@karmaniverous/aws-secrets-manager-tools';
const tools = new AwsSecretsManagerTools({
clientConfig: { region: 'us-east-1', logger: console },
});
const res = await tools.client.send(new ListSecretsCommand({}));
console.log(res.SecretList?.length ?? 0);
readEnvSecret(...)Read and decode an env-map secret:
const env = await tools.readEnvSecret({ secretId: 'my-app/dev' });
{ secretId, versionId? }SecretString is missing (binary secrets are not supported)SecretString is invalid JSONstring | nullupdateEnvSecret(...)Write a new secret version for an existing secret:
await tools.updateEnvSecret({
secretId: 'my-app/dev',
value: { API_URL: 'https://example.com' },
});
Notes:
versionId (optional) is forwarded as ClientRequestToken for idempotency.createEnvSecret(...)Create a new secret with an env-map payload:
await tools.createEnvSecret({
secretId: 'my-app/dev',
value: { API_URL: 'https://example.com' },
description: 'my-app dev env',
});
upsertEnvSecret(...)Update the secret if it exists, otherwise create it:
const mode = await tools.upsertEnvSecret({
secretId: 'my-app/dev',
value: { API_URL: 'https://example.com' },
});
// mode is 'updated' or 'created'
Behavior note:
ResourceNotFoundException. Other AWS errors are re-thrown.deleteSecret(...)Delete a secret (recoverable by default):
await tools.deleteSecret({ secretId: 'my-app/dev' });
Options:
{ recoveryWindowInDays?: number } to set a specific recovery window{ forceDeleteWithoutRecovery?: boolean } to permanently delete (dangerous)X-Ray capture is guarded:
aws-xray-sdk'auto' mode, capture is enabled only when AWS_XRAY_DAEMON_ADDRESS is set.'auto' mode, if the daemon address is set but aws-xray-sdk is not installed, construction throws with a clear message.aws secrets pull|push|delete), see the aws secrets plugin guide.