A beautiful TUI (Terminal User Interface) for viewing and managing AWS Secrets Manager secrets, built with Go and Bubble Tea.
- Beautiful TUI: Built with Charm's Bubble Tea framework for a polished terminal experience
- AWS Integration: Uses the AWS SDK for Go v2 to interact with Secrets Manager
- Credential Management: Automatically reads AWS credentials from `~/.aws/` (same as AWS CLI)
- On-Demand Secret Fetching: Secrets are only decrypted when you explicitly request them (security-first)
- Clipboard Support: Copy secret values to clipboard in both plain text and JSON formats
- Profile & Region Switching: Easily switch between AWS profiles and regions
- Pagination: Handles large numbers of secrets with built-in pagination
- Go 1.21 or later
- AWS credentials configured (via `aws configure` or environment variables)
- Required IAM permissions (see below)
```bash
# Clone the repository
git clone https://github.com/benjamingriff/secretsrc.git
cd secretsrc

# Build the binary
go build -o secretsrc cmd/secretsrc/main.go

# Run the app
./secretsrc
```

```bash
go install github.com/benjamingriff/secretsrc/cmd/secretsrc@latest
```

Secret Src uses the same credential chain as the AWS CLI:
- Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
- Shared credentials file (`~/.aws/credentials`)
- Shared config file (`~/.aws/config`)
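
The lookup order above, as an added Go example (not secretsrc's own code): it parses profile sections from the two shared files and reports which of the three listed sources would supply credentials for the active profile. It covers only the sources named here; the sample file contents are constructed, and `profileNames` and `credentialSource` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// profileNames returns the profile sections in an AWS shared file. ~/.aws/config uses
// "[default]" and "[profile NAME]" (other kinds, e.g. "[sso-session x]", are skipped);
// ~/.aws/credentials uses bare "[NAME]".
func profileNames(content string, isConfig bool) map[string]bool {
	names := map[string]bool{}
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if !strings.HasPrefix(line, "[") || !strings.HasSuffix(line, "]") {
			continue // key = value lines, comments and blanks
		}
		name := strings.TrimSpace(line[1 : len(line)-1])
		if isConfig && name != "default" {
			if !strings.HasPrefix(name, "profile ") {
				continue
			}
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
		}
		names[name] = true
	}
	return names
}

// credentialSource returns the active profile and the first listed source that covers it.
func credentialSource(env map[string]string, credentials, config string) (string, string) {
	profile := env["AWS_PROFILE"]
	if profile == "" {
		profile = "default"
	}
	switch {
	case env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "":
		return profile, "environment"
	case profileNames(credentials, false)[profile]:
		return profile, "shared credentials file"
	case profileNames(config, true)[profile]:
		return profile, "shared config file"
	}
	return profile, "none"
}

// Constructed sample file contents with placeholder values (assumption, not real keys).
const sampleCreds = "[default]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"
const sampleConfig = "[default]\nregion = us-west-2\n[profile myprofile]\nregion = eu-west-1\n[sso-session corp]\nsso_region = us-east-1\n"

func main() {
	fmt.Println(credentialSource(map[string]string{"AWS_PROFILE": "myprofile"}, sampleCreds, sampleConfig))
}
```
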
To set up credentials:

```bash
aws configure
```

You can also use the `AWS_PROFILE` and `AWS_REGION` environment variables to override defaults:

```bash
export AWS_PROFILE=myprofile
export AWS_REGION=us-west-2
./secretsrc
```

Your AWS user or role needs the following permissions:
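```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "secretsmanager.*.amazonaws.com"
        }
      }
    }
  ]
}
```

Note: The KMS decrypt permission is only needed if your secrets are encrypted with custom KMS keys. The `kms:ViaService` value contains a wildcard, so the condition uses `StringLike`; `StringEquals` would compare the `*` literally and never match. To narrow access, `secretsmanager:GetSecretValue` and `kms:Decrypt` can be scoped to specific secret and key ARNs instead of `*`.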
- `↑`/`k` - Move up
- `↓`/`j` - Move down
- `enter` - View secret details
- `p` - Switch AWS profile
- `g` - Switch AWS region
- `r` - Refresh secret list
- `n` - Load next page (when available)
- `?` - Toggle help
- `q`/`esc` - Quit

- `v` - View secret value (decrypt and display)
- `c` - Copy secret value to clipboard (plain text)
- `j` - Copy secret value to clipboard (JSON formatted)
- `esc`/`q` - Back to secret list
- `ctrl+c` - Force quit

- `↑`/`k` - Move up in list
- `↓`/`j` - Move down in list
- `enter` - Select profile/region and switch
- `esc`/`q` - Cancel and go back
- `/` - Filter/search (built-in)

- Browse Secrets: Launch the app to see a list of all secrets in your current AWS region
- Switch Profile/Region: Press `p` to select a different AWS profile or `g` to select a different region
- View Details: Press `enter` on a secret to see its metadata (name, ARN, last modified date)
- Decrypt Secret: Press `v` to fetch and decrypt the secret value (on-demand for security)
- Copy to Clipboard: Press `c` for plain text or `j` for JSON-formatted copy
- On-Demand Fetching: Secret values are never automatically fetched or displayed. You must explicitly press `v` to decrypt them.
- Memory Clearing: Secret values are cleared from memory when you navigate away from the detail screen.
- Alternate Screen: The app uses the terminal's alternate screen buffer, so secrets don't remain in scrollback history.
- Clipboard Persistence: Be aware that copied secrets will remain in your clipboard after the app closes. Clear your clipboard if needed.
```
secretsrc/
├── cmd/
│   └── secretsrc/
│       └── main.go                  # Application entry point
├── pkg/
│   ├── aws/
│   │   ├── client.go                # AWS client initialization
│   │   ├── secrets.go               # Secrets Manager operations
│   │   └── config.go                # Profile/region management
│   ├── models/
│   │   └── secret.go                # Data structures
│   └── ui/
│       ├── app.go                   # Main Bubble Tea model
│       ├── view.go                  # View rendering
│       ├── keys.go                  # Key bindings
│       ├── styles.go                # Lipgloss styles
│       └── components/
│           ├── list.go              # Secret list component
│           ├── profile_selector.go  # Profile selection
│           └── region_selector.go   # Region selection
├── go.mod
├── go.sum
└── README.md
```
- Run `aws configure` to set up your credentials
- Or set `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
- Ensure your AWS user/role has the required IAM permissions (see above)
- Check that you're using the correct AWS profile
- Try switching to a different region (future feature)
- Verify that secrets exist in the current region via AWS Console
- The `atotto/clipboard` library requires X11 on Linux
- Install `xclip` or `xsel`: `sudo apt-get install xclip`
- List secrets with pagination
- View secret details
- On-demand secret value fetching
- Clipboard copy (plain text & JSON)
- Interactive profile selector
- Interactive region selector
- Search/filter secrets
- Secret versioning support
- Create/update/delete secrets
- Secret rotation status
- Export secrets to file
Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - see LICENSE file for details
- Built with Bubble Tea by Charm
- Styled with Lipgloss
- Uses Bubbles components
- AWS SDK for Go v2