Docs: Improving examples for fetching secrets

[chubzor]

What were you searching in the docs?

I wanted to set up pulling secrets for my project and replacing my custom code with lambda power tools parameters functionality.

Is this related to an existing documentation section?

https://docs.powertools.aws.dev/lambda/python/latest/utilities/parameters/#fetching-secrets

How can we improve?

The example has
api_key: Any = parameters.get_secret("/lambda-powertools/api-key") headers: dict = {"X-API-Key": api_key}

This reads as pulling a value for an api-key key
But the value of api-key can be a mapping of keys and values and produce a dict.

In my code I've set up secrets where I've got
project-name/staging

Under that I have key value mapping of:
DB_CONNECTION_STRING
API_KEY

And wanted to do: parameters.get_secret("project-name/staging/DB_CONNECTION_STRING") to pull the value under a key within a secret.

Got a suggestion in mind?

Adding another nested example to show the difference between a plain string and key/value results.

Acknowledgment

• I understand the final update might be different from my proposed suggestion, or refused.

[boring-cyborg]

Thanks for opening your first issue here! We'll come back to you as soon as we can.
In the meantime, check out the #python channel on our Powertools for AWS Lambda Discord: Invite link

[dreamorosi]

Hi @chubzor, thank you for opening the issue.

I'm not 100% sure I understand correctly, but if I am, it looks like you have a secret stored as key/value pairs like this

except in your case the keys are DB_CONNECTION_STRING and API_KEY.

If this is the case, then you still need to retrieve the entire secret since AWS Secrets Manager treats it as a single secret. Once retrieved the entire object, then you can parse it and grab the key/val that you need.

Specifically, using Parameters from Powertools for AWS, you could use the transform feature, and do something like this:

from typing import Any

import requests

from aws_lambda_powertools.utilities import parameters
from aws_lambda_powertools.utilities.typing import LambdaContext


def lambda_handler(event: dict, context: LambdaContext):

    try:
        configs: Any = parameters.get_secret("my-project/staging", transform="json")

        api_key = config["API_KEY"]

        # ...
    except parameters.exceptions.GetParameterError as error:
        return {"comments": None, "message": str(error), "statusCode": 400}

If instead you want to be able to get each key/val independently, you'll have to store them separately with each key/val in their own secret.

---

Please let me know if this answers your question or if I misunderstood your use case.