Manage AWS Service Accounts

These CLI commands can be used to manage service accounts that use the SecretHub AWS Identity Provider. For details about the Identity Provider, see the AWS Integration Reference.

All Commands

To manage AWS service accounts, you can use the following commands:

secrethub service aws init
Create a new service account that uses the AWS identity provider.
secrethub service aws ls
List all AWS service accounts attached to a repository.

To create a new service account that uses the AWS identity provider, you can use:

secrethub service aws init [options] <namespace>/<repo>

Note that the CLI encrypts the service account's key with the KMS key you pass, so the AWS credentials configured on the system where you run this command need encrypt permission (kms:Encrypt) on that key. For details on how to configure AWS credentials, see the AWS CLI documentation.

If no system-wide default for the AWS region is configured (e.g. with $AWS_REGION), the AWS region where the KMS key resides must be passed explicitly to this command with the --region flag, unless you pass the key as a full ARN, which already contains the region.

Arguments

<namespace>/<repo> (string)
The service account is attached to this repository.

Options

--kms-key (string)
The ID or ARN of the KMS key used to encrypt the service account's key. If you pass a bare key ID rather than an ARN, the region must come from --region or from the system-wide AWS configuration. If this value is not provided as a flag, you will be prompted for its value.
--role (string)
The role name or ARN of the IAM role that should have access to this service account. Any principal that can assume this role can authenticate as the service account, so keep the role's trust policy tightly scoped. If this value is not provided as a flag, you will be prompted for its value.
--region (string)
The AWS region that should be used for KMS. Only required if the region cannot be determined from the system-wide AWS configuration or from the KMS key ARN. If this value is not provided as a flag and is required, you will be prompted for its value.
--description (string)
A description for the service.
--permission (string)
Create an access rule giving the service account permission on a directory. Accepted permissions are read, write and admin. Use --permission <permission> to give permission on the root of the repo and --permission <subdirectory>:<permission> to give permission on a subdirectory.


To list all AWS service accounts attached to a repository, use the service aws ls command:

secrethub service aws ls [options] <namespace>/<repo>

The service aws ls command prints the details of all service accounts, including the IAM role and KMS key each one uses.

Arguments

<namespace>/<repo> (string)
The repository to list service accounts for.

Options

-q, --quiet (boolean)
Only print service IDs.
-T, --timestamp (boolean)
Show timestamps formatted as RFC3339 instead of human-readable durations.