

# Using Elastic Beanstalk with AWS Secrets Manager and AWS Systems Manager Parameter Store
<a name="AWSHowTo.secrets"></a>

This topic explains how you can use AWS Secrets Manager and AWS Systems Manager Parameter Store with your Elastic Beanstalk environment to securely store and retrieve sensitive information, such as credentials and API keys. Your application can retrieve stored secrets and parameters directly from these stores, using the APIs or command line tools of these services. 

Elastic Beanstalk also offers the ability to reference Secrets Manager and Systems Manager Parameter Store data in environment variables. This is a secure option for your application to natively access secrets and parameters stored by these services without having to manage API calls to them.

**Topics**
+ [Fetching secrets and parameters to Elastic Beanstalk environment variables](AWSHowTo.secrets.env-vars.md)
+ [Required IAM permissions for Elastic Beanstalk to access secrets and parameters](AWSHowTo.secrets.IAM-permissions.md)
+ [Using AWS Secrets Manager and AWS Systems Manager Parameter Store](AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store.md)
+ [Troubleshooting secrets integration with Elastic Beanstalk environment variables](AWSHowTo.secrets.troubleshoot.md)

# Fetching secrets and parameters to Elastic Beanstalk environment variables
<a name="AWSHowTo.secrets.env-vars"></a>

Elastic Beanstalk can fetch values from AWS Secrets Manager and AWS Systems Manager Parameter Store during instance bootstrapping and assign them to environment variables for your application to use.

The following points summarize configuration, synchronization and access for using environment variables as secrets:
+ Configure your environment variables to store secrets by specifying the Amazon Resource Names (ARNs) for the secrets and parameters they will store.
+ When secret values are updated or rotated in Secrets Manager or Systems Manager Parameter Store, you must manually refresh your environment variables.
+ The secrets environment variables are available to [ebextension](platforms-linux-extend.config-files.md) container commands and [platform hooks](platforms-linux-extend.hooks.md).

**Supported platform versions**  
Platform versions that were released on or after [March 26, 2025](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2025-03-26-windows.html) support AWS Secrets Manager secrets and AWS Systems Manager Parameter Store parameters configured as environment variables.

**Note**  
With the exception of the Docker and ECS-based Docker platforms, the Amazon Linux 2 platform versions don't support multiline variable values. For more information about multiline variable support, see [Multiline values](#AWSHowTo.secrets.multiline).

**Topics**
+ [Pricing](#AWSHowTo.secrets.pricing)
+ [Configure secrets as Elastic Beanstalk environment variables](#AWSHowTo.secrets.configure-env-vars)
+ [Extracting JSON keys from Secrets Manager secrets](#AWSHowTo.secrets.json)
+ [Best practices for secrets synchronization with Elastic Beanstalk environment variables](#AWSHowTo.secrets.rotating-secrets)
+ [Multiline values in Amazon Linux 2 environment variables](#AWSHowTo.secrets.multiline)

## Pricing
<a name="AWSHowTo.secrets.pricing"></a>

Standard charges apply for using Secrets Manager and Systems Manager Parameter Store. For more information about pricing, see the following websites:
+ [AWS Secrets Manager pricing](https://aws.amazon.com/secrets-manager/pricing)
+ [AWS Systems Manager pricing](https://aws.amazon.com/systems-manager/pricing/) (select *Parameter Store* from the content list)

Elastic Beanstalk doesn't charge for your application to reference environment secrets via environment variables. However, standard charges do apply to requests that Elastic Beanstalk makes to these services on your behalf.

## Configure secrets as Elastic Beanstalk environment variables
<a name="AWSHowTo.secrets.configure-env-vars"></a>

You can use the Elastic Beanstalk console, configuration files in `.ebextensions`, the AWS CLI, and the AWS SDK to configure secrets and parameters as environment variables. 

**Topics**
+ [Prerequisites](#AWSHowTo.secrets.configure-env-vars.prerequisites)
+ [Using the console](#AWSHowTo.secrets.configure-env-vars.console)
+ [Configuration using files in .ebextensions](#AWSHowTo.secrets.configure-env-vars.config-file)
+ [Configuration using the AWS CLI](#AWSHowTo.secrets.configure-env-vars.aws-cli)
+ [Configuration using the AWS SDK](#AWSHowTo.secrets.configure-env-vars.aws-sdk)

### Prerequisites
<a name="AWSHowTo.secrets.configure-env-vars.prerequisites"></a>

Before you can set up your environment variables to reference secrets you'll first need to complete the following steps.

**General procedure prior to environment variable configuration**

1. Create the Secrets Manager secrets or the Parameter Store parameters to store your sensitive data. For more information, see one or both of the following topics:
   + *Creating secrets* in [Using Secrets Manager to create and retrieve secrets](AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store.md#AWSHowTo.secrets.Secrets-Manager)
   + *Creating parameters* in [Using Systems Manager Parameter Store to create and retrieve parameters](AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store.md#AWSHowTo.secrets.SSM-parmameter-store)

1. Set up the required IAM permissions for your environment’s EC2 instances to fetch the secrets and parameters. For more information, see [Required IAM permissions](AWSHowTo.secrets.IAM-permissions.md).

### Using the console
<a name="AWSHowTo.secrets.configure-env-vars.console"></a>

You can use the Elastic Beanstalk console to configure secrets as environment variables.

**To configure secrets as environment variables in the Elastic Beanstalk console**

1. Open the [Elastic Beanstalk console](https://console.aws.amazon.com/elasticbeanstalk), and in the **Regions** list, select your AWS Region.

1. In the navigation pane, choose **Environments**, and then choose the name of your environment from the list.

1. In the navigation pane, choose **Configuration**.

1. In the **Updates, monitoring, and logging** configuration category, choose **Edit**.

1. Scroll down to **Runtime environment variables**.

1. Select **Add environment variable**.

1. For **Source** select either **Secrets Manager** or **SSM Parameter Store**.
   **Note**  
   For more information about the **Plain text** option in the drop-down, see [Configuring environment properties (environment variables)](environments-cfg-softwaresettings.md#environments-cfg-softwaresettings-console).

1. For **Environment variable name** enter the name of the environment variable to hold the secret or parameter value.

1. For **Environment variable value** enter the ARN of the Systems Manager Parameter Store parameter or the Secrets Manager secret. During instance bootstrapping, Elastic Beanstalk initializes the variable that you named in **Step 8** with the value stored in this ARN resource.

   The console validates that the value you enter is a valid ARN format for the store that you select in **Step 7**. However, it does not validate the existence of the resource specified by the ARN or whether you have the [required IAM permissions](AWSHowTo.secrets.IAM-permissions.md) to access it.

1. If you need to add more variables repeat **Step 6** through **Step 9**.

1. To save the changes choose **Apply** at the bottom of the page.

### Configuration using files in .ebextensions
<a name="AWSHowTo.secrets.configure-env-vars.config-file"></a>

You can use Elastic Beanstalk [configuration files](ebextensions.md) to configure secrets as environment variables. Use the [aws:elasticbeanstalk:application:environmentsecrets](command-options-general.md#command-options-general-elasticbeanstalk-application-environmentsecrets) namespace to define environment properties.

**Note**  
Secrets Manager automatically appends 6 random characters to secret names in the ARN format to ensure uniqueness.

**Example .ebextensions/options.config for environment secrets ([shorthand syntax](ebextensions-optionsettings.md#ebextensions-optionsettings.title))**  

```
option_settings:
  aws:elasticbeanstalk:application:environmentsecrets:
    MY_SECRET: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12
    MY_PARAMETER: arn:aws:ssm:us-east-1:111122223333:parameter/myparam
```

**Example .ebextensions/options.config for environment secrets ([standard syntax](ebextensions-optionsettings.md#ebextensions-optionsettings.title))**  

```
option_settings:
  - namespace: aws:elasticbeanstalk:application:environmentsecrets
    option_name: MY_SECRET
    value: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12
  - namespace: aws:elasticbeanstalk:application:environmentsecrets
    option_name: MY_PARAMETER
    value: arn:aws:ssm:us-east-1:111122223333:parameter/myparam
```

### Configuration using the AWS CLI
<a name="AWSHowTo.secrets.configure-env-vars.aws-cli"></a>

You can use the AWS Command Line Interface (AWS CLI) to configure secrets as Elastic Beanstalk environment variables. This section provides examples of the [create-environment](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/create-environment.html) and [update-environment](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/update-environment.html) commands with the [aws:elasticbeanstalk:application:environmentsecrets](command-options-general.md#command-options-general-elasticbeanstalk-application-environmentsecrets) namespace. When Elastic Beanstalk bootstraps the EC2 instances for the environments that these commands reference, it initializes the environment variables with the fetched secret and parameter values. It fetches these values from the respective ARNs of Secrets Manager and Systems Manager Parameter Store.

The following two examples use the [create-environment](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/create-environment.html) command to add a secret and a parameter, configured as environment variables named `MY_SECRET` and `MY_PARAMETER`.

**Example of create-environment with secrets configured as environment variables (namespace options inline)**  

```
aws elasticbeanstalk create-environment \
--region us-east-1 \
--application-name my-app \
--environment-name my-env \
--platform-arn "arn:aws:elasticbeanstalk:::platform/Node.js 24 running on 64bit Amazon Linux 2023" \
--option-settings \
Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role \
Namespace=aws:elasticbeanstalk:application:environmentsecrets,OptionName=MY_SECRET,Value=arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12 \
Namespace=aws:elasticbeanstalk:application:environmentsecrets,OptionName=MY_PARAMETER,Value=arn:aws:ssm:us-east-1:111122223333:parameter/myparam
```



As an alternative, use an `options.json` file to specify the namespace options instead of including them inline.

**Example of create-environment with secrets configured as environment variables (namespace options in `options.json` file)**  

```
aws elasticbeanstalk create-environment \
--region us-east-1 \
--application-name my-app \
--environment-name my-env \
--platform-arn "arn:aws:elasticbeanstalk:::platform/Node.js 24 running on 64bit Amazon Linux 2023" \
--option-settings file://options.json
```

**Example `options.json`**  

```
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  },
  {
    "Namespace": "aws:elasticbeanstalk:application:environmentsecrets",
    "OptionName": "MY_SECRET",
    "Value": "arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12"
  },
  {
    "Namespace": "aws:elasticbeanstalk:application:environmentsecrets",
    "OptionName": "MY_PARAMETER",
    "Value": "arn:aws:ssm:us-east-1:111122223333:parameter/myparam"
  }
]
```





The next example configures environment variables, named `MY_SECRET` and `MY_PARAMETER`, to store a secret and a parameter for an existing environment. The [update-environment](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk/update-environment.html) command passes options with the same syntax as the `create-environment` command, either inline or with an `options.json` file. The following example demonstrates the command using the same `options.json` file that's used in the previous example.



**Example of update-environment with secrets configured as environment variables (namespace options in `options.json` file)**  

```
aws elasticbeanstalk update-environment \
--region us-east-1 \
--application-name my-app \
--environment-name my-env \
--platform-arn "arn:aws:elasticbeanstalk:::platform/Node.js 24 running on 64bit Amazon Linux 2023" \
--option-settings file://options.json
```

### Configuration using the AWS SDK
<a name="AWSHowTo.secrets.configure-env-vars.aws-sdk"></a>

You can configure secrets and parameters as environment variables using the [AWS SDKs](https://docs.aws.amazon.com//code-library/). Similar to the `update-environment` and `create-environment` AWS CLI commands mentioned in the previous section, you can use the [CreateEnvironment](https://docs.aws.amazon.com//elasticbeanstalk/latest/api/API_CreateEnvironment.html) and [UpdateEnvironment](https://docs.aws.amazon.com//elasticbeanstalk/latest/api/API_UpdateEnvironment.html) API actions. Use the `OptionSettings` request parameter to specify the options of the [aws:elasticbeanstalk:application:environmentsecrets](command-options-general.md#command-options-general-elasticbeanstalk-application-environmentsecrets) namespace.

## Extracting JSON keys from Secrets Manager secrets
<a name="AWSHowTo.secrets.json"></a>

Platform versions that were released on or after [January 13, 2026](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2026-01-13-al2023.html) support extracting specific fields from JSON-formatted Secrets Manager secrets by appending a colon and the JSON key name to the secret ARN. This allows you to reference individual key-value pairs within a secret rather than the entire secret.

### Syntax
<a name="AWSHowTo.secrets.json.syntax"></a>

To extract a specific JSON key from a secret, append `:json-key-name` to the secret ARN:

```
arn:aws:secretsmanager:region:account:secret:secret-name-XXXXXX:json-key-name
```

JSON key extraction can be configured using the same methods as regular environment secrets: console, configuration files in `.ebextensions`, AWS CLI, or AWS SDKs.

### Limitations
<a name="AWSHowTo.secrets.json.limitations"></a>
+ JSON key extraction is only supported for Secrets Manager secrets, **not** Systems Manager Parameter Store parameters.
+ Only top-level JSON keys are supported. Nested key access (e.g., `config.database.host`) and array indexing (e.g., `servers[0]`) are **not** supported. If you need to access nested values, extract the parent object and parse it in your application code. Nested objects and arrays accessed using the top-level key are serialized back to JSON format.
+ JSON key names cannot contain colon (`:`) characters. Colons are reserved as delimiters in the ARN syntax. If a JSON key name contains a colon, only the portion before the first colon is used as the key name, and any characters after the colon are ignored.
+ The ECS managed Docker platform uses the native ECS syntax for referencing secrets. For more information, see [Pass Secrets Manager secrets through Amazon ECS environment variables](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html) in the *Amazon Elastic Container Service Developer Guide*.

### Example
<a name="AWSHowTo.secrets.json.example"></a>

The following example demonstrates how different value types are extracted from a JSON secret. Given this secret:

```
{
  "stringKey": "value1",
  "numberKey": 42,
  "objectKey": {
    "nested": "data"
  },
  "arrayKey": ["item1", "item2"]
}
```

You can configure the extraction in `.ebextensions`:

**Example .ebextensions configuration with JSON key extraction**  

```
option_settings:
  aws:elasticbeanstalk:application:environmentsecrets:
    STRING_VAR: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12:stringKey
    NUMBER_VAR: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12:numberKey
    OBJECT_VAR: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12:objectKey
    ARRAY_VAR: arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12:arrayKey
```

This results in the following environment variables:
+ `STRING_VAR=value1`
+ `NUMBER_VAR=42`
+ `OBJECT_VAR={"nested":"data"}`
+ `ARRAY_VAR=["item1","item2"]`
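
The following Python sketch models the reference syntax and limitations described in this section so that references can be checked before deployment. It is an added example, not Elastic Beanstalk's own code. The function names are hypothetical, and two behaviors are assumptions because this page does not specify them: a missing key raises an error, and booleans and `null` are serialized as JSON.

```python
import json

# Sample secret, ARN and option settings copied from the example on this page.
SECRET_STRING = ('{"stringKey": "value1", "numberKey": 42, '
                 '"objectKey": {"nested": "data"}, "arrayKey": ["item1", "item2"]}')
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12"
PAGE_SETTINGS = {
    "STRING_VAR": SECRET_ARN + ":stringKey",
    "NUMBER_VAR": SECRET_ARN + ":numberKey",
    "OBJECT_VAR": SECRET_ARN + ":objectKey",
    "ARRAY_VAR": SECRET_ARN + ":arrayKey",
}


def split_reference(value):
    """Split an environmentsecrets value into (secret_arn, json_key or None)."""
    parts = value.split(":")
    if (len(parts) < 7 or parts[0] != "arn"
            or parts[2] != "secretsmanager" or parts[5] != "secret"):
        raise ValueError("not a Secrets Manager secret ARN: " + value)
    # The 8th field is the JSON key. Anything after a further colon is ignored,
    # because colons are reserved as delimiters in the ARN syntax.
    key = parts[7] if len(parts) > 7 and parts[7] else None
    return ":".join(parts[:7]), key


def extract_env_value(secret_string, json_key):
    """Return the environment variable value for a whole secret or one top-level key."""
    if json_key is None:
        return secret_string
    document = json.loads(secret_string)
    if not isinstance(document, dict):
        raise ValueError("secret is not a JSON object")
    if json_key not in document:
        raise KeyError(json_key)  # assumption: the page does not describe this case
    value = document[json_key]
    if isinstance(value, str):
        return value
    # Numbers, nested objects and arrays are serialized back to compact JSON.
    return json.dumps(value, separators=(",", ":"))


def lint_reference(value):
    """Return warnings for references that hit a documented limitation."""
    parts = value.split(":")
    if len(parts) > 2 and parts[2] == "ssm":
        if len(parts) > 6:
            return ["JSON key extraction is not supported for Parameter Store parameters"]
        return []
    _, key = split_reference(value)
    warnings = []
    if len(parts) > 8:
        warnings.append("text after the colon in the key is ignored; key used is %r" % key)
    if key and ("." in key or "[" in key):
        warnings.append("%r looks like nested access; only top-level keys are supported" % key)
    return warnings


def resolve(option_settings, secret_string):
    """Compute the environment variables that a set of references would produce."""
    return {name: extract_env_value(secret_string, split_reference(ref)[1])
            for name, ref in option_settings.items()}


if __name__ == "__main__":
    for name, value in resolve(PAGE_SETTINGS, SECRET_STRING).items():
        print(name + "=" + value)
    print(lint_reference(SECRET_ARN + ":objectKey.nested"))
```
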

## Best practices for secrets synchronization with Elastic Beanstalk environment variables
<a name="AWSHowTo.secrets.rotating-secrets"></a>

This topic recommends best practices for your application to use environment secrets with Secrets Manager or the Systems Manager Parameter Store. Your Elastic Beanstalk application won't automatically receive updated values if the secret store data is updated or rotated. Elastic Beanstalk only pulls secrets into environment variables at the time of instance bootstrapping. 

### Refreshing your environment variables
<a name="AWSHowTo.secrets.rotating-secrets.refresh-env-vars"></a>

To trigger your Elastic Beanstalk environment to refetch the latest values of the secrets from their secret stores, we recommend that you run either the `UpdateEnvironment` or `RestartAppServer` operation. You can run these operations using the Elastic Beanstalk console, the AWS CLI, or the Elastic Beanstalk API. For more information, see [https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html](https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html), or the [AWS Elastic Beanstalk API Reference](https://docs.aws.amazon.com/elasticbeanstalk/latest/api/).

### Managing auto scaling effects on secret synchronization
<a name="AWSHowTo.secrets.rotating-secrets.as-effects"></a>

If a scale out event or instance replacement occurs after the secret store updates, the new instance that comes up will have the latest secret values from Secrets Manager or Systems Manager Parameter Store. Such an event can occur even if not all the other instances in the environment have been refreshed to retrieve the new secrets. 

**Important**  
You must ensure that your application is able to use two different secret values for the same environment variable. This accommodates events where a secret update occurs in Secrets Manager or Systems Manager Parameter Store, followed by a scale out or instance replacement in your environment, while the other instances are pending environment variable refresh. During the wait period for refresh, not all of the environment instances will have the same values for the secret store environment variables.

An example of such a use case is a database credential rotation. When a scale out event follows the credential rotation, the environment secrets referenced by the newly bootstrapped instances contain the updated database credentials. However, the environment secrets referenced by the existing instances retain the old value until they are refreshed by the `UpdateEnvironment` or `RestartAppServer` operations.
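
To shorten the window in which instances hold different values, the refresh can be automated after a rotation. The following Python sketch is an added example, not part of the Elastic Beanstalk tooling: it finds every environment whose `environmentsecrets` options reference a rotated ARN and calls `RestartAppServer` on those that are ready. `refresh_after_rotation` and `FakeEB` are hypothetical names, `FakeEB` is a constructed stand-in for `boto3.client("elasticbeanstalk")` so the example runs offline, and the sketch assumes that the configured option values are returned as ARNs and that the environment list fits in one response page.

```python
ENV_SECRETS_NS = "aws:elasticbeanstalk:application:environmentsecrets"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12"


def references(eb, env, rotated_arn):
    """True if the environment has an environmentsecrets option pointing at rotated_arn."""
    settings = eb.describe_configuration_settings(
        ApplicationName=env["ApplicationName"],
        EnvironmentName=env["EnvironmentName"],
    )["ConfigurationSettings"][0]["OptionSettings"]
    for option in settings:
        if option.get("Namespace") != ENV_SECRETS_NS:
            continue
        # Compare on the resource ARN only: drop any ":json-key" suffix.
        if ":".join(option.get("Value", "").split(":")[:7]) == rotated_arn:
            return True
    return False


def refresh_after_rotation(eb, rotated_arn):
    """Restart app servers in every Ready environment that references rotated_arn."""
    result = {"restarted": [], "skipped": []}
    for env in eb.describe_environments(IncludeDeleted=False)["Environments"]:
        if not references(eb, env, rotated_arn):
            continue
        name = env["EnvironmentName"]
        if env.get("Status") != "Ready":
            # An environment that is mid-update keeps the old value; retry it later.
            result["skipped"].append(name)
            continue
        eb.restart_app_server(EnvironmentName=name)
        result["restarted"].append(name)
    return result


class FakeEB:
    """Constructed stand-in for the Elastic Beanstalk client (offline demonstration)."""

    def __init__(self, envs):
        self.envs = envs  # name -> (status, {option_name: value})
        self.restarted = []

    def describe_environments(self, **kwargs):
        return {"Environments": [
            {"EnvironmentName": name, "ApplicationName": "my-app", "Status": status}
            for name, (status, _) in self.envs.items()]}

    def describe_configuration_settings(self, ApplicationName, EnvironmentName):
        options = self.envs[EnvironmentName][1]
        return {"ConfigurationSettings": [{"OptionSettings": [
            {"Namespace": ENV_SECRETS_NS, "OptionName": key, "Value": value}
            for key, value in options.items()]}]}

    def restart_app_server(self, EnvironmentName):
        self.restarted.append(EnvironmentName)


def demo_client():
    """Constructed fleet: one ready consumer, one mid-update consumer, one unrelated."""
    return FakeEB({
        "my-env": ("Ready", {"MY_SECRET": SECRET_ARN + ":password"}),
        "batch-env": ("Updating", {"DB": SECRET_ARN}),
        "other-env": ("Ready", {
            "MY_PARAMETER": "arn:aws:ssm:us-east-1:111122223333:parameter/myparam"}),
    })


if __name__ == "__main__":
    print(refresh_after_rotation(demo_client(), SECRET_ARN))
```
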

## Multiline values in Amazon Linux 2 environment variables
<a name="AWSHowTo.secrets.multiline"></a>

*Multiline* values are composed of more than one line and include a newline character. With the exception of Docker and ECS-based Docker platforms, platforms that run on Amazon Linux 2 don't support multiline values for environment variables.

**Note**  
Elastic Beanstalk will fail the deployment of affected environments if it detects a multiline value.



The following options can serve as workarounds or solutions to the multiline issue:
+ Upgrade your Amazon Linux 2 environment to Amazon Linux 2023. For more information, see [Migration from Amazon Linux 2 to Amazon Linux 2023](using-features.migration-al.generic.from-al2.md).
+ Remove newline characters from your secret values. One example approach is to Base64 encode your values before storing them in the secret store. Your application would then need to decode the value back into the original format when it references it from the environment secret variable.
+ Design your application code to retrieve the data directly from Secrets Manager or Systems Manager Parameter Store. For more information, see *Retrieving secrets* in [Using Secrets Manager](AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store.md#AWSHowTo.secrets.Secrets-Manager) or *Retrieving parameters* in [Using Systems Manager Parameter Store](AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store.md#AWSHowTo.secrets.SSM-parmameter-store).

# Required IAM permissions for Elastic Beanstalk to access secrets and parameters
<a name="AWSHowTo.secrets.IAM-permissions"></a>

You must grant the necessary permissions to your environment’s EC2 instances to fetch the secrets and parameters for AWS Secrets Manager and AWS Systems Manager Parameter Store. Permissions are provided to the EC2 instances via an EC2 [instance profile role](iam-instanceprofile.md).

The following sections list the specific permissions that you need to add to an EC2 instance profile, depending on which service you use. Follow the steps provided in [Update the permissions policy for a role](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_update-role-permissions.html) in the *IAM User Guide* to add these permissions.

**IAM permissions for the ECS managed Docker platform**  
The ECS managed Docker platform requires additional IAM permissions to the ones provided in this topic. For more information about all of the required permissions for your ECS managed Docker platform environment to support Elastic Beanstalk environment variables integration with secrets, see [Execution Role ARN format](create_deploy_docker_v2config.md#create_deploy_docker_v2config_executionRoleArn_format). 

**Topics**
+ [Required IAM permissions for Secrets Manager](#AWSHowTo.secrets.IAM-permissions.secrets-manager)
+ [Required IAM permissions for Systems Manager Parameter Store](#AWSHowTo.secrets.IAM-permissions.ssm-paramter-store)

## Required IAM permissions for Secrets Manager
<a name="AWSHowTo.secrets.IAM-permissions.secrets-manager"></a>

The following permissions grant access to fetch encrypted secrets from the AWS Secrets Manager store:
+ secretsmanager:GetSecretValue
+ kms:Decrypt

The permission to decrypt an AWS KMS key is only required if your secret uses a customer managed key instead of the default key. The addition of your custom key ARN adds the permission to decrypt the customer managed key. 

**Example policy with Secrets Manager and KMS key permissions**    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-secret",
                "arn:aws:kms:us-east-1:111122223333:key/my-key"
            ]
        }
    ]
}
```

## Required IAM permissions for Systems Manager Parameter Store
<a name="AWSHowTo.secrets.IAM-permissions.ssm-paramter-store"></a>

The following permissions grant access to fetch encrypted parameters from the AWS Systems Manager Parameter Store:
+ ssm:GetParameter
+ kms:Decrypt 

The permission to decrypt an AWS KMS key is only required for `SecureString` parameter types that use a customer managed key instead of a default key. The addition of your custom key ARN adds the permission to decrypt the customer managed key. The regular parameter types that aren't encrypted, `String` and `StringList`, don’t need an AWS KMS key.

**Example policy with Systems Manager and AWS KMS key permissions**    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:111122223333:parameter/my-parameter",
                "arn:aws:kms:us-east-1:111122223333:key/my-key"
            ]
        }
    ]
}
```
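
The permissions in this topic can be derived from the same ARNs that the environment variables reference. The following Python sketch is an added example, not AWS tooling: it builds an instance profile policy scoped to exactly those resources and checks an existing policy against them. The function names are hypothetical, `DB_PASSWORD` and `LOOSE_POLICY` are constructed, and the audit is simplified (it ignores `Deny` statements, conditions, `NotAction` and `NotResource`).

```python
from fnmatch import fnmatchcase

ACTIONS = {"secretsmanager": "secretsmanager:GetSecretValue", "ssm": "ssm:GetParameter"}

# References in the style of this page's examples; DB_PASSWORD is constructed.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret-AbCd12"
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/myparam"
ENV_SECRETS = {
    "MY_SECRET": SECRET_ARN,
    "DB_PASSWORD": SECRET_ARN + ":password",
    "MY_PARAMETER": PARAM_ARN,
}
# Constructed policy: the secret's 6-character suffix is missing, and
# parameters are granted by wildcard instead of by name.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:mysecret"},
    {"Effect": "Allow", "Action": ["ssm:GetParameter"],
     "Resource": ["arn:aws:ssm:us-east-1:111122223333:parameter/*"]},
]}


def required_resources(env_secrets):
    """Map each needed action to the set of resource ARNs the references point at."""
    needed = {action: set() for action in ACTIONS.values()}
    for name, ref in env_secrets.items():
        parts = ref.split(":")
        service = parts[2] if len(parts) > 5 and parts[0] == "arn" else None
        if service == "secretsmanager" and len(parts) >= 7:
            # Drop any ":json-key" suffix: IAM authorizes the secret, not the key.
            needed[ACTIONS[service]].add(":".join(parts[:7]))
        elif service == "ssm":
            needed[ACTIONS[service]].add(":".join(parts[:6]))
        else:
            raise ValueError(f"{name}: unsupported reference {ref!r}")
    return needed


def build_policy(env_secrets, kms_key_arns=()):
    """Build a policy that allows only the configured secrets and parameters."""
    statements = []
    for action, arns in required_resources(env_secrets).items():
        if arns:
            statements.append({"Effect": "Allow", "Action": action, "Resource": sorted(arns)})
    # kms:Decrypt is needed only when a customer managed key encrypts the data.
    if kms_key_arns:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt",
                           "Resource": sorted(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy, env_secrets):
    """Report wildcard grants and configured ARNs that no Allow statement covers."""
    findings = []
    allows = [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    for action, arns in required_resources(env_secrets).items():
        patterns = [resource for s in allows
                    if any(fnmatchcase(action.lower(), a.lower())
                           for a in _as_list(s.get("Action", [])))
                    for resource in _as_list(s.get("Resource", []))]
        findings += [f"{action}: wildcard resource {p}" for p in patterns if "*" in p]
        # An uncovered ARN is a likely cause of a failed secret fetch at deployment.
        findings += [f"{action}: no statement covers {arn}" for arn in sorted(arns)
                     if not any(fnmatchcase(arn, p) for p in patterns)]
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(build_policy(ENV_SECRETS), indent=4))
    print(audit_policy(LOOSE_POLICY, ENV_SECRETS))
```
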

# Using AWS Secrets Manager and AWS Systems Manager Parameter Store
<a name="AWSHowTo.secrets.Secrets-Manager-and-Parameter-Store"></a>

This topic provides a brief introduction of AWS Secrets Manager and AWS Systems Manager Parameter Store, pricing information, and references to learn more about creating and retrieving secrets, using both the console and programmatic options.

**About Secrets Manager**  
AWS Secrets Manager helps you manage, retrieve, and rotate secrets throughout their lifecycles. Examples of secret data you can manage include database credentials, application credentials, OAuth tokens, and API keys. Secrets Manager enables you to configure an automatic rotation schedule for your secrets.

**About Systems Manager Parameter Store**  
Parameter Store is a tool in AWS Systems Manager. It provides secure, hierarchical storage for configuration data management and secrets management. You can manage important configuration data as parameter values. Examples of data that you can manage with Parameter Store include Amazon Machine Image (AMI) IDs, license codes, passwords, and database strings.

**Pricing**  
Standard charges apply for using Secrets Manager and Systems Manager Parameter Store. For more information about pricing, see the following websites:
+ [AWS Secrets Manager pricing](https://aws.amazon.com/secrets-manager/pricing)
+ [AWS Systems Manager pricing](https://aws.amazon.com/systems-manager/pricing/) (select *Parameter Store* from the content list)

**Topics**
+ [Using Secrets Manager to create and retrieve secrets](#AWSHowTo.secrets.Secrets-Manager)
+ [Using Systems Manager Parameter Store to create and retrieve parameters](#AWSHowTo.secrets.SSM-parmameter-store)

## Using Secrets Manager to create and retrieve secrets
<a name="AWSHowTo.secrets.Secrets-Manager"></a>

You can create and retrieve Secrets Manager secrets using the AWS Secrets Manager console, the AWS CLI, or the AWS SDK. Refer to the following resources to learn more about different methods to create and retrieve Secrets Manager secrets.

**Creating secrets**
+ Console – [Create an AWS Secrets Manager secret (console)](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html) in the *AWS Secrets Manager User Guide* 
+ AWS CLI – [AWS CLI](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html#create_secret_cli) in the *AWS Secrets Manager User Guide*
+ AWS SDK – [AWS SDK](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html#create_secret_sdk) in the *AWS Secrets Manager User Guide* 

**Retrieving secrets**
+ Console – [Get a secret value (console)](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets-console.html) in the *AWS Secrets Manager User Guide*
+ AWS CLI – [Get a secret value (AWS CLI)](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cli.html) in the *AWS Secrets Manager User Guide*
+ AWS SDK – [Code examples for Secrets Manager using AWS SDKs](https://docs.aws.amazon.com/code-library/latest/ug/secrets-manager_code_examples.html) in the *AWS SDK Code Examples Code Library*
+ Other methods – [Get secrets from AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) in the *AWS Secrets Manager User Guide* 

For more information about AWS Secrets Manager, see [What is AWS Secrets Manager?](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) in the *AWS Secrets Manager User Guide*.

## Using Systems Manager Parameter Store to create and retrieve parameters
<a name="AWSHowTo.secrets.SSM-parmameter-store"></a>

You can create and retrieve Parameter Store parameters using the AWS Systems Manager console, the AWS CLI, or the AWS SDK. Refer to the following resources to learn more about different methods to create and retrieve Parameter Store parameters.

**Creating parameters**
+ Console – [Create a Systems Manager parameter (console)](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html) in the *AWS Systems Manager User Guide*
+ AWS CLI – [Create a Systems Manager parameter (AWS CLI)](https://docs.aws.amazon.com/systems-manager/latest/userguide/param-create-cli.html) in the *AWS Systems Manager User Guide*
+ AWS SDK – [Use PutParameter with an AWS SDK or AWS CLI](https://docs.aws.amazon.com/code-library/latest/ug/ssm_example_ssm_PutParameter_section.html) in the *AWS SDK Code Examples Code Library*

**Retrieving parameters**
+ Console – [Searching for a parameter (console)](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-search.html#parameter-search-console) in the *AWS Systems Manager User Guide*
+ AWS CLI – [Use GetParameter with an AWS SDK or AWS CLI](https://docs.aws.amazon.com/code-library/latest/ug/ssm_example_ssm_GetParameter_section.html) in the *AWS SDK Code Examples Code Library*
+ AWS SDK – [Use GetParameter with an AWS SDK or AWS CLI](https://docs.aws.amazon.com/code-library/latest/ug/ssm_example_ssm_GetParameter_section.html) in the *AWS SDK Code Examples Code Library*

For more information, see [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) in the *AWS Systems Manager User Guide*.

# Troubleshooting secrets integration with Elastic Beanstalk environment variables
<a name="AWSHowTo.secrets.troubleshoot"></a>

**Try Amazon Q Developer CLI for AI-assisted troubleshooting**  
Amazon Q Developer CLI can help you troubleshoot environment issues quickly. The Q CLI provides solutions by checking environment status, reviewing events, analyzing logs, and asking clarifying questions. For more information and detailed walkthroughs, see [Troubleshooting Elastic Beanstalk Environments with Amazon Q Developer CLI](https://aws.amazon.com/blogs/devops/troubleshooting-elastic-beanstalk-environments-with-amazon-q-developer-cli/) in the AWS blogs.

This section provides guidance for troubleshooting issues with secrets in your Elastic Beanstalk environment.

**Event:** *Instance deployment failed to get one or more secrets*

This message indicates that Elastic Beanstalk was not able to fetch one or more of the secrets specified during your application deployment.
+ Check that the resources specified by the ARN values in your environment variable configuration exist. 
+ Confirm that your Elastic Beanstalk EC2 instance profile role has the [required IAM permissions](AWSHowTo.secrets.IAM-permissions.md#AWSHowTo.secrets.IAM-permissions.secrets-manager) to access the resources. 
+ If this event was triggered through the `RestartAppServer` operation, once the issue is fixed, retry the `RestartAppServer` call to resolve the issue. 
+ If the event was triggered through an `UpdateEnvironment` call, retry the `UpdateEnvironment` operation. 

For examples of these commands, see [https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html](https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html). For more information about the API actions for these operations, see the *[AWS Elastic Beanstalk API Reference](https://docs.aws.amazon.com/elasticbeanstalk/latest/api/)*.

**Event:** *Instance deployment detected one or more multiline environment values, which are not supported for this platform*

Multiline variables are not supported for Amazon Linux 2 platforms, excluding Docker and ECS managed Docker platforms. For available options to proceed, see [Multiline values](AWSHowTo.secrets.env-vars.md#AWSHowTo.secrets.multiline).

**Event:** *CreateEnvironment fails when a secret is specified*

When `CreateEnvironment` fails and you have secrets as environment variables, you need to address the underlying issue and then use `UpdateEnvironment` to complete the environment setup. Do not use `RestartAppServer`, as it will not be sufficient to bring the environment up in this situation. For examples of these commands, see [https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html](https://docs.aws.amazon.com//cli/latest/userguide/cli_elastic-beanstalk_code_examples.html). For more information about the API actions for these operations, see the *[AWS Elastic Beanstalk API Reference](https://docs.aws.amazon.com/elasticbeanstalk/latest/api/)*.