# Conversion between AWS Secrets Manager and Kubernetes Secrets

### Kubernetes Secret to AWS Secrets Manager

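AWS Secrets Manager expects secret values in decoded form. The values under `.data` in a Kubernetes Secret are base64-encoded, so they have to be decoded first. We can use `jq` to do this for us.

Once the secrets are decoded, we can pass the resulting key-value pairs to the AWS CLI to create a Secrets Manager secret. The intermediate `secret.json` holds the values in plaintext, so delete it once the secret has been created.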

```bash
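# Decode every base64 value under .data and write a flat JSON object.
kubectl get secret app-config -o jsonpath='{.data}' | jq -r 'reduce to_entries[] as {$key, $value} (null; .[$key] = ($value|@base64d))' > secret.json

# Create the Secrets Manager secret from the decoded JSON.
aws secretsmanager create-secret --name app-config --secret-string file://secret.json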
```

### AWS Secrets Manager to Kubernetes Secret

The AWS CLI can fetch decoded secrets from Secrets Manager. However, `kubectl` requires the secrets to be in `env` format if there are plenty of them. Once again, we can use `jq` to map them into `env`-style `KEY=VALUE` lines, and this `env` file can then be used to create the Kubernetes Secret. Like any file holding decoded secrets, `secret.env` should be removed afterwards.

```bash
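# Parse SecretString as JSON and print one KEY=VALUE line per entry.
aws secretsmanager get-secret-value --secret-id app-config | jq -r '.SecretString | fromjson | to_entries[] | "\(.key)=\(.value)"' > secret.env

# Create the Kubernetes Secret from the env file.
kubectl create secret generic app-config --from-env-file=secret.env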
```
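Both conversions above assume every value is single-line text. The following Python sketch is an added example, not part of the original page: it performs the same two transformations on constructed sample data and rejects the cases a JSON string or a line-oriented env file cannot represent. The function names and sample keys are hypothetical.

```python
import base64
import json


def k8s_data_to_secret_string(data: dict) -> str:
    """Decode a Kubernetes Secret `.data` map into a JSON SecretString."""
    decoded = {}
    for key, b64_value in data.items():
        raw = base64.b64decode(b64_value, validate=True)
        try:
            decoded[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Binary payloads (keystores, DER certs) do not fit in a JSON string.
            raise ValueError(f"{key}: value is not UTF-8 text") from None
    return json.dumps(decoded, sort_keys=True)


def secret_string_to_env(secret_string: str) -> str:
    """Render a JSON SecretString as KEY=VALUE lines for --from-env-file."""
    try:
        pairs = json.loads(secret_string)
    except json.JSONDecodeError:
        raise ValueError("SecretString is not JSON") from None
    if not isinstance(pairs, dict):
        raise ValueError("SecretString is not a JSON object")
    lines = []
    for key, value in pairs.items():
        if not isinstance(value, str):
            raise ValueError(f"{key}: value is not a string")
        # One line per entry: a newline would split the value across entries,
        # and '=' in the key would move the key/value boundary.
        if "\n" in value or "\r" in value:
            raise ValueError(f"{key}: multi-line value cannot go in an env file")
        if not key or "=" in key or "\n" in key or key.lstrip().startswith("#"):
            raise ValueError(f"{key!r}: key cannot go in an env file")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


# Constructed sample data (not real credentials).
SAMPLE_DATA = {
    "DB_USER": base64.b64encode(b"app").decode(),
    "DB_PASS": base64.b64encode(b"p@ss=word").decode(),
}

if __name__ == "__main__":
    secret_string = k8s_data_to_secret_string(SAMPLE_DATA)
    print(secret_string)                                 # JSON for --secret-string
    print(secret_string_to_env(secret_string), end="")   # lines for --from-env-file
```

Values that fail these checks, such as PEM keys or binary keystores, need a different route than an env file or a JSON string.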
