Confused on accessing secrets using locals, function, user variables

If I am using HCL template, what method should I be using to access secrets from AWS Secrets Manager? I’d like to retrieve the secret and set an environment variable MY_SECRET with the value of the secret? There are multiple documents referencing examples on how to retrieve secrets but I am a bit confused on the difference between locals, function within locals and user variables.

#1)  using locals and data source


data "amazon-secretsmanager" "basic-example" {

  name = "packer_test_secret"

  key  = "packer_test_key"

  version_stage = "example"


locals {

  value         =

  secret_string =

  version_id    =

  secret_value  = jsondecode(["packer_test_key"]


# 2) using function


locals {

  secret = aws_secretsmanager("my_secret", null)


source "null" "first-example" {

  communicator = "none"


build {

  name = "my-build-name"

  sources = ["null.first-example"]

  provisioner "shell-local" {

    environment_vars = ["MY_SECRET=${local.secret}"]



# 3) using user variables



  "variables": {

    "password": "{{ aws_secretsmanager `globalpassword` }}"



Hi @terramax thanks for such a great question. We will work on updating the documentation to help make things less confusing for other folks.

In the meantime, the approach you want to take here is the datasource with a HCL2 template, as JSON templates are considered legacy and because the datasource is the preferred way to access secretsmanager in HCL2 templates.

The secretsmanager function in HCL2 (your option 2) was rewritten to work with the locals and local blocks to have parity with the JSON templates (your option 3). But the use of the aws_secretsmanager is also considered legacy with the creation of the datasource.

That said if you are using JSON templates the datassource will not work with JSON. So you will need to migrate your template over to HCL2. You can achieve this using the packer hcl2_upgrade command.

If you can not use HCL2 templates and must use JSON your third of using user variables in JSON is the only supported way in JSON.

Please let me know if this helps bring some clarity around the options you listed above.

This was helpful, thanks!