How do read a secret marked as sensitive locally

My terraform setup creates an AWS aurora instance, and I want to be able to read the password to connect to it using psql from one of my servers. Here is the relevant config:

module "hn_db" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = "~> 3.0"

  name = "hn-aurora-pg"

  engine         = "aurora-postgresql"
  engine_version = "12.4"

 # ...

output "hn_db_rds_cluster_master_password" {
  description = "The master password"
  value       = module.hn_db.this_rds_cluster_master_password
  sensitive   = false

The output doesn’t show this data:

hn_db_rds_cluster_master_password = <sensitive>

I am unable to read it via terraform console either. Other than opening the state file on S3 manually and reading the json what’s a better/easier way to read sensitive data locally?

Hi @minhajuddin,

It’s by design that sensitive values don’t appear in the UI, because that is what the concept of “sensitive” in Terraform exists to prevent.

However, since this hiding is only cosmetic in the UI, and thus the data in question is still available in the latest state snapshot, you can see the raw value by intentionally reading that output value using one of Terraform’s interfaces intended for machine consumption rather than human consumption. For example:

terraform output -json hn_db_rds_cluster_master_password

Sensitive value masking is only for the human-oriented UI and not for the machine-readable interfaces, so Terraform will show the output value in cleartext if you request it as JSON. You can also, in principle, make use of this to avoid having the password shown in clear in your logs, by writing a small script which runs terraform output -json and then parses the result and then automatically executes psql using the output values.

If you design it right, that can allow the sensitive value to flow from Terraform into the script and to psql without it ever being displayed on-screen or being recorded on your system’s clipboard. (Though if you pass the password on the command line, beware that it’ll then typically be visible to other users on the same system via the process metadata.)


Thank you for such a comprehensive answer :smiley: This is exactly what I needed.