amazon-web-services aws-secrets-manager secret-key

Secret can't be converted into key names and value pairs


While creating a secret using Python embedded in bash, I am getting 'AWS Secret can't be converted into key names and value pairs'. I first wrote everything in bash using the AWS CLI command, where I was also getting this error, then read in one of the articles to use the json.dumps function of Python, which also doesn't work. Any ideas? Please see the code and image below.

Note:


Tried the AWS CLI as given below, with the same issue. Key pairs are entered in plaintext but not in the key/value section.

export prvpem=`cat ${keyfile}`
export csr=`cat ${csrfile}`
export config=`cat ${key_algorithm}-$line.cfn`
# echo  -e "${BLU}${prvpem}${WHT}"
aws secretsmanager create-secret --name marwahas51 \
    --description "Values for this environments wildcard certificate in ACM" \
    --secret-string "{\"Privatekey\":\"$prvpem\",\"csr\":\"$csr\",\"config\":\"$config\"}" \
    --kms-key-id "alias/SecretsMgr" \
    --tags "Key=Environment,Value=Dev"

Edit:

Scenario 1

When string is

--secret-string '{"Privatekey": "$prvpem"}'

Output is:


Scenario 2

When string is

--secret-string "{\"Privatekey\":\"$prvpem\"}" \

Output is:



Solution

  • Thank you @johnRotenstein and @kichik.

    I tried to play around with strings and escape characters, but nothing worked. When @kichik mentioned "You can't have new lines in the middle of a JSON string", I thought of encoding the key, CSR and config file to base64, which will be all alphanumeric characters, and that finally worked. When I read any of the files back, I will decode the string.

    # Encode the private key, CSR and config file to base64 so they can be stored as JSON strings in ASM
    base64_private_key=$(base64 -w0 < "${keyfile}")
    base64_csr=$(base64 -w0 < "${csrfile}")
    # Quote the variable so the config's newlines survive word splitting
    base64_config=$(printf '%s\n' "${config1}" | base64 -w0)

    # To decode a value when reading it back:
    # printf '%s' "${base64_private_key}" | base64 --decode

    # Create the secret in ASM and load the base64-encoded private key, CSR and config file
    aws secretsmanager create-secret --name "<<name of a secret>>" \
      --description "Values for this environments wildcard certificate in ACM" \
      --secret-string "{\"EncBase64Privatekey\":\"$base64_private_key\",\"EncBase64CSR\":\"$base64_csr\",\"EncBase64Config\":\"$base64_config\"}" \
      --kms-key-id "alias/SecretsMgr" \
      --tags "Key=Environment,Value=Dev"
    
     
    

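The failure and the fix discussed above, as an added Python example that is not part of the original question or answer. It goes slightly beyond the answer by also showing newline escaping with `json.dumps`. The sample PEM is a constructed placeholder, all function names are hypothetical, and `parses_as_key_value` is an assumed stand-in for the key/value conversion (the string must parse as a JSON object).

```python
import base64
import json

# Constructed placeholder, not a real key: only the multi-line PEM shape matters.
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END PRIVATE KEY-----\n"
)


def parses_as_key_value(secret_string):
    """Assumed stand-in for the key/value view: the string must be a JSON object."""
    try:
        return isinstance(json.loads(secret_string), dict)
    except json.JSONDecodeError:
        return False


def naive_secret_string(pem):
    # Same shape as the shell interpolation "{\"Privatekey\":\"$prvpem\"}":
    # the raw newlines land inside a JSON string, which JSON does not allow.
    return '{"Privatekey":"' + pem + '"}'


def escaped_secret_string(pem):
    # json.dumps escapes each newline as \n, so the result is valid JSON.
    return json.dumps({"Privatekey": pem})


def base64_secret_string(pem):
    # The approach from the answer: unwrapped base64 has no newlines or quotes.
    encoded = base64.b64encode(pem.encode("utf-8")).decode("ascii")
    return json.dumps({"EncBase64Privatekey": encoded})


def read_base64_key(secret_string):
    # Reader side: decode the field to recover the original PEM text.
    encoded = json.loads(secret_string)["EncBase64Privatekey"]
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    for build in (naive_secret_string, escaped_secret_string, base64_secret_string):
        print(build.__name__, parses_as_key_value(build(SAMPLE_PEM)))
```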