How to migrate secrets from my org to another org

Today our org has several projects from different clients, and we have started a new structure where we will deliver GitHub projects and pipelines to clients, and with this we will need to migrate the AWS account and all other tech.

My question is whether I can use CircleCI to migrate specific secrets from my org to another org?

There is no automated way to do this, unfortunately.

You can use the API to automate the creation of new contexts which store those secrets in environment variables (CircleCI API).

Yeah, you’d probably have to write a script to do this. Hopefully you’re using contexts as Sebastian mentioned; either way, it shouldn’t be crazy difficult – for example, you could do it with Python and alpinweis/pycircleci (a Python client for the CircleCI API, on GitHub) pretty easily, I think.

In a previous role, I wrote a tool that would rotate certain credentials, and sync them to Circle contexts at the same time. In a very general sense, if you have some basic facility in Python, you could do something like the following (note: this is untested and would obviously need some adjustment for your application):

import os

import pycircleci.api

# Obviously, in your situation, you'll need two orgs and, potentially
# to instantiate two different "clients"
VCS_TYPE = "github"  # Or whatever you need
ORG_NAME = "your-source-org"  # Placeholder: the org you are reading from


def get_token():
    # Placeholder implementation: reads the API token from an env var.
    return os.environ["CIRCLE_TOKEN"]


def main():
    # Define get_token() as a func that gets the token from your config and / or
    # an env var, or just use an env var directly there instead.
    client = pycircleci.api.Api(get_token())
    # See and
    # this will just get a list of repos in the current org; you could build some
    # kind of data structure that has your source / destination orgs / repos
    # instead.
    results = client.get_user_repos()
    repos = [
        result["reponame"]  # Assumes the repo name is in the "reponame" field
        for result in results
        if result["username"] == ORG_NAME and result["has_followers"]
    ]
    for repo_name in repos:
        env_vars = client.list_envvars(username=ORG_NAME, project=repo_name)
        # Do some stuff to push the values to the corresponding repo's env vars
        # using add_envvar(), or, better, copy them to a context in the other org.
        # example of code to write to a context by name:
        # contexts = client.get_contexts(username=ORG_NAME)
        # context_id = next(ctx["id"] for ctx in contexts if ctx["name"] == "wantedcontext")
        # client.add_context_envvar(context_id, key_name, value)


if __name__ == "__main__":
    main()

With regard to AWS (and other cloud platforms) specifically, if you are using static secrets like access tokens, I’d strongly recommend switching to OIDC auth at the same time (as described here), if you are not already doing so. Even if you are using static secret tokens, and can’t migrate to OIDC, it would probably be a good opportunity to rotate them when you migrate, if at all possible.
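
An added example, not part of the posts above or of pycircleci: CircleCI's API returns project environment variable values masked and context variables by name only, so the values written to the destination org have to come from your own secrets store. This sketch checks each stored value against the masked listing before planning a write; `plan_migration`, `apply_plan`, the `xxxx` plus last-four-characters mask format and all sample data are assumptions constructed for illustration.

```python
MASK_PREFIX = "xxxx"  # assumption: masked values look like "xxxx" + last 4 chars


def plan_migration(masked_listing, known_values):
    """Split source env vars into safe writes and names needing attention.

    masked_listing: [{"name": ..., "value": "xxxx1234"}, ...] from the source org.
    known_values:   {name: real_value} loaded from your own secrets store.
    """
    writes, unresolved = {}, {}
    for item in masked_listing:
        name, masked = item["name"], item.get("value", "")
        real = known_values.get(name)
        if real is None:
            unresolved[name] = "no value in secrets store; rotate or re-issue"
            continue
        suffix = masked[len(MASK_PREFIX):] if masked.startswith(MASK_PREFIX) else masked
        if suffix and not real.endswith(suffix):
            unresolved[name] = "stored value differs from what CircleCI holds"
            continue
        writes[name] = real
    return writes, unresolved


def apply_plan(writes, context_id, add_envvar):
    """Push planned values. add_envvar is injected, e.g. the thread's
    client.add_context_envvar(context_id, name, value)."""
    for name in sorted(writes):
        add_envvar(context_id, name, writes[name])
        print(f"wrote {name} to context {context_id}")  # never log the value
    return len(writes)


# Constructed sample data: a masked listing and a local secrets store.
SAMPLE_LISTING = [
    {"name": "AWS_ACCESS_KEY_ID", "value": "xxxx1234"},
    {"name": "DEPLOY_TOKEN", "value": "xxxx9f3a"},
    {"name": "LEGACY_KEY", "value": "xxxx0000"},
]
SAMPLE_STORE = {
    "AWS_ACCESS_KEY_ID": "constructed-key-id-1234",
    "DEPLOY_TOKEN": "constructed-token-77aa",  # stale copy: suffix differs
}

if __name__ == "__main__":
    planned, problems = plan_migration(SAMPLE_LISTING, SAMPLE_STORE)
    apply_plan(planned, "constructed-context-id", lambda ctx, name, value: None)
    for name, reason in sorted(problems.items()):
        print(f"skipped {name}: {reason}")
```

Anything that lands in the unresolved set is a natural candidate for the rotation suggested above, since no verified copy of the value exists outside CircleCI.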