Skip to main content

secret_tags

Expands all tag keys and values for secrets in a region

Overview

Namesecret_tags
TypeResource
DescriptionCreates a new secret. A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager.
For RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html).
To retrieve a secret in a CFNshort template, use a *dynamic reference*. For more information, see [Retrieve a secret in an resource](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html).
A common scenario is to first create a secret with GenerateSecretString, which generates a password, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the example *Creating a Redshift cluster and a secret for the admin credentials*.
For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html). For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html).
For information about retrieving a secret in code, see [Retrieve secrets from Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html).
Idaws.secretsmanager.secret_tags

Fields

NameDatatypeDescription
descriptionstringThe description of the secret.
kms_key_idstringThe ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by alias/, for example alias/aws/secretsmanager. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html).
To use a KMS key in a different account, use the key ARN or the alias ARN.
If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
If the secret is in a different AWS account from the credentials calling the API, then you can't use aws/secretsmanager to encrypt the secret, and you must create and use a customer managed KMS key.
secret_stringstringThe text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use GenerateSecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created.
generate_secret_stringobjectA structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use SecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created.
We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
replica_regionsarrayA custom type that specifies a Region and the KmsKeyId for a replica secret.
idstring
namestringThe name of the new secret.
The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-
Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
tag_keystringTag key.
tag_valuestringTag value.
regionstringAWS region.

Methods

NameAccessible byRequired Params
list_resourcesSELECTregion

SELECT examples

Expands tags for all secrets in a region.

SELECT
region,
description,
kms_key_id,
secret_string,
generate_secret_string,
replica_regions,
id,
name,
tag_key,
tag_value
FROM aws.secretsmanager.secret_tags
WHERE region = 'us-east-1';

Permissions

For permissions required to operate on the secret_tags resource, see secrets