secret_tags
Expands all tag keys and values for secrets in a region
Overview
Name | secret_tags |
Type | Resource |
Description | Creates a new secret. A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. For RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html). To retrieve a secret in a CloudFormation template, use a *dynamic reference*. For more information, see [Retrieve a secret in an AWS CloudFormation resource](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html). A common scenario is to first create a secret with GenerateSecretString, which generates a password, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the example *Creating a Redshift cluster and a secret for the admin credentials*. For information about creating a secret in the console, see [Create a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html). For information about creating a secret using the CLI or SDK, see [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html). For information about retrieving a secret in code, see [Retrieve secrets from Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html). |
Id | aws.secretsmanager.secret_tags |
Fields
Name | Datatype | Description |
---|---|---|
description | string | The description of the secret. |
kms_key_id | string | The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by alias/, for example alias/aws/secretsmanager. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html). To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't use aws/secretsmanager to encrypt the secret, and you must create and use a customer managed KMS key. |
secret_string | string | The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use GenerateSecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created. |
generate_secret_string | object | A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use SecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. |
replica_regions | array | A custom type that specifies a Region and the KmsKeyId for a replica secret. |
id | string | |
name | string | The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. |
tag_key | string | Tag key. |
tag_value | string | Tag value. |
region | string | AWS region. |
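
The naming rule in the name field description, as an added example (not StackQL or AWS code): a Python check that can be run over the name column returned by a secret_tags query. The function names and the sample rows are constructed for illustration.

```python
import re

# Name field rule: ASCII letters, digits and the characters /_+=.@-
ALLOWED = r"A-Za-z0-9/_+=.@-"
ALLOWED_NAME = re.compile(rf"[{ALLOWED}]+")
# Trailing hyphen plus six characters: the same shape as the suffix
# Secrets Manager appends to the name at the end of the ARN.
SUFFIX_LIKE = re.compile(r"-.{6}\Z", re.DOTALL)


def lint_secret_name(name):
    """Return a list of findings for one secret name (empty list = clean)."""
    if not name:
        return ["empty name"]
    findings = []
    if not ALLOWED_NAME.fullmatch(name):
        bad = "".join(sorted(set(re.sub(rf"[{ALLOWED}]", "", name))))
        findings.append(f"disallowed characters: {bad!r}")
    if SUFFIX_LIKE.search(name):
        findings.append("ends with a hyphen and six characters; "
                        "ambiguous when searching by partial ARN")
    return findings


def lint_rows(rows):
    """Lint each distinct name in secret_tags rows.

    secret_tags yields one row per tag, so a secret with several tags
    appears several times; every name is checked once.
    """
    report = {}
    for name in sorted({row.get("name") or "" for row in rows}):
        findings = lint_secret_name(name)
        if findings:
            report[name] = findings
    return report


# Constructed sample rows (name, tag_key, tag_value only), not real output.
ROWS = [
    {"name": "prod/app/db-password", "tag_key": "Owner", "tag_value": "payments"},
    {"name": "prod/app/db-password", "tag_key": "Env", "tag_value": "prod"},
    {"name": "prod/api-secret", "tag_key": "Owner", "tag_value": "platform"},
    {"name": "staging key#1", "tag_key": "Env", "tag_value": "staging"},
]

if __name__ == "__main__":
    for name, findings in lint_rows(ROWS).items():
        print(name, "->", "; ".join(findings))
```
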
Methods
Name | Accessible by | Required Params |
---|---|---|
list_resources | SELECT | region |
SELECT examples
Expands tags for all secrets in a region.

```sql
SELECT
  region,
  description,
  kms_key_id,
  secret_string,
  generate_secret_string,
  replica_regions,
  id,
  name,
  tag_key,
  tag_value
FROM aws.secretsmanager.secret_tags
WHERE region = 'us-east-1';
```
Permissions
For permissions required to operate on the secret_tags resource, see secrets