AWS Secrets Manager Block
Get, list, and create secrets in AWS Secrets Manager
Interact with AWS Secrets Manager to retrieve secret values, list stored secrets, and create new secrets — all authenticated with AWS access key credentials using SigV4 signing. Reach for this block whenever a workflow needs to securely fetch credentials or other sensitive values stored in AWS without embedding them in the workflow configuration itself.
Overview
| Property | Value |
|---|---|
| Type | secrets_manager |
| Category | tools |
| Color | #DD344C |
When to Use
- Retrieve a database password, API key, or other sensitive value stored in AWS Secrets Manager before passing it to a downstream block.
- List all secrets in a region to audit what credentials exist or to let an agent pick a secret by name at runtime.
- Create a new secret programmatically as part of an automated provisioning or onboarding workflow.
- Replace hard-coded credentials in a workflow with dynamic lookups that respect AWS IAM rotation policies.
- Integrate secret retrieval into multi-step AI agent workflows where the agent needs to resolve credentials at execution time rather than at design time.
Configuration
Operation
Type: dropdown | Required: yes (defaults to secrets_manager_get_secret_value)
Selects which AWS Secrets Manager API action to call. Each option controls which additional fields appear.
| Label | ID |
|---|---|
| Get secret value | secrets_manager_get_secret_value |
| List secrets | secrets_manager_list_secrets |
| Create secret | secrets_manager_create_secret |
Secret ID
Type: short-input | Visible when: operation = secrets_manager_get_secret_value
The ARN or name of the secret to retrieve (e.g. arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret or simply my-secret).
Max Results
Type: short-input | Visible when: operation = secrets_manager_list_secrets
Maximum number of secrets to return. Defaults to 20 when left blank. Maps to the AWS MaxResults parameter.
Secret Name
Type: short-input | Visible when: operation = secrets_manager_create_secret
The name to assign to the new secret (e.g. my-secret).
Secret Value
Type: long-input | Visible when: operation = secrets_manager_create_secret
The plaintext or JSON string to store as the secret value.
AWS Region
Type: short-input | Required: yes
The AWS region where the Secrets Manager endpoint lives (e.g. us-east-1). Applies to all operations.
AWS Access Key ID
Type: short-input (password) | Required: yes
The AWS IAM access key ID used to sign requests with SigV4. Store the value in an environment variable and reference it as {{AWS_ACCESS_KEY_ID}}.
AWS Secret Access Key
Type: short-input (password) | Required: yes
The AWS IAM secret access key paired with the Access Key ID. Store the value in an environment variable and reference it as {{AWS_SECRET_ACCESS_KEY}}.
Inputs & Outputs
Inputs:
operation(string) — Operation to perform; one of the three tool IDs listed above.awsRegion(string) — AWS region for the Secrets Manager endpoint.awsAccessKeyId(string) — AWS access key ID for SigV4 authentication.awsSecretAccessKey(string) — AWS secret access key for SigV4 authentication.secretId(string) — Secret ARN or name (used bysecrets_manager_get_secret_value).maxResults(number) — Max number of secrets to return (used bysecrets_manager_list_secrets; default 20).name(string) — New secret name (used bysecrets_manager_create_secret).secretString(string) — New secret value (used bysecrets_manager_create_secret).
Outputs:
data(json) — The raw AWS Secrets Manager API response. Shape depends on the operation:GetSecretValue: includesSecretString,SecretBinary,ARN,Name,VersionId, etc.ListSecrets: includes aSecretListarray with metadata for each secret.CreateSecret: includesARN,Name,VersionIdof the newly created secret.
Tools
-
Secrets Manager Get Secret Value (
secrets_manager_get_secret_value) — Callssecretsmanager.GetSecretValueto retrieve the stored value of a named or ARN-identified secret. Required params:awsRegion,awsAccessKeyId,awsSecretAccessKey,secretId. -
Secrets Manager List Secrets (
secrets_manager_list_secrets) — Callssecretsmanager.ListSecretsto enumerate secrets in the region. Required params:awsRegion,awsAccessKeyId,awsSecretAccessKey. Optional:maxResults(default 20). -
Secrets Manager Create Secret (
secrets_manager_create_secret) — Callssecretsmanager.CreateSecretto store a new secret. Required params:awsRegion,awsAccessKeyId,awsSecretAccessKey,name,secretString.
All three tools sign requests using AWS SigV4 via awsJsonHeaders and POST to https://secretsmanager.<region>.amazonaws.com/.
YAML Example
secrets_manager_1:
type: secrets_manager
name: "AWS Secrets Manager"
inputs:
operation: "secrets_manager_get_secret_value"
secretId: "prod/my-app/db-password"
awsRegion: "us-east-1"
awsAccessKeyId: "{{AWS_ACCESS_KEY_ID}}"
awsSecretAccessKey: "{{AWS_SECRET_ACCESS_KEY}}"
connections:
outgoing:
- target: next-block-id