New260+ blocks and 240+ tools are now fully documented
DocumentationReferenceCore BlocksSecurity & Identity
Block

AWS Secrets Manager Block

Get, list, and create secrets in AWS Secrets Manager

Interact with AWS Secrets Manager to retrieve secret values, list stored secrets, and create new secrets — all authenticated with AWS access key credentials using SigV4 signing. Reach for this block whenever a workflow needs to securely fetch credentials or other sensitive values stored in AWS without embedding them in the workflow configuration itself.

Overview

PropertyValue
Typesecrets_manager
Categorytools
Color#DD344C

When to Use

  • Retrieve a database password, API key, or other sensitive value stored in AWS Secrets Manager before passing it to a downstream block.
  • List all secrets in a region to audit what credentials exist or to let an agent pick a secret by name at runtime.
  • Create a new secret programmatically as part of an automated provisioning or onboarding workflow.
  • Replace hard-coded credentials in a workflow with dynamic lookups that respect AWS IAM rotation policies.
  • Integrate secret retrieval into multi-step AI agent workflows where the agent needs to resolve credentials at execution time rather than at design time.

Configuration

Operation

Type: dropdown | Required: yes (defaults to secrets_manager_get_secret_value)

Selects which AWS Secrets Manager API action to call. Each option controls which additional fields appear.

LabelID
Get secret valuesecrets_manager_get_secret_value
List secretssecrets_manager_list_secrets
Create secretsecrets_manager_create_secret

Secret ID

Type: short-input | Visible when: operation = secrets_manager_get_secret_value

The ARN or name of the secret to retrieve (e.g. arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret or simply my-secret).

Max Results

Type: short-input | Visible when: operation = secrets_manager_list_secrets

Maximum number of secrets to return. Defaults to 20 when left blank. Maps to the AWS MaxResults parameter.

Secret Name

Type: short-input | Visible when: operation = secrets_manager_create_secret

The name to assign to the new secret (e.g. my-secret).

Secret Value

Type: long-input | Visible when: operation = secrets_manager_create_secret

The plaintext or JSON string to store as the secret value.

AWS Region

Type: short-input | Required: yes

The AWS region where the Secrets Manager endpoint lives (e.g. us-east-1). Applies to all operations.

AWS Access Key ID

Type: short-input (password) | Required: yes

The AWS IAM access key ID used to sign requests with SigV4. Store the value in an environment variable and reference it as {{AWS_ACCESS_KEY_ID}}.

AWS Secret Access Key

Type: short-input (password) | Required: yes

The AWS IAM secret access key paired with the Access Key ID. Store the value in an environment variable and reference it as {{AWS_SECRET_ACCESS_KEY}}.

Inputs & Outputs

Inputs:

  • operation (string) — Operation to perform; one of the three tool IDs listed above.
  • awsRegion (string) — AWS region for the Secrets Manager endpoint.
  • awsAccessKeyId (string) — AWS access key ID for SigV4 authentication.
  • awsSecretAccessKey (string) — AWS secret access key for SigV4 authentication.
  • secretId (string) — Secret ARN or name (used by secrets_manager_get_secret_value).
  • maxResults (number) — Max number of secrets to return (used by secrets_manager_list_secrets; default 20).
  • name (string) — New secret name (used by secrets_manager_create_secret).
  • secretString (string) — New secret value (used by secrets_manager_create_secret).

Outputs:

  • data (json) — The raw AWS Secrets Manager API response. Shape depends on the operation:
    • GetSecretValue: includes SecretString, SecretBinary, ARN, Name, VersionId, etc.
    • ListSecrets: includes a SecretList array with metadata for each secret.
    • CreateSecret: includes ARN, Name, VersionId of the newly created secret.

Tools

  • Secrets Manager Get Secret Value (secrets_manager_get_secret_value) — Calls secretsmanager.GetSecretValue to retrieve the stored value of a named or ARN-identified secret. Required params: awsRegion, awsAccessKeyId, awsSecretAccessKey, secretId.

  • Secrets Manager List Secrets (secrets_manager_list_secrets) — Calls secretsmanager.ListSecrets to enumerate secrets in the region. Required params: awsRegion, awsAccessKeyId, awsSecretAccessKey. Optional: maxResults (default 20).

  • Secrets Manager Create Secret (secrets_manager_create_secret) — Calls secretsmanager.CreateSecret to store a new secret. Required params: awsRegion, awsAccessKeyId, awsSecretAccessKey, name, secretString.

All three tools sign requests using AWS SigV4 via awsJsonHeaders and POST to https://secretsmanager.<region>.amazonaws.com/.

YAML Example

secrets_manager_1:
  type: secrets_manager
  name: "AWS Secrets Manager"
  inputs:
    operation: "secrets_manager_get_secret_value"
    secretId: "prod/my-app/db-password"
    awsRegion: "us-east-1"
    awsAccessKeyId: "{{AWS_ACCESS_KEY_ID}}"
    awsSecretAccessKey: "{{AWS_SECRET_ACCESS_KEY}}"
  connections:
    outgoing:
      - target: next-block-id