AWS Secrets Manager Tools
Get, list, and create secrets in AWS Secrets Manager.
The AWS Secrets Manager provider lets a workflow retrieve secret values, list stored secrets, and create new secrets in AWS Secrets Manager. Use these tools when a workflow needs to pull credentials, API keys, or other sensitive values at runtime, or to provision new secrets as part of an automation.
Overview
| Property | Value |
|---|---|
| Provider | secrets-manager |
| Category | tools |
| Auth | AWS SigV4 (AWS access key ID + secret access key) |
Operations
| Operation | Tool ID | Description |
|---|---|---|
| Get secret value | secrets_manager_get_secret_value | Retrieve the value of a secret from AWS Secrets Manager. |
| List secrets | secrets_manager_list_secrets | List the secrets stored in AWS Secrets Manager. |
| Create secret | secrets_manager_create_secret | Create a new secret in AWS Secrets Manager. |
All three operations call the AWS Secrets Manager JSON API at https://secretsmanager.{awsRegion}.amazonaws.com/ over HTTP POST, signed with AWS Signature Version 4 (the X-Amz-Target header selects the specific action: secretsmanager.GetSecretValue, secretsmanager.ListSecrets, or secretsmanager.CreateSecret).
Configuration
Every operation requires the three AWS credential parameters below. They are user-only (supplied by the workflow author, never by the LLM) and the access keys are treated as secrets.
| Parameter | Type | Required | Description |
|---|---|---|---|
awsRegion | string | Yes | AWS region (e.g. us-east-1). Selects the regional Secrets Manager endpoint. |
awsAccessKeyId | string | Yes | AWS access key ID. Secret — provide via an environment variable. |
awsSecretAccessKey | string | Yes | AWS secret access key. Secret — provide via an environment variable. |
secrets_manager_get_secret_value
| Parameter | Type | Required | Description |
|---|---|---|---|
awsRegion | string | Yes | AWS region (e.g. us-east-1). |
awsAccessKeyId | string | Yes | AWS access key ID. Secret. |
awsSecretAccessKey | string | Yes | AWS secret access key. Secret. |
secretId | string | Yes | The ARN or name of the secret to retrieve. |
secrets_manager_list_secrets
| Parameter | Type | Required | Description |
|---|---|---|---|
awsRegion | string | Yes | AWS region (e.g. us-east-1). |
awsAccessKeyId | string | Yes | AWS access key ID. Secret. |
awsSecretAccessKey | string | Yes | AWS secret access key. Secret. |
maxResults | number | No | Maximum number of secrets to return (default 20). |
secrets_manager_create_secret
| Parameter | Type | Required | Description |
|---|---|---|---|
awsRegion | string | Yes | AWS region (e.g. us-east-1). |
awsAccessKeyId | string | Yes | AWS access key ID. Secret. |
awsSecretAccessKey | string | Yes | AWS secret access key. Secret. |
name | string | Yes | The name of the new secret. |
secretString | string | Yes | The secret value to store. Sensitive. |
Outputs
All three tools return a single data field containing the raw AWS Secrets Manager API response for the action.
secrets_manager_get_secret_value
data(json) — Secrets ManagerGetSecretValueresult (includesSecretString,ARN,Name,VersionId, and related fields).
secrets_manager_list_secrets
data(json) — Secrets ManagerListSecretsresult (includes theSecretListarray and an optionalNextToken).
secrets_manager_create_secret
data(json) — Secrets ManagerCreateSecretresult (includesARN,Name, andVersionId).
YAML Example
secrets_manager_1:
type: secrets_manager
name: "AWS Secrets Manager"
inputs:
operation: "secrets_manager_get_secret_value"
secretId: "prod/myapp/db-credentials"
awsRegion: "us-east-1"
awsAccessKeyId: "{{AWS_ACCESS_KEY_ID}}"
awsSecretAccessKey: "{{AWS_SECRET_ACCESS_KEY}}"
connections:
outgoing:
- target: next-block-idTips
- Auth is AWS SigV4, not a single API key. You must supply
awsAccessKeyId,awsSecretAccessKey, and a matchingawsRegion. Store the keys as environment variables (e.g.{{AWS_ACCESS_KEY_ID}}) rather than hardcoding them, and grant the IAM principal only thesecretsmanager:GetSecretValue,secretsmanager:ListSecrets, andsecretsmanager:CreateSecretpermissions it needs. secretIdaccepts either the secret's full ARN or its plain name; pass downstream values with double-brace references like{{secrets_manager_1.data.SecretString}}.- The retrieved value lives under
data.SecretString(a JSON string for key/value secrets, or raw text otherwise). Forlist_secrets, tunemaxResultsto control page size — it defaults to20and the response may include aNextTokenfor pagination.