New260+ blocks and 240+ tools are now fully documented
DocumentationReferenceTool IntegrationsSecurity & Identity
Tool

AWS Secrets Manager Tools

Get, list, and create secrets in AWS Secrets Manager.

The AWS Secrets Manager provider lets a workflow retrieve secret values, list stored secrets, and create new secrets in AWS Secrets Manager. Use these tools when a workflow needs to pull credentials, API keys, or other sensitive values at runtime, or to provision new secrets as part of an automation.

Overview

PropertyValue
Providersecrets-manager
Categorytools
AuthAWS SigV4 (AWS access key ID + secret access key)

Operations

OperationTool IDDescription
Get secret valuesecrets_manager_get_secret_valueRetrieve the value of a secret from AWS Secrets Manager.
List secretssecrets_manager_list_secretsList the secrets stored in AWS Secrets Manager.
Create secretsecrets_manager_create_secretCreate a new secret in AWS Secrets Manager.

All three operations call the AWS Secrets Manager JSON API at https://secretsmanager.{awsRegion}.amazonaws.com/ over HTTP POST, signed with AWS Signature Version 4 (the X-Amz-Target header selects the specific action: secretsmanager.GetSecretValue, secretsmanager.ListSecrets, or secretsmanager.CreateSecret).

Configuration

Every operation requires the three AWS credential parameters below. They are user-only (supplied by the workflow author, never by the LLM) and the access keys are treated as secrets.

ParameterTypeRequiredDescription
awsRegionstringYesAWS region (e.g. us-east-1). Selects the regional Secrets Manager endpoint.
awsAccessKeyIdstringYesAWS access key ID. Secret — provide via an environment variable.
awsSecretAccessKeystringYesAWS secret access key. Secret — provide via an environment variable.

secrets_manager_get_secret_value

ParameterTypeRequiredDescription
awsRegionstringYesAWS region (e.g. us-east-1).
awsAccessKeyIdstringYesAWS access key ID. Secret.
awsSecretAccessKeystringYesAWS secret access key. Secret.
secretIdstringYesThe ARN or name of the secret to retrieve.

secrets_manager_list_secrets

ParameterTypeRequiredDescription
awsRegionstringYesAWS region (e.g. us-east-1).
awsAccessKeyIdstringYesAWS access key ID. Secret.
awsSecretAccessKeystringYesAWS secret access key. Secret.
maxResultsnumberNoMaximum number of secrets to return (default 20).

secrets_manager_create_secret

ParameterTypeRequiredDescription
awsRegionstringYesAWS region (e.g. us-east-1).
awsAccessKeyIdstringYesAWS access key ID. Secret.
awsSecretAccessKeystringYesAWS secret access key. Secret.
namestringYesThe name of the new secret.
secretStringstringYesThe secret value to store. Sensitive.

Outputs

All three tools return a single data field containing the raw AWS Secrets Manager API response for the action.

secrets_manager_get_secret_value

  • data (json) — Secrets Manager GetSecretValue result (includes SecretString, ARN, Name, VersionId, and related fields).

secrets_manager_list_secrets

  • data (json) — Secrets Manager ListSecrets result (includes the SecretList array and an optional NextToken).

secrets_manager_create_secret

  • data (json) — Secrets Manager CreateSecret result (includes ARN, Name, and VersionId).

YAML Example

secrets_manager_1:
  type: secrets_manager
  name: "AWS Secrets Manager"
  inputs:
    operation: "secrets_manager_get_secret_value"
    secretId: "prod/myapp/db-credentials"
    awsRegion: "us-east-1"
    awsAccessKeyId: "{{AWS_ACCESS_KEY_ID}}"
    awsSecretAccessKey: "{{AWS_SECRET_ACCESS_KEY}}"
  connections:
    outgoing:
      - target: next-block-id

Tips

  • Auth is AWS SigV4, not a single API key. You must supply awsAccessKeyId, awsSecretAccessKey, and a matching awsRegion. Store the keys as environment variables (e.g. {{AWS_ACCESS_KEY_ID}}) rather than hardcoding them, and grant the IAM principal only the secretsmanager:GetSecretValue, secretsmanager:ListSecrets, and secretsmanager:CreateSecret permissions it needs.
  • secretId accepts either the secret's full ARN or its plain name; pass downstream values with double-brace references like {{secrets_manager_1.data.SecretString}}.
  • The retrieved value lives under data.SecretString (a JSON string for key/value secrets, or raw text otherwise). For list_secrets, tune maxResults to control page size — it defaults to 20 and the response may include a NextToken for pagination.