AWS Secrets Manager
Connect to AWS Secrets Manager
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. It enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
With AWS Secrets Manager, you can:
- Securely store secrets: Encrypt secrets at rest using AWS KMS encryption keys
- Retrieve secrets programmatically: Access secrets from your applications and workflows without hardcoding credentials
- Rotate secrets automatically: Configure automatic rotation for supported services like RDS, Redshift, and DocumentDB
- Audit access: Track secret access and changes through AWS CloudTrail integration
- Control access with IAM: Use fine-grained IAM policies to manage who can access which secrets
- Replicate across regions: Automatically replicate secrets to multiple AWS regions for disaster recovery
In Sim, the AWS Secrets Manager integration allows your workflows to securely retrieve credentials and configuration values at runtime, create and manage secrets as part of automation pipelines, and maintain a centralized secrets store that your agents can access. This is particularly useful for workflows that need to authenticate with external services, rotate credentials, or manage sensitive configuration across environments — all without exposing secrets in your workflow definitions.
Usage Instructions
Integrates AWS Secrets Manager into a workflow. The block can retrieve, create, update, list, and delete secrets.
Tools
secrets_manager_get_secret
Retrieve a secret value from AWS Secrets Manager
Input
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| secretId | string | Yes | The name or ARN of the secret to retrieve |
| versionId | string | No | The unique identifier of the version to retrieve |
| versionStage | string | No | The staging label of the version to retrieve (e.g., AWSCURRENT, AWSPREVIOUS) |
Output
| Parameter | Type | Description |
|---|---|---|
| name | string | Name of the secret |
| secretValue | string | The decrypted secret value |
| arn | string | ARN of the secret |
| versionId | string | Version ID of the secret |
| versionStages | array | Staging labels attached to this version |
| createdDate | string | Date the secret was created |
secrets_manager_list_secrets
List secrets stored in AWS Secrets Manager
Input
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| maxResults | number | No | Maximum number of secrets to return (1-100, default 100) |
| nextToken | string | No | Pagination token from a previous request |
Output
| Parameter | Type | Description |
|---|---|---|
| secrets | json | List of secrets with name, ARN, description, and dates |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of secrets returned |
secrets_manager_create_secret
Create a new secret in AWS Secrets Manager
Input
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| name | string | Yes | Name of the secret to create |
| secretValue | string | Yes | The secret value (plain text or JSON string) |
| description | string | No | Description of the secret |
Output
| Parameter | Type | Description |
|---|---|---|
| message | string | Operation status message |
| name | string | Name of the created secret |
| arn | string | ARN of the created secret |
| versionId | string | Version ID of the created secret |
secrets_manager_update_secret
Update the value of an existing secret in AWS Secrets Manager
Input
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| secretId | string | Yes | The name or ARN of the secret to update |
| secretValue | string | Yes | The new secret value (plain text or JSON string) |
| description | string | No | Updated description of the secret |
Output
| Parameter | Type | Description |
|---|---|---|
| message | string | Operation status message |
| name | string | Name of the updated secret |
| arn | string | ARN of the updated secret |
| versionId | string | Version ID of the updated secret |
secrets_manager_delete_secret
Delete a secret from AWS Secrets Manager
Input
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| secretId | string | Yes | The name or ARN of the secret to delete |
| recoveryWindowInDays | number | No | Number of days before permanent deletion (7-30, default 30) |
| forceDelete | boolean | No | If true, immediately delete without recovery window |
Output
| Parameter | Type | Description |
|---|---|---|
| message | string | Operation status message |
| name | string | Name of the deleted secret |
| arn | string | ARN of the deleted secret |
| deletionDate | string | Scheduled deletion date |
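The five tools above rest on a handful of Secrets Manager rules that are easy to get wrong from inside a workflow: secretId may be a name or an ARN, an update moves the AWSCURRENT label to the new version and AWSPREVIOUS to the old one, a secret scheduled for deletion cannot be read until restored, the recovery window is 7-30 days and cannot be combined with forceDelete, and list results page through nextToken. The in-memory model below is an added example, not code from Sim or the AWS SDK; it reproduces those rules offline so the input and output shapes of each tool can be exercised without credentials. The account id, fixed clock, ARN suffix generation and method names are constructed for the example, and the service's opaque pagination token is modelled as a plain offset.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed account id used only to build example ARNs; no real AWS resource is involved.
ACCOUNT_ID = "123456789012"


@dataclass
class Secret:
    name: str
    arn: str
    description: str
    created: datetime
    versions: dict = field(default_factory=dict)  # version_id -> {"value": str, "stages": [labels]}
    deletion_date: datetime = None  # set while the secret is scheduled for deletion


class SecretsStore:
    """In-memory stand-in for one region's Secrets Manager; returned dicts mirror the tool outputs."""

    def __init__(self, region="us-east-1"):
        self.region = region
        self._secrets = {}  # name -> Secret
        self._now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible dates

    def _resolve(self, secret_id):
        # secretId may be the friendly name or the full ARN; a secret pending deletion is unusable.
        for s in self._secrets.values():
            if secret_id in (s.name, s.arn):
                if s.deletion_date is not None:
                    raise ValueError(f"{s.name} is scheduled for deletion")
                return s
        raise KeyError(f"secret not found: {secret_id}")

    def create_secret(self, name, secret_value, description=""):
        if name in self._secrets:
            raise ValueError(f"secret already exists: {name}")
        arn = f"arn:aws:secretsmanager:{self.region}:{ACCOUNT_ID}:secret:{name}-{uuid.uuid4().hex[:6]}"
        vid = str(uuid.uuid4())
        self._secrets[name] = Secret(name, arn, description, self._now,
                                     {vid: {"value": secret_value, "stages": ["AWSCURRENT"]}})
        return {"message": "created", "name": name, "arn": arn, "versionId": vid}

    def update_secret(self, secret_id, secret_value, description=None):
        s = self._resolve(secret_id)
        if description is not None:
            s.description = description
        # Label rotation on a new value: the previous AWSPREVIOUS version is dropped, the previous
        # AWSCURRENT becomes AWSPREVIOUS and the new version is AWSCURRENT (custom labels not modelled).
        kept = {vid: {"value": v["value"], "stages": ["AWSPREVIOUS"]}
                for vid, v in s.versions.items() if "AWSCURRENT" in v["stages"]}
        vid = str(uuid.uuid4())
        kept[vid] = {"value": secret_value, "stages": ["AWSCURRENT"]}
        s.versions = kept
        return {"message": "updated", "name": s.name, "arn": s.arn, "versionId": vid}

    def get_secret(self, secret_id, version_id=None, version_stage=None):
        s = self._resolve(secret_id)
        if version_id is None:
            stage = version_stage or "AWSCURRENT"  # the service's default when no version is named
            match = [(vid, v) for vid, v in s.versions.items() if stage in v["stages"]]
        else:  # an explicit versionId must also carry versionStage when both are supplied
            match = [(vid, v) for vid, v in s.versions.items()
                     if vid == version_id and (version_stage is None or version_stage in v["stages"])]
        if not match:
            raise KeyError(f"no version of {s.name} matches versionId={version_id}, versionStage={version_stage}")
        vid, v = match[0]
        return {"name": s.name, "secretValue": v["value"], "arn": s.arn, "versionId": vid,
                "versionStages": list(v["stages"]), "createdDate": s.created.isoformat()}

    def list_secrets(self, max_results=100, next_token=None):
        if not 1 <= max_results <= 100:
            raise ValueError("maxResults must be between 1 and 100")
        start = int(next_token) if next_token else 0  # the real token is opaque; here it is an offset
        live = [s for s in self._secrets.values() if s.deletion_date is None]  # pending deletions hidden
        page = live[start:start + max_results]
        token = str(start + max_results) if start + max_results < len(live) else None
        return {"secrets": [{"name": s.name, "arn": s.arn, "description": s.description,
                             "createdDate": s.created.isoformat()} for s in page],
                "nextToken": token, "count": len(page)}

    def delete_secret(self, secret_id, recovery_window_in_days=None, force_delete=False):
        s = self._resolve(secret_id)
        if force_delete:
            if recovery_window_in_days is not None:
                raise ValueError("forceDelete and recoveryWindowInDays cannot be combined")
            days = 0  # no recovery window: the secret is gone immediately
        else:
            days = 30 if recovery_window_in_days is None else recovery_window_in_days
            if not 7 <= days <= 30:
                raise ValueError("recoveryWindowInDays must be between 7 and 30")
        s.deletion_date = self._now + timedelta(days=days)
        return {"message": "deleted" if days == 0 else f"scheduled for deletion in {days} days",
                "name": s.name, "arn": s.arn, "deletionDate": s.deletion_date.isoformat()}
```

A workflow that reads a secret right after rotating it should ask for AWSCURRENT (the default) and never pin a versionId it cached earlier, since that version drops to AWSPREVIOUS on the next update; likewise, leaving the recovery window at its default keeps a mistaken delete reversible, whereas forceDelete makes it final.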