{"id":"1d73d0fd-e392-4ddf-9dff-652fef42986b","shortId":"GnDKQc","kind":"skill","title":"secrets-manager","tagline":"AWS Secrets Manager for secure secret storage and rotation. Use when storing credentials, configuring automatic rotation, managing secret versions, retrieving secrets in applications, or integrating with RDS.","description":"# AWS Secrets Manager\n\nAWS Secrets Manager helps protect access to applications, services, and IT resources. Store, retrieve, and automatically rotate credentials, API keys, and other secrets.\n\n## Table of Contents\n\n- [Core Concepts](#core-concepts)\n- [Common Patterns](#common-patterns)\n- [CLI Reference](#cli-reference)\n- [Best Practices](#best-practices)\n- [Troubleshooting](#troubleshooting)\n- [References](#references)\n\n## Core Concepts\n\n### Secrets\n\nEncrypted data stored in Secrets Manager. Can contain:\n- Database credentials\n- API keys\n- OAuth tokens\n- Any key-value pairs (up to 64 KB)\n\n### Versions\n\nEach secret can have multiple versions:\n- **AWSCURRENT**: Current active version\n- **AWSPENDING**: Version being rotated to\n- **AWSPREVIOUS**: Previous version\n\n### Rotation\n\nAutomatic credential rotation using Lambda functions. 
Built-in support for:\n- Amazon RDS\n- Amazon Redshift\n- Amazon DocumentDB\n- Custom secrets\n\n## Common Patterns\n\n### Create a Secret\n\n**AWS CLI:**\n\n```bash\n# Create secret with JSON\naws secretsmanager create-secret \\\n  --name prod/myapp/database \\\n  --description \"Production database credentials\" \\\n  --secret-string '{\"username\":\"admin\",\"password\":\"MySecurePassword123!\",\"host\":\"mydb.cluster-xyz.us-east-1.rds.amazonaws.com\",\"port\":5432,\"database\":\"myapp\"}'\n\n# Create secret with binary data\naws secretsmanager create-secret \\\n  --name prod/myapp/certificate \\\n  --secret-binary fileb://certificate.pem\n```\n\n**boto3:**\n\n```python\nimport boto3\nimport json\n\nsecrets = boto3.client('secretsmanager')\n\nresponse = secrets.create_secret(\n    Name='prod/myapp/database',\n    Description='Production database credentials',\n    SecretString=json.dumps({\n        'username': 'admin',\n        'password': 'MySecurePassword123!',\n        'host': 'mydb.cluster-xyz.us-east-1.rds.amazonaws.com',\n        'port': 5432,\n        'database': 'myapp'\n    }),\n    Tags=[\n        {'Key': 'Environment', 'Value': 'production'},\n        {'Key': 'Application', 'Value': 'myapp'}\n    ]\n)\n```\n\n### Retrieve a Secret\n\n```python\nimport boto3\nimport json\n\nsecrets = boto3.client('secretsmanager')\n\ndef get_secret(secret_name):\n    response = secrets.get_secret_value(SecretId=secret_name)\n\n    if 'SecretString' in response:\n        return json.loads(response['SecretString'])\n    else:\n        # boto3 already base64-decodes blob fields, so SecretBinary is raw bytes\n        return response['SecretBinary']\n\n# Usage\ncredentials = get_secret('prod/myapp/database')\ndb_password = credentials['password']\n```\n\n### Caching Secrets\n\n```python\nimport json\n\nfrom aws_secretsmanager_caching import SecretCache, SecretCacheConfig\n\n# Configure cache\ncache_config = SecretCacheConfig(\n    max_cache_size=100,\n    secret_refresh_interval=3600,\n    
)\n\n# SecretCacheConfig raises AttributeError on unsupported option names\ncache = SecretCache(config=cache_config)\n\ndef get_cached_secret(secret_name):\n    secret = cache.get_secret_string(secret_name)\n    return json.loads(secret)\n```\n\n### Update a Secret\n\n```bash\n# Update secret value\naws secretsmanager update-secret \\\n  --secret-id prod/myapp/database \\\n  --secret-string '{\"username\":\"admin\",\"password\":\"NewPassword456!\"}'\n\n# Put new version with staging labels\naws secretsmanager put-secret-value \\\n  --secret-id prod/myapp/database \\\n  --secret-string '{\"username\":\"admin\",\"password\":\"NewPassword456!\"}' \\\n  --version-stages AWSCURRENT\n```\n\n### Enable Rotation for RDS\n\n```bash\naws secretsmanager rotate-secret \\\n  --secret-id prod/myapp/database \\\n  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRDSPostgreSQLRotation \\\n  --rotation-rules AutomaticallyAfterDays=30\n```\n\n### Create Secret with Rotation\n\n```bash\n# Use CloudFormation for RDS secret with rotation\naws cloudformation deploy \\\n  --template-file rds-secret.yaml \\\n  --stack-name rds-secret\n```\n\n```yaml\n# rds-secret.yaml\nAWSTemplateFormatVersion: '2010-09-09'\nResources:\n  DBSecret:\n    Type: AWS::SecretsManager::Secret\n    Properties:\n      Name: prod/myapp/database\n      GenerateSecretString:\n        SecretStringTemplate: '{\"username\": \"admin\"}'\n        GenerateStringKey: password\n        PasswordLength: 32\n        ExcludeCharacters: '\"@/\\'\n\n  DBSecretRotation:\n    Type: AWS::SecretsManager::RotationSchedule\n    Properties:\n      SecretId: !Ref DBSecret\n      # RotationLambda must be declared as a Lambda function resource in this template\n      RotationLambdaARN: !GetAtt RotationLambda.Arn\n      RotationRules:\n        AutomaticallyAfterDays: 30\n```\n\n### Use in Lambda with Extension\n\n```python\nimport json\nimport os\nimport urllib.request\n\ndef handler(event, context):\n    # Use AWS Parameters and Secrets Lambda Extension\n    secrets_port = 2773\n    secret_name = 'prod/myapp/database'\n\n    url 
= f'http://localhost:{secrets_port}/secretsmanager/get?secretId={secret_name}'\n    headers = {'X-Aws-Parameters-Secrets-Token': os.environ['AWS_SESSION_TOKEN']}\n\n    request = urllib.request.Request(url, headers=headers)\n    response = urllib.request.urlopen(request)\n    secret = json.loads(response.read())['SecretString']\n\n    credentials = json.loads(secret)\n    return credentials\n```\n\n## CLI Reference\n\n### Secret Management\n\n| Command | Description |\n|---------|-------------|\n| `aws secretsmanager create-secret` | Create secret |\n| `aws secretsmanager describe-secret` | Get secret metadata |\n| `aws secretsmanager get-secret-value` | Retrieve secret value |\n| `aws secretsmanager update-secret` | Update secret |\n| `aws secretsmanager delete-secret` | Delete secret |\n| `aws secretsmanager restore-secret` | Restore deleted secret |\n| `aws secretsmanager list-secrets` | List secrets |\n\n### Versions\n\n| Command | Description |\n|---------|-------------|\n| `aws secretsmanager put-secret-value` | Add new version |\n| `aws secretsmanager list-secret-version-ids` | List versions |\n| `aws secretsmanager update-secret-version-stage` | Move staging labels |\n\n### Rotation\n\n| Command | Description |\n|---------|-------------|\n| `aws secretsmanager rotate-secret` | Configure/trigger rotation |\n| `aws secretsmanager cancel-rotate-secret` | Cancel rotation |\n\n## Best Practices\n\n### Secret Organization\n\n- **Use hierarchical names**: `environment/application/secret-type`\n- **Tag secrets** for organization and cost allocation\n- **Separate by environment** (dev, staging, prod)\n\n### Security\n\n- **Use resource policies** to control access\n- **Enable encryption** with customer-managed KMS keys\n- **Rotate secrets** regularly (30-90 days)\n- **Audit access** with CloudTrail\n- **Use VPC endpoints** for private access\n\n### Access Control\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n 
     \"Action\": [\n        \"secretsmanager:GetSecretValue\",\n        \"secretsmanager:DescribeSecret\"\n      ],\n      \"Resource\": \"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"secretsmanager:ResourceTag/Environment\": \"production\"\n        }\n      }\n    }\n  ]\n}\n```\n\n### Application Integration\n\n- **Cache secrets** to reduce API calls\n- **Handle rotation** gracefully (retry with new credentials)\n- **Use Lambda extension** for faster access\n- **Never log secrets**\n\n## Troubleshooting\n\n### AccessDeniedException\n\n**Causes:**\n- IAM policy missing `secretsmanager:GetSecretValue`\n- Resource policy denying access\n- KMS key policy missing permissions\n\n**Debug:**\n\n```bash\n# Check secret resource policy\naws secretsmanager get-resource-policy --secret-id my-secret\n\n# Check IAM permissions\naws iam simulate-principal-policy \\\n  --policy-source-arn arn:aws:iam::123456789012:role/my-role \\\n  --action-names secretsmanager:GetSecretValue \\\n  --resource-arns arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret\n```\n\n### Rotation Failed\n\n**Debug:**\n\n```bash\n# Check rotation status\naws secretsmanager describe-secret --secret-id my-secret\n\n# Check Lambda logs\naws logs filter-log-events \\\n  --log-group-name /aws/lambda/SecretsManagerRotation \\\n  --filter-pattern \"ERROR\"\n```\n\n**Common causes:**\n- Lambda timeout (increase to 30+ seconds)\n- Network connectivity (VPC configuration)\n- Database connection issues\n- Wrong secret format\n\n### Secret Not Found\n\n```bash\n# List secrets to find correct name\naws secretsmanager list-secrets \\\n  --filters Key=name,Values=myapp\n\n# Check if deleted (within recovery window)\naws secretsmanager list-secrets \\\n  --include-planned-deletion\n```\n\n## References\n\n- [Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/)\n- [Secrets Manager API 
 Reference](https://docs.aws.amazon.com/secretsmanager/latest/apireference/)\n- [Secrets Manager CLI Reference](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/)\n- [boto3 Secrets Manager](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html)","tags":["secrets","manager","aws","agent","skills","itsmostafa","agent-skills","agentic-ai","claude-code","claude-skills","codex","coding-agents"],"capabilities":["skill","source-itsmostafa","skill-secrets-manager","topic-agent-skills","topic-agentic-ai","topic-aws","topic-claude-code","topic-claude-skills","topic-codex","topic-coding-agents"],"categories":["aws-agent-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/itsmostafa/aws-agent-skills/secrets-manager","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add itsmostafa/aws-agent-skills","source_repo":"https://github.com/itsmostafa/aws-agent-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 1085 github stars · SKILL.md body (8,692 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-03T00:52:59.046Z","embedding":null,"createdAt":"2026-04-18T21:55:46.280Z","updatedAt":"2026-05-03T00:52:59.046Z","lastSeenAt":"2026-05-03T00:52:59.046Z",
"prices":[{"id":"e2d4d249-2936-4027-bbe4-0fd25674a47d","listingId":"1d73d0fd-e392-4ddf-9dff-652fef42986b","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"itsmostafa","category":"aws-agent-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:55:46.280Z"}],"sources":[{"listingId":"1d73d0fd-e392-4ddf-9dff-652fef42986b","source":"github","sourceId":"itsmostafa/aws-agent-skills/secrets-manager","sourceUrl":"https://github.com/itsmostafa/aws-agent-skills/tree/main/skills/secrets-manager","isPrimary":false,"firstSeenAt":"2026-04-18T21:55:46.280Z","lastSeenAt":"2026-05-03T00:52:59.046Z"}],"details":{"listingId":"1d73d0fd-e392-4ddf-9dff-652fef42986b","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"itsmostafa","slug":"secrets-manager","github":{"repo":"itsmostafa/aws-agent-skills","stars":1085,"topics":["agent-skills","agentic-ai","aws","claude-code","claude-skills","codex","coding-agents"],"license":"mit","html_url":"https://github.com/itsmostafa/aws-agent-skills","pushed_at":"2026-04-27T09:45:24Z","description":"AWS Skills for Agents","skill_md_sha":"3805560dfe02a546cf4b25608196fde5bdf596fa","skill_md_path":"skills/secrets-manager/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/itsmostafa/aws-agent-skills/tree/main/skills/secrets-manager"},"layout":"multi","source":"github","category":"aws-agent-skills","frontmatter":{"name":"secrets-manager","description":"AWS Secrets Manager for secure secret storage and rotation. 
Use when storing credentials, configuring automatic rotation, managing secret versions, retrieving secrets in applications, or integrating with RDS."},"skills_sh_url":"https://skills.sh/itsmostafa/aws-agent-skills/secrets-manager"},"updatedAt":"2026-05-03T00:52:59.046Z"}}