Amazon AWS Secrets Manager

the amazon aws secrets manager connector facilitates secure management and retrieval of secrets for automated processes within the swimlane turbine platform aws secrets manager is a secure vault service that centralizes the storage, management, and rotation of secrets such as database credentials and api keys this connector enables swimlane turbine users to automate the lifecycle of secrets, from creation and retrieval to rotation and deletion, directly within their security workflows by integrating with aws secrets manager, users can enhance their security posture by programmatically managing secrets, reducing the risk of exposure, and ensuring compliance with security policies the connector's actions are designed to streamline secret operations, making it easier for security teams to maintain a robust and secure environment asset setup this integration authenticates with aws secrets manager using the following input values prerequisites to utilize the amazon aws secrets manager connector with swimlane turbine, ensure you have the following aws secrets manager authentication credentials access key your aws iam user's access key id secret key your aws iam user's secret access key region name the aws region where your secrets manager is hosted obtaining aws credentials to use this integration, you will need to have an aws account and obtain the necessary aws credentials you can obtain these credentials by following the steps below log in to your aws account and navigate to the iam console in the left navigation pane, click on the "users" tab and select the user for which you want to create credentials click on the "security credentials" tab, and then click on "create access key" make sure to save the access key id and secret access key in a secure location, as you will not be able to see the secret access key again after this step if you want to use an aws iam role to access the secrets manager, you will need to have the arn of the role and an optional external id, if one was specified by the aws account administrator permissions open the iam management console navigate to the user or role that requires the permission click on the permissions tab and then click on the add permissions button at the right side top corner of the permissions block click on attach policies and search for secretsmanagerreadwrite permissions policies select the box of secretsmanagerreadwrite and then click on the add permissions button at the right side bottom corner capabilities the aws secrets manager connector provides the following capabilities create secret delete secret get secret value list secrets put secret value tag resource notes https //docs aws amazon com/general/latest/gr/managing aws access keys html https //boto3 amazonaws com/v1/documentation/api/latest/reference/services/secretsmanager html configurations aws secrets manager auth authenticates using aws credentials configuration parameters parameter description type required access key aws access key string required secret key aws secret key string required region name the aws region where you want to create new connections string required role arn optional role arn to assume leave blank unless tasks need to assume a different role string optional external id external id to assume iam role optional value used for assuming roles can be added, or removed in trusted relationships of target role string optional session token use if a session token is provided when switching roles string optional role session name defaults to sessionfromswimlane \<hash> when no value is provide string optional actions create secret creates a new encrypted secret in amazon aws secrets manager, such as passwords or credentials, for secure storage and management endpoint method post input argument name type required description name string required the name of the new secret the secret name can contain ascii letters, numbers, and the following characters are / += \@ clientrequesttoken string optional if you include secretstring or secretbinary, then secrets manager creates an initial version for the secret, and this parameter specifies the unique identifier for the new version description string optional the description of the secret kmskeyid string optional the arn, key id, or alias of the kms key that secrets manager uses to encrypt the secret value in the secret secretbinary string optional the binary data to encrypt and store in the new version of the secret secretstring string optional the text data to encrypt and store in this new version of the secret tags array optional a list of tags to attach to the secret tags key string optional the key identifier, or name, of the tag tags value string optional the string value associated with the key of the tag addreplicaregions array optional a list of regions and kms keys to replicate secrets addreplicaregions region string optional a region code addreplicaregions kmskeyid string optional the arn, key id, or alias of the kms key to encrypt the secret forceoverwritereplicasecret boolean optional specifies whether to overwrite a secret with the same name in the destination region input example {"name" "mytestdatabasesecret","clientrequesttoken" "example1 90ab cdef fedc ba987secret1","description" "my test database secret created with the cli","kmskeyid" "test12312321","secretbinary" "secret binary","secretstring" "{'username' 'david','password' 'example password'}","tags" \[{"key" "costcenter","value" "12345"},{"key" "environment","value" "production"}],"addreplicaregions" \[{"region" "us east 1","kmskeyid" "test123123214"}],"forceoverwritereplicasecret"\ true} output parameter type description arn string output field arn name string name of the resource versionid string unique identifier responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"arn" "arn\ aws\ secretsmanager\ ap south 1 471112629208\ secret\ mytestdatabasesecret phecb ","name" "mytestdatabasesecret","versionid" "example1 90ab cdef fedc ba987secret1","responsemetadata" {"requestid" "8ae3bea3 0a90 46a7 9883 1b2a0ef23413","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "8ae3bea3 0a90 46a7 9883 1b2a0ef23413","content type" "application/x amz json 1 1","content length" "172","date" "fri, 26 jul 2024 \n 15 51 17 gmt"},"retryattempts" 0}} delete secret permanently deletes a secret and its versions in amazon aws secrets manager with an optional recovery window endpoint method delete input argument name type required description secretid string required the arn or name of the secret to delete recoverywindowindays number optional the number of days from 7 to 30 that secrets manager waits before permanently deleting the secret you can't use both this parameter and forcedeletewithoutrecovery in the same call forcedeletewithoutrecovery boolean optional specifies whether to delete the secret without any recovery window input example {"secretid" "mytestdatabasesecret","recoverywindowindays" 7,"forcedeletewithoutrecovery"\ true} output parameter type description arn string output field arn name string name of the resource deletiondate string date value responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"arn" "arn\ aws\ secretsmanager\ ap south 1 471112629208\ secret\ mytestdatabasesecret phecb ","name" "mytestdatabasesecret","deletiondate" "2024 08 28 05 50 04","responsemetadata" {"requestid" "bd225cc4 7333 4934 ba87 17f800c06e7a","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "bd225cc4 7333 4934 ba87 17f800c06e7a","content type" "application/x amz json 1 1","content length" "153","date" "mon, 29 jul 2024 05 50 04 gmt"},"retryattempts" 0}} get secret value retrieves encrypted content from amazon aws secrets manager using the specified secret's version identifier endpoint method get input argument name type required description secretid string required the arn or name of the secret to retrieve to retrieve a secret from another account, you must use an arn versionid string optional the unique identifier of the version of the secret to retrieve if you include both this parameter and versionstage, the two parameters must refer to the same secret version if you don't specify either a versionstage or versionid, then secrets manager returns the awscurrent version this value is typically a uuid type value with 32 hexadecimal digits versionstage string optional the staging label of the version of the secret to retrieve input example {"secretid" "mytestdatabasesecret","versionid" "6138ae16 59cf 4b73 8eba 987a36b67903","versionstage" "awscurrent"} output parameter type description arn string output field arn name string name of the resource versionid string unique identifier secretstring string output field secretstring versionstages array output field versionstages createddate string date value responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"arn" "arn\ aws\ secretsmanager\ ap south 1 471112629208\ secret\ mytestdatabasesecret phecb ","name" "mytestdatabasesecret","versionid" "6138ae16 59cf 4b73 8eba 987a36b67903","secretstring" "{'username' 'david','password' 'example password1'}","versionstages" \["awscurrent"],"createddate" "2024 07 26 16 09 21","responsemetadata" {"requestid" "7a2f8185 101e 4912 9f9a 9c5f760d0a67","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "7a2f8185 101e 4912 9f9a 9c5f760d0a67","content type" "applicati list secrets retrieves a list of secrets stored in the amazon aws secrets manager, excluding those marked for deletion endpoint method get input argument name type required description includeplanneddeletion boolean optional specifies whether to include secrets scheduled for deletion maxresults number optional the number of results to include in the response nexttoken string optional a token that indicates where the output should continue from, if a previous call did not show all results filters array optional the filters to apply to the list of secrets filters key string optional key used to filter filters values array optional the keyword to filter for you can prefix your search value with an exclamation mark ( !) in order to perform negation filters sortorder string optional secrets are listed by createddate input example {"includeplanneddeletion"\ false,"maxresults" 10,"nexttoken" "ewrwe2435213edf12345","filters" \[{"key" "name","values" \["mytestdatabasesecret"]}],"sortorder" "asc"} output parameter type description secretlist array output field secretlist secretlist arn string output field secretlist arn secretlist name string name of the resource secretlist description string output field secretlist description secretlist lastchangeddate string date value secretlist lastaccesseddate string date value secretlist tags array output field secretlist tags secretlist tags key string output field secretlist tags key secretlist tags value string value for the parameter secretlist secretversionstostages object output field secretlist secretversionstostages secretlist secretversionstostages 6138ae16 59cf 4b73 8eba 987a36b67903 array output field secretlist secretversionstostages 6138ae16 59cf 4b73 8eba 987a36b67903 secretlist secretversionstostages example1 90ab cdef fedc ba987secret1 array output field secretlist secretversionstostages example1 90ab cdef fedc ba987secret1 secretlist createddate string date value responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"secretlist" \[{"arn" "arn\ aws\ secretsmanager\ ap south 1 471112629208\ secret\ mytestdatabasesecret phecb ","name" "mytestdatabasesecret","description" "my test database secret created with the cli","lastchangeddate" "2024 07 26 17 28 26","lastaccesseddate" "2024 07 28 00 00 00","tags" \[],"secretversionstostages" {},"createddate" "2024 07 26 15 51 17"}],"responsemetadata" {"requestid" "b996b0ea c96d 4917 881e 4ff3edb86f46","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "b996b0ea c96d 491 put secret value creates a new encrypted version of the secret value in amazon aws secrets manager, requiring a secretid endpoint method put input argument name type required description secretid string required the arn or name of the secret to add a new version to clientrequesttoken string optional a unique identifier for the new version of the secret secretbinary string optional the binary data to encrypt and store in the new version of the secret secretstring string optional the text to encrypt and store in the new version of the secret versionstages array optional a list of staging labels to attach to this version of the secret secrets manager uses staging labels to track versions of a secret through the rotation process rotationtoken string optional a unique identifier that indicates the source of the request input example {"secretid" "mytestdatabasesecret","clientrequesttoken" "6138ae16 59cf 4b73 8eba 987a36b67913","secretbinary" "secret binary value","secretstring" "{'username' 'david','password' 'example password1'}","versionstages" \["awscurrent"],"rotationtoken" "afgvwegsdv2345342efd"} output parameter type description arn string output field arn name string name of the resource versionid string unique identifier versionstages array output field versionstages responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"arn" "arn\ aws\ secretsmanager\ ap south 1 471112629208\ secret\ mytestdatabasesecret phecb ","name" "mytestdatabasesecret","versionid" "6138ae16 59cf 4b73 8eba 987a36b67903","versionstages" \["awscurrent"],"responsemetadata" {"requestid" "fb223972 194a 4753 aad3 e30ac1ca4bd9","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "fb223972 194a 4753 aad3 e30ac1ca4bd9","content type" "application/x amz json 1 1","content length" "203","date" "fri, 26 jul 2024 16 09 21 gmt"},"retryattempts" 0}} tag resource attaches key value tags to an amazon aws secrets manager secret, augmenting its metadata without affecting versioning endpoint method post input argument name type required description secretid string required the identifier for the secret to attach tags to you can specify either the amazon resource name (arn) or the friendly name of the secret tags array required the tags to attach to the secret as a json text string argument each element in the list consists of a key and a value tags key string required the key identifier, or name, of the tag tags value string required the string value associated with the key of the tag input example {"secretid" "mytestdatabasesecret","tags" \[{"key" "firsttag","value" "somevalue"},{"key" "secondtag","value" "anothervalue"}]} output parameter type description responsemetadata object response data responsemetadata requestid string response data responsemetadata httpstatuscode number response data responsemetadata httpheaders object response data responsemetadata httpheaders x amzn requestid string response data responsemetadata httpheaders content type string response data responsemetadata httpheaders content length string response data responsemetadata httpheaders date string response data responsemetadata retryattempts number response data output example {"responsemetadata" {"requestid" "1667fe69 b8ac 4aa2 b698 2a8425d74aa5","httpstatuscode" 200,"httpheaders" {"x amzn requestid" "1667fe69 b8ac 4aa2 b698 2a8425d74aa5","content type" "application/x amz json 1 1","content length" "0","date" "fri, 26 jul 2024 17 28 26 gmt"},"retryattempts" 0}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt