Secrets Manager
Retrieves and monitors secrets information from AWS Secrets Manager.
Details
The AWS Secrets Manager input collects secrets metadata from AWS Secrets Manager. It retrieves secret ARNs, names, descriptions, and related secret information based on the configured filters.
Requirements
- IAM Role Assumption / Static Credentials
- Example permission to attach to the role/user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecretsManagerPermissions",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
Configuration
Settings
| Setting | Type | Required | Default | Description |
|---|---|---|---|---|
| role_arn | string | Yes | - | The ARN of the role to assume to access Secrets Manager |
| cron | string | Yes | - | Cron expression for scheduling the input |
| include_planned_deletion | boolean | No | - | Include secrets that are scheduled for deletion |
| region | array | Yes | - | Filter the secrets list by region (us-east-1, us-east-2, us-west-1, us-west-2, af-south-1, ap-east-1, ap-south-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-southeast-1, ap-southeast-2, ca-central-1, cn-north-1, cn-northwest-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, eu-south-1, me-south-1, sa-east-1, us-gov-east-1, us-gov-west-1) |
| Filters | Array | No | [] | Filter secrets based on various criteria (see Filters section below) |
Filters
You can filter secrets using the following keys:
| Filter Key | Description | Example Values |
|---|---|---|
| name | Filter by secret name (prefix match, case-sensitive) | ["prod/", "app/database/"] |
| description | Filter by description (prefix match, not case-sensitive) | ["database", "api key"] |
| tag-key | Filter by tag key (prefix match, case-sensitive) | ["Environment", "Team"] |
| tag-value | Filter by tag value (prefix match, case-sensitive) | ["production", "backend"] |
| primary-region | Filter by primary region (prefix match, case-sensitive) | ["us-west-2", "us-east-1"] |
| owning-service | Filter by owning service (prefix match, case-sensitive) | ["rds", "lambda", "ecs"] |
| all | Search all attributes (not case-sensitive) | ["database", "production"] |
Note: Prefix filter values with ! for negation (e.g., ["!test/", "!dev/"] to exclude test and dev secrets).
Filter Examples:
Production secrets only:
"filters": [
  {
    "key": "name",
    "values": ["prod/"]
  }
]
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Sample Record
{
  "ARN": "arn:aws:secretsmanager:ap-southeast-1:772057037646:secret:prod/api/keys-AbcDef",
  "CreatedDate": "2025-08-11T23:46:57.642505Z",
  "DeletedDate": "null",
  "Description": "Redis connection credentials",
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
  "LastAccessedDate": "null",
  "LastChangedDate": "2025-08-11T23:46:57.642568Z",
  "LastRotatedDate": "{{timestampISO8601}}",
  "Name": "my-app/database/password",
  "NextRotationDate": "{{timestampISO8601}}",
  "OwningService": "elasticache",
  "PrimaryRegion": "null",
  "RotationEnabled": "false",
  "RotationLambdaARN": "null",
  "RotationRules": {
    "AutomaticallyAfterDays": "311",
    "Duration": "1h",
    "ScheduleExpression": "null"
  },
  "SecretVersionsToStages": {
    "ed926b69-4b3c-44ef-8f56-385d94e7eed8": [
      "AWSCURRENT"
    ]
  },
  "Tags": [
    {
      "Key": "Environment",
      "Value": "Production"
    },
    {
      "Key": "Environment",
      "Value": "Development"
    }
  ]
}
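A downstream hygiene check over records in the shape of the Sample Record above, added here as an example; it is not part of the product or its documentation. The finding names, the 90-day thresholds, and the treatment of the string "null" and of unparseable template values as absent are assumptions.

```python
from datetime import datetime, timedelta, timezone

ABSENT = (None, "", "null")  # the sample record encodes missing values as the string "null"

def parse_ts(value):
    """Return an aware datetime, or None for absent or unparseable (template) values."""
    if value in ABSENT:
        return None
    try:
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # assume UTC if no offset

def audit_secret(record, now, max_age_days=90, unused_days=90):
    """Return sorted finding codes for one record (codes and thresholds are assumptions)."""
    findings = set()
    max_age, unused = timedelta(days=max_age_days), timedelta(days=unused_days)
    changed = parse_ts(record.get("LastChangedDate"))
    if str(record.get("RotationEnabled")).lower() != "true":  # booleans arrive as strings
        findings.add("rotation_disabled")
        if changed and now - changed > max_age:
            findings.add("stale_value")
    # Fall back to CreatedDate when the secret has never been read.
    last_use = parse_ts(record.get("LastAccessedDate")) or parse_ts(record.get("CreatedDate"))
    if last_use and now - last_use > unused:
        findings.add("not_recently_accessed")
    if parse_ts(record.get("DeletedDate")):
        findings.add("pending_deletion")
    if record.get("KmsKeyId") in ABSENT:
        findings.add("default_kms_key")  # no customer managed key recorded
    seen = {}
    for tag in record.get("Tags") or []:
        if seen.setdefault(tag.get("Key"), tag.get("Value")) != tag.get("Value"):
            findings.add("conflicting_tag_values")
    return sorted(findings)

# Constructed record in the shape of the sample above (KmsKeyId set to "null" for illustration).
SAMPLE = {
    "CreatedDate": "2025-08-11T23:46:57.642505Z",
    "LastChangedDate": "2025-08-11T23:46:57.642568Z",
    "LastAccessedDate": "null", "DeletedDate": "null", "KmsKeyId": "null",
    "LastRotatedDate": "{{timestampISO8601}}", "RotationEnabled": "false",
    "Tags": [{"Key": "Environment", "Value": "Production"},
             {"Key": "Environment", "Value": "Development"}],
}

if __name__ == "__main__":
    print(audit_secret(SAMPLE, now=datetime(2026, 1, 1, tzinfo=timezone.utc)))
```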