
Amazon Secrets Manager

Amazon Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycle. It provides centralized secrets management with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB, enabling automatic rotation of secrets without requiring application changes.

1 APIs 8 Features
Configuration, Credentials, Rotation, Secrets, Security

APIs

Amazon Secrets Manager API

The Amazon Secrets Manager API for creating, managing, retrieving, and rotating secrets including database credentials, API keys, and other sensitive configuration.

Features

Automatic Secret Rotation

Automatically rotate secrets on a schedule using AWS Lambda rotation functions without changing application code.

Centralized Secret Storage

Store and manage all secrets in a single, centralized location with fine-grained access controls.

Native Database Integration

Built-in integration with Amazon RDS, Aurora, Redshift, and DocumentDB for automatic credential rotation.

Secret Versioning

Maintain multiple versions of a secret simultaneously to support zero-downtime rotation.

Audit and Compliance

Log all secret access and management actions via AWS CloudTrail for compliance and audit purposes.

Cross-Account Access

Share secrets across AWS accounts using resource-based policies.

Encryption at Rest

All secrets are encrypted at rest using AWS KMS keys you control.

Random Password Generation

Generate cryptographically secure random passwords with configurable complexity requirements.

Use Cases

Database Credential Management

Automatically rotate and manage database credentials for RDS, Aurora, and other databases.

API Key Storage

Securely store and retrieve API keys, OAuth tokens, and other third-party service credentials.

Application Configuration

Centralize sensitive application configuration such as connection strings and encryption keys.

Cross-Service Credentials

Share service-to-service credentials securely across microservices without embedding them in code.

Compliance Secret Rotation

Meet compliance requirements like PCI DSS and SOC 2 by enforcing regular credential rotation.

Secrets Lifecycle Governance

Enforce organizational policies on secret creation, rotation schedules, and access patterns.

Semantic Vocabularies

Amazon Secrets Manager Context

6 classes · 27 properties

JSON-LD

API Governance Rules

Amazon Secrets Manager API Rules

20 rules · 9 errors 10 warnings 1 info

SPECTRAL

Resources

PostmanWorkspace
ArazzoWorkflows
Portal
GettingStarted
Documentation
APIReference
Console
SignUp
Pricing
FAQ
Blog
StatusPage
Support
TermsOfService
PrivacyPolicy
Security
Compliance
GitHubOrganization
YouTube
StackOverflow
KnowledgeCenter
CLI
SpectralRules
Vocabulary
JSONLD
JSONSchema
JSONSchema
JSONSchema
JSONStructure
JSONStructure
JSONStructure
JSONStructure
JSONStructure
JSONStructure
Example
Example
Example
Example
Example
Example

Sources

name: Amazon Secrets Manager
description: >-
  Amazon Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets
  throughout their lifecycle. It provides centralized secrets management with built-in integration for Amazon RDS,
  Amazon Redshift, and Amazon DocumentDB, enabling automatic rotation of secrets without requiring application changes.
url: https://aws.amazon.com/secrets-manager/
baseURL: https://secretsmanager.amazonaws.com
kind: company
created: '2024-01-01'
modified: '2026-05-19'
tags:
  - AWS
  - Configuration
  - Credentials
  - Rotation
  - Secrets
  - Security
apis:
  - name: Amazon Secrets Manager API
    description: >-
      The Amazon Secrets Manager API for creating, managing, retrieving, and rotating secrets including database
      credentials, API keys, and other sensitive configuration.
    humanURL: https://docs.aws.amazon.com/secretsmanager/latest/apireference/
    baseURL: https://secretsmanager.{region}.amazonaws.com
    tags:
      - Security
      - Secrets
      - Credentials
      - Rotation
    properties:
      - type: Documentation
        url: https://docs.aws.amazon.com/secretsmanager/latest/apireference/
      - type: OpenAPI
        url: openapi/amazon-secrets-manager-openapi.yml
      - type: JSONSchema
        url: json-schema/amazon-secrets-manager-secret-schema.json
      - type: JSONSchema
        url: json-schema/amazon-secrets-manager-secret-value-schema.json
      - type: JSONSchema
        url: json-schema/amazon-secrets-manager-rotation-rules-schema.json
common:
  - type: PostmanWorkspace
    url: https://www.postman.com/kinlaneapi/amazon-secrets-manager/overview
  - type: ArazzoWorkflows
    url: arazzo/
    workflows:
      - url: arazzo/amazon-secrets-manager-create-and-read-secret-workflow.yml
        name: Amazon Secrets Manager Create and Read Secret
        summary: Create a new secret, then immediately retrieve its decrypted value to confirm it was stored.
      - url: arazzo/amazon-secrets-manager-find-and-delete-secret-workflow.yml
        name: Amazon Secrets Manager Find and Delete Secret
        summary: >-
          List secrets filtered by name, branch on whether a match exists, then describe and schedule deletion of the
          matched secret.
      - url: arazzo/amazon-secrets-manager-generate-password-and-store-secret-workflow.yml
        name: Amazon Secrets Manager Generate Password and Store Secret
        summary: Generate a random password, store it as a new secret, then read the secret value back to confirm it was saved.
      - url: arazzo/amazon-secrets-manager-restore-deleted-secret-workflow.yml
        name: Amazon Secrets Manager Restore Deleted Secret
        summary: >-
          Cancel the scheduled deletion of a secret with RestoreSecret, then describe it to confirm the DeletedDate was
          cleared.
      - url: arazzo/amazon-secrets-manager-rotate-and-describe-workflow.yml
        name: Amazon Secrets Manager Rotate and Describe
        summary: >-
          Start rotation on a secret with a Lambda rotation function, then describe it to confirm rotation is
          configured.
      - url: arazzo/amazon-secrets-manager-rotate-version-and-verify-workflow.yml
        name: Amazon Secrets Manager Put New Version and Verify
        summary: >-
          Store a new encrypted version of a secret with PutSecretValue, then read the current value to confirm the
          update.
      - url: arazzo/amazon-secrets-manager-tag-secret-and-verify-workflow.yml
        name: Amazon Secrets Manager Tag Secret and Verify
        summary: >-
          Attach tags to a secret with TagResource, then describe the secret to confirm the tags are present in its
          metadata.
      - url: arazzo/amazon-secrets-manager-update-metadata-and-verify-workflow.yml
        name: Amazon Secrets Manager Update Metadata and Verify
        summary: >-
          Update a secret's description and KMS key with UpdateSecret, then describe it to confirm the new metadata was
          applied.
  - type: Portal
    url: https://aws.amazon.com/
  - type: GettingStarted
    url: https://aws.amazon.com/secrets-manager/getting-started/
  - type: Documentation
    url: https://docs.aws.amazon.com/secretsmanager/latest/userguide/
  - type: APIReference
    url: https://docs.aws.amazon.com/secretsmanager/latest/apireference/
  - type: Console
    url: https://console.aws.amazon.com/secretsmanager/
  - type: SignUp
    url: https://portal.aws.amazon.com/billing/signup
  - type: Pricing
    url: https://aws.amazon.com/secrets-manager/pricing/
  - type: FAQ
    url: https://aws.amazon.com/secrets-manager/faqs/
  - type: Blog
    url: https://aws.amazon.com/blogs/security/
  - type: StatusPage
    url: https://health.aws.amazon.com/health/status
  - type: Support
    url: https://aws.amazon.com/support/
  - type: TermsOfService
    url: https://aws.amazon.com/service-terms/
  - type: PrivacyPolicy
    url: https://aws.amazon.com/privacy/
  - type: Security
    url: https://docs.aws.amazon.com/secretsmanager/latest/userguide/security.html
  - type: Compliance
    url: https://aws.amazon.com/compliance/
  - type: GitHubOrganization
    url: https://github.com/aws
  - type: YouTube
    url: https://www.youtube.com/user/AmazonWebServices
  - type: StackOverflow
    url: https://stackoverflow.com/questions/tagged/aws-secrets-manager
  - type: KnowledgeCenter
    url: https://repost.aws/knowledge-center
  - type: CLI
    url: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/
  - type: SpectralRules
    url: rules/amazon-secrets-manager-spectral-rules.yml
  - type: Vocabulary
    url: vocabulary/amazon-secrets-manager-vocabulary.yaml
  - type: Features
    data:
      - name: Automatic Secret Rotation
        description: >-
          Automatically rotate secrets on a schedule using AWS Lambda rotation functions without changing application
          code.
      - name: Centralized Secret Storage
        description: Store and manage all secrets in a single, centralized location with fine-grained access controls.
      - name: Native Database Integration
        description: Built-in integration with Amazon RDS, Aurora, Redshift, and DocumentDB for automatic credential rotation.
      - name: Secret Versioning
        description: Maintain multiple versions of a secret simultaneously to support zero-downtime rotation.
      - name: Audit and Compliance
        description: Log all secret access and management actions via AWS CloudTrail for compliance and audit purposes.
      - name: Cross-Account Access
        description: Share secrets across AWS accounts using resource-based policies.
      - name: Encryption at Rest
        description: All secrets are encrypted at rest using AWS KMS keys you control.
      - name: Random Password Generation
        description: Generate cryptographically secure random passwords with configurable complexity requirements.
  - type: UseCases
    data:
      - name: Database Credential Management
        description: Automatically rotate and manage database credentials for RDS, Aurora, and other databases.
      - name: API Key Storage
        description: Securely store and retrieve API keys, OAuth tokens, and other third-party service credentials.
      - name: Application Configuration
        description: Centralize sensitive application configuration such as connection strings and encryption keys.
      - name: Cross-Service Credentials
        description: Share service-to-service credentials securely across microservices without embedding in code.
      - name: Compliance Secret Rotation
        description: Meet compliance requirements like PCI DSS and SOC 2 by enforcing regular credential rotation.
      - name: Secrets Lifecycle Governance
        description: Enforce organizational policies on secret creation, rotation schedules, and access patterns.
  - type: Integrations
    data:
      - name: Amazon RDS
        description: Native integration for automatic rotation of RDS database credentials.
      - name: Amazon Aurora
        description: Built-in support for rotating Aurora database master user passwords.
      - name: Amazon Redshift
        description: Automatic rotation of Redshift cluster credentials.
      - name: Amazon DocumentDB
        description: Native rotation support for DocumentDB user credentials.
      - name: AWS Lambda
        description: Lambda-powered custom rotation functions for any secret type.
      - name: AWS CloudTrail
        description: Audit logging of all Secrets Manager API calls via CloudTrail.
      - name: AWS KMS
        description: Encryption of secrets at rest using customer-managed KMS keys.
      - name: AWS IAM
        description: Fine-grained access control for secrets using IAM policies and resource-based policies.
      - name: AWS CloudFormation
        description: Provision and manage secrets as part of CloudFormation stacks.
  - type: JSONLD
    url: json-ld/amazon-secrets-manager-context.jsonld
  - type: JSONSchema
    url: json-schema/amazon-secrets-manager-get-random-password-response-schema.json
  - type: JSONSchema
    url: json-schema/amazon-secrets-manager-list-secrets-response-schema.json
  - type: JSONSchema
    url: json-schema/amazon-secrets-manager-tag-schema.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-get-random-password-response-structure.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-list-secrets-response-structure.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-rotation-rules-structure.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-secret-structure.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-secret-value-structure.json
  - type: JSONStructure
    url: json-structure/amazon-secrets-manager-tag-structure.json
  - type: Example
    url: examples/amazon-secrets-manager-get-random-password-response-example.json
  - type: Example
    url: examples/amazon-secrets-manager-list-secrets-response-example.json
  - type: Example
    url: examples/amazon-secrets-manager-rotation-rules-example.json
  - type: Example
    url: examples/amazon-secrets-manager-secret-example.json
  - type: Example
    url: examples/amazon-secrets-manager-secret-value-example.json
  - type: Example
    url: examples/amazon-secrets-manager-tag-example.json
  - type: Integrations
    url: https://aws.amazon.com/partners/
maintainer: Kin Lane
integrations:
  - name: Partner Programs
  - name: Resources
  - name: Success Stories
  - name: Work with an AWS Partner
  - name: AWS Marketplace
  - name: AWS Partner Central
  - name: Partner Paths
  - name: co-sell with AWS