secrets-manager_skill

This skill simplifies managing secrets with AWS Secrets Manager, enabling secure storage, rotation, and retrieval for applications.
  • Python

976

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill itsmostafa/aws-agent-skills --skill secrets-manager

  • rotation-strategies.md10.9 KB
  • SKILL.md8.8 KB

Overview

This skill provides AWS Secrets Manager capabilities for storing, retrieving, and rotating secrets securely. It exposes common operations—create, read, update, delete, versioning, and automated rotation—plus patterns for integrating secrets into applications and Lambda. The skill helps agents manage secret lifecycles and follow AWS best practices for encryption, access control, and auditing.

How this skill works

The skill wraps AWS Secrets Manager APIs and typical boto3 patterns to create secrets, retrieve secret values (including handling SecretString and SecretBinary), manage versions and staging labels, and configure rotation using Lambda. It also supports client-side caching to reduce API calls and demonstrates using the Lambda extension for fast, local secret access. Typical flows include creating secrets with metadata/tags, enabling rotation, retrieving cached secrets in runtime, and troubleshooting access or rotation failures.

When to use it

  • Store database credentials, API keys, OAuth tokens, or any sensitive key-value pairs up to 64 KB.
  • Automatically rotate credentials for RDS, Redshift, DocumentDB, or custom resources with Lambda-based rotation.
  • Integrate secrets into Lambda functions or applications without embedding credentials in code or configuration.
  • Manage secret versions and staging labels during deployment and credential rollouts.
  • Implement fine-grained access control and auditing for production environments.

Best practices

  • Use hierarchical, descriptive names and tags (environment/application/secret-type) to organize secrets.
  • Encrypt secrets with customer-managed KMS keys and apply resource policies to limit access.
  • Enable automated rotation on a regular cadence (typically 30–90 days) and test rotation Lambda functions.
  • Cache secrets in applications to reduce Secrets Manager API calls and handle rotation gracefully.
  • Audit all access with CloudTrail and avoid logging secret values anywhere.

Example use cases

  • Create a production database secret and enable 30-day automatic rotation with an RDS rotation Lambda.
  • Retrieve cached database credentials inside a web server to obtain DB passwords without frequent API calls.
  • Use the Lambda Extension to fetch secrets locally within a function for lower-latency access.
  • Push a new secret version with staging labels (AWSPENDING/AWSCURRENT) during a blue-green credential rollout.
  • Audit and restrict secret access by tagging secrets and enforcing tag-based IAM conditions.

FAQ

Create a new secret version as AWSPENDING, let your rotation Lambda update the credential in the target system, then promote the new version to AWSCURRENT; applications should retry and refresh cached secrets.

What causes AccessDeniedException when retrieving a secret?

Common causes are missing secretsmanager:GetSecretValue permission in IAM, restrictive resource or KMS key policies, or a condition mismatch on tags; validate IAM and resource policies and check CloudTrail for denied calls.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
secrets-manager skill by itsmostafa/aws-agent-skills | VeilStrat