Amazon Secrets Manager API

The Amazon Secrets Manager API for creating, managing, retrieving, and rotating secrets including database credentials, API keys, and other sensitive configuration.


OpenAPI Specification

amazon-secrets-manager-openapi.yml
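# OpenAPI description of the Secrets Manager API. Every operation below is a
# POST whose action is selected by the X-Amz-Target header.
# NOTE(review): the document declares no `security` requirement and no
# `components.securitySchemes`. The service only accepts requests signed with
# AWS Signature Version 4, so clients, mocks and gateways generated from this
# file will treat every operation as unauthenticated unless signing is added
# separately.
openapi: 3.1.0
info:
  title: Amazon Secrets Manager API
  description: >-
    Amazon Secrets Manager helps you manage, retrieve, and rotate database
    credentials, API keys, and other secrets throughout their lifecycle. It
    provides centralized secrets management with built-in integration for Amazon
    RDS, Amazon Redshift, and Amazon DocumentDB, enabling automatic rotation of
    secrets without requiring application changes.
  # Quoted so the API version stays a string instead of being read as a date.
  version: '2017-10-17'
  contact:
    name: Kin Lane
    url: https://github.com/kinlane
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
# Secrets Manager is served from per-Region hosts, so the Region is modelled as
# a server variable instead of being left out of the host name. HTTPS only.
- url: https://secretsmanager.{region}.amazonaws.com
  description: Amazon Secrets Manager API
  variables:
    region:
      default: us-east-1
      description: AWS Region that holds the secrets.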
paths:
  # CreateSecret. The request path is the service root; the X-Amz-Target
  # header value is what selects the action.
  /:
    post:
      operationId: CreateSecret
      summary: Amazon Secrets Manager Create Secret
      description: >-
        Creates a new secret. A secret can be a password, a set of credentials
        such as a user name and password, an OAuth token, or other secret
        information that you store in an encrypted form in Secrets Manager.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.CreateSecret
      # The body can carry SecretString or SecretBinary in clear text, so
      # anything that records request bodies (proxies, debug logging, mock
      # recordings) records the secret as well.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/CreateSecretRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreateSecretResponse'
              examples:
                CreateSecret200Example:
                  summary: Default CreateSecret 200 response
                  x-microcks-default: true
                  # Illustrative identifiers only; the response schema has no
                  # field for the secret value.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    VersionId: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  # GetSecretValue. NOTE(review): the `#GetSecretValue` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#GetSecretValue:
    post:
      operationId: GetSecretValue
      summary: Amazon Secrets Manager Get Secret Value
      description: >-
        Retrieves the contents of the encrypted fields SecretString or
        SecretBinary from the specified version of a secret.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.GetSecretValue
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/GetSecretValueRequest'
      # Security-sensitive: a successful response holds the decrypted secret
      # (SecretString / SecretBinary). Keep response bodies of this operation
      # out of logs, traces and recorded mock traffic, and grant access to it
      # only to principals that need the plaintext.
      # NOTE(review): no error responses are described, and the response media
      # type differs from the request's application/x-amz-json-1.1 — confirm.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GetSecretValueResponse'
              examples:
                GetSecretValue200Example:
                  summary: Default GetSecretValue 200 response
                  x-microcks-default: true
                  # The sample carries identifiers only; it has no SecretString
                  # or SecretBinary, so mocks built from it return no value.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    VersionId: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  # PutSecretValue. NOTE(review): the `#PutSecretValue` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#PutSecretValue:
    post:
      operationId: PutSecretValue
      summary: Amazon Secrets Manager Put Secret Value
      description: >-
        Creates a new version with a new encrypted secret value and attaches it
        to the secret. The version can contain a new SecretString value or a new
        SecretBinary value.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.PutSecretValue
      # The body carries the new secret value in clear text; request-body
      # capture (proxies, debug logging, mock recordings) captures the secret.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/PutSecretValueRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PutSecretValueResponse'
              examples:
                PutSecretValue200Example:
                  summary: Default PutSecretValue 200 response
                  x-microcks-default: true
                  # Illustrative identifiers only; the response schema has no
                  # field for the secret value.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    VersionId: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  # UpdateSecret. NOTE(review): the `#UpdateSecret` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#UpdateSecret:
    post:
      operationId: UpdateSecret
      summary: Amazon Secrets Manager Update Secret
      description: >-
        Modifies the details of a secret, including metadata and the secret
        value. To change the secret value, you can also use PutSecretValue.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.UpdateSecret
      # One call can change metadata, the encryption key (KmsKeyId) and the
      # value itself, so permission to call it is broader than a plain
      # metadata edit. The body may contain the secret value in clear text.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/UpdateSecretRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UpdateSecretResponse'
              examples:
                UpdateSecret200Example:
                  summary: Default UpdateSecret 200 response
                  x-microcks-default: true
                  # Illustrative identifiers only; the response schema has no
                  # field for the secret value.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    VersionId: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
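  # DeleteSecret. NOTE(review): the `#DeleteSecret` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#DeleteSecret:
    post:
      operationId: DeleteSecret
      summary: Amazon Secrets Manager Delete Secret
      description: >-
        Deletes a secret and all of its versions. You can specify a recovery
        window during which you can restore the secret. The minimum recovery
        window is 7 days. The default recovery window is 30 days.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.DeleteSecret
      # Destructive operation: with ForceDeleteWithoutRecovery the request
      # schema allows deletion with no recovery window, so the permission to
      # call this should be held by few principals and its use monitored.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/DeleteSecretRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeleteSecretResponse'
              examples:
                DeleteSecret200Example:
                  summary: Default DeleteSecret 200 response
                  x-microcks-default: true
                  # The sample follows DeleteSecretResponse (ARN, Name,
                  # DeletionDate). The timestamp is a constructed value,
                  # quoted so it stays a string.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    DeletionDate: '2024-01-31T00:00:00Z'
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK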
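  # ListSecrets. NOTE(review): the `#ListSecrets` suffix appears to exist only
  # to keep path keys unique in this document; the action itself is selected
  # by the X-Amz-Target header.
  /#ListSecrets:
    post:
      operationId: ListSecrets
      summary: Amazon Secrets Manager List Secrets
      description: >-
        Lists the secrets that are stored by Secrets Manager in the Amazon Web
        Services account, not including secrets that are marked for deletion.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.ListSecrets
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/ListSecretsRequest'
      # Returns metadata only, but names, descriptions and tags of every
      # secret in the account are themselves useful to someone mapping what
      # is stored, so listing deserves its own access decision.
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListSecretsResponse'
              examples:
                ListSecrets200Example:
                  summary: Default ListSecrets 200 response
                  x-microcks-default: true
                  # The sample follows ListSecretsResponse: entries sit under
                  # SecretList and use fields of the Secret schema.
                  value:
                    SecretList:
                    - ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                      Name: MySecret
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK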
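  # DescribeSecret. NOTE(review): the `#DescribeSecret` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#DescribeSecret:
    post:
      operationId: DescribeSecret
      summary: Amazon Secrets Manager Describe Secret
      description: >-
        Retrieves the details of a secret. It does not include the encrypted
        secret value. Secrets Manager only returns fields that have a value in
        the response.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.DescribeSecret
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/DescribeSecretRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DescribeSecretResponse'
              examples:
                DescribeSecret200Example:
                  summary: Default DescribeSecret 200 response
                  x-microcks-default: true
                  # The sample uses fields of the Secret schema only: that
                  # schema has no VersionId, versions are listed under
                  # SecretVersionsToStages with their staging labels.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    SecretVersionsToStages:
                      a1b2c3d4-e5f6-7890-abcd-ef1234567890:
                      - AWSCURRENT
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK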
  # RotateSecret. NOTE(review): the `#RotateSecret` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#RotateSecret:
    post:
      operationId: RotateSecret
      summary: Amazon Secrets Manager Rotate Secret
      description: >-
        Configures and starts the asynchronous process of rotating the secret.
        If you include the configuration parameters, the operation sets the
        values for the secret and then immediately starts a rotation.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.RotateSecret
      # The request can name the Lambda function that performs rotation
      # (RotationLambdaARN). Whoever may set that field chooses the code that
      # handles the secret, so restrict and audit changes to it.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/RotateSecretRequest'
      # Rotation is asynchronous per the description above: a 200 means the
      # process was started, not that the new credential is already in use.
      # NOTE(review): no error responses are described, and the response media
      # type differs from the request's application/x-amz-json-1.1 — confirm.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RotateSecretResponse'
              examples:
                RotateSecret200Example:
                  summary: Default RotateSecret 200 response
                  x-microcks-default: true
                  # Illustrative identifiers only.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
                    VersionId: a1b2c3d4-e5f6-7890-abcd-ef1234567890
      tags:
      - Rotation
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
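  # RestoreSecret. NOTE(review): the `#RestoreSecret` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#RestoreSecret:
    post:
      operationId: RestoreSecret
      summary: Amazon Secrets Manager Restore Secret
      description: >-
        Cancels the scheduled deletion of a secret by removing the DeletedDate
        time stamp. You can access a secret again after it has been restored.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.RestoreSecret
      # Restoring makes a secret that was scheduled for deletion readable
      # again, so an unexpected restore is worth alerting on.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/RestoreSecretRequest'
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RestoreSecretResponse'
              examples:
                RestoreSecret200Example:
                  summary: Default RestoreSecret 200 response
                  x-microcks-default: true
                  # The sample follows RestoreSecretResponse, which defines
                  # ARN and Name only.
                  value:
                    ARN: arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-a1b2c3
                    Name: MySecret
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK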
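  # TagResource. NOTE(review): the `#TagResource` suffix appears to exist only
  # to keep path keys unique in this document; the action itself is selected
  # by the X-Amz-Target header.
  /#TagResource:
    post:
      operationId: TagResource
      summary: Amazon Secrets Manager Tag Resource
      description: >-
        Attaches tags to a secret. Tags consist of a key name and a value. Tags
        are part of the secret's metadata and are not associated with specific
        versions of the secret.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.TagResource
      # Tags are plain metadata returned by the describe/list schemas, so they
      # are not a place for sensitive values. Where access policies match on
      # tags, adding a tag can change who may read the secret.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/TagResourceRequest'
      # No response body is described for the success case.
      # NOTE(review): error responses are not described.
      responses:
        '200':
          description: Successful response
      # Grouped with the other secret-management operations; an empty list
      # left this operation outside every tag group declared in the document.
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK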
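  # UntagResource. NOTE(review): the `#UntagResource` suffix appears to exist
  # only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#UntagResource:
    post:
      operationId: UntagResource
      summary: Amazon Secrets Manager Untag Resource
      description: >-
        Removes specific tags from a secret. This operation is idempotent. If a
        requested tag is not attached to the secret, no error is returned.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.UntagResource
      # Where access policies match on tags, removing a tag can change who
      # may read the secret; treat untagging as a permission-relevant change.
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/UntagResourceRequest'
      # No response body is described for the success case.
      # NOTE(review): error responses are not described.
      responses:
        '200':
          description: Successful response
      # Grouped with the other secret-management operations; an empty list
      # left this operation outside every tag group declared in the document.
      tags:
      - Secrets
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK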
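  # GetRandomPassword. NOTE(review): the `#GetRandomPassword` suffix appears to
  # exist only to keep path keys unique in this document; the action itself is
  # selected by the X-Amz-Target header.
  /#GetRandomPassword:
    post:
      operationId: GetRandomPassword
      summary: Amazon Secrets Manager Get Random Password
      description: >-
        Generates a random password. You can use this operation to generate a
        password for a new secret or to change the value of an existing secret.
      parameters:
      # Single-value enum: pins the header to this one action.
      - name: X-Amz-Target
        in: header
        required: true
        schema:
          type: string
          enum:
          - secretsmanager.GetRandomPassword
      requestBody:
        required: true
        content:
          application/x-amz-json-1.1:
            schema:
              $ref: '#/components/schemas/GetRandomPasswordRequest'
      # The response body is the generated password in clear text; handle it
      # like any other secret value (no logging, no recorded mock traffic).
      # NOTE(review): only the 200 case is described, and it is declared as
      # application/json while the request uses application/x-amz-json-1.1 —
      # confirm the response media type and add the error responses.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GetRandomPasswordResponse'
              examples:
                GetRandomPassword200Example:
                  summary: Default GetRandomPassword 200 response
                  x-microcks-default: true
                  # The sample follows GetRandomPasswordResponse, whose only
                  # field is RandomPassword. Constructed placeholder, not a
                  # generated password.
                  value:
                    RandomPassword: EXAMPLE-PLACEHOLDER-NOT-A-REAL-PASSWORD
      tags:
      - Passwords
      # Microcks mock settings: no added delay, FALLBACK dispatcher.
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK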
components:
  schemas:
    # Metadata describing a secret. It has no SecretString/SecretBinary field,
    # but names, descriptions and tags can still reveal what a secret protects.
    Secret:
      type: object
      properties:
        ARN:
          type: string
          description: The ARN of the secret.
        Name:
          type: string
          description: The friendly name of the secret.
        Description:
          type: string
          description: The description of the secret.
        KmsKeyId:
          type: string
          description: The ARN of the KMS key used to encrypt the secret.
        # Rotation state: useful when auditing for secrets that never rotate.
        RotationEnabled:
          type: boolean
          description: Whether rotation is enabled for this secret.
        RotationLambdaARN:
          type: string
          description: The ARN of the Lambda function that rotates the secret.
        RotationRules:
          $ref: '#/components/schemas/RotationRules'
        LastRotatedDate:
          type: string
          format: date-time
          description: The most recent date and time that rotation was triggered.
        LastChangedDate:
          type: string
          format: date-time
          description: The last date and time that this secret was modified.
        # Useful when auditing for secrets that are no longer read.
        LastAccessedDate:
          type: string
          format: date-time
          description: The last date that this secret was accessed.
        # NOTE(review): RestoreSecret is described as removing this time stamp,
        # which suggests it is set while deletion is still pending — confirm.
        DeletedDate:
          type: string
          format: date-time
          description: The date and time the deletion of the secret occurred.
        Tags:
          type: array
          items:
            $ref: '#/components/schemas/Tag'
          description: The list of tags attached to the secret.
        # Object whose values are arrays of strings; per the description these
        # are the staging labels of each version.
        SecretVersionsToStages:
          type: object
          additionalProperties:
            type: array
            items:
              type: string
          description: A list of the versions of the secret that have staging labels attached.
        OwningService:
          type: string
          description: The name of the service that created this secret.
        CreatedDate:
          type: string
          format: date-time
          description: The date and time when the secret was created.
        PrimaryRegion:
          type: string
          description: The Region the secret is in.

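    # One version of a secret together with its decrypted value. This is the
    # only schema in the document that returns plaintext secret material, so
    # objects of this type should never be logged or cached in clear text.
    SecretValue:
      type: object
      properties:
        ARN:
          type: string
          description: The ARN of the secret.
        Name:
          type: string
          description: The friendly name of the secret.
        VersionId:
          type: string
          description: The unique identifier of this version of the secret.
        # Base64 text (format: byte); the decoded bytes are the secret itself.
        SecretBinary:
          type: string
          format: byte
          description: The decrypted secret value in binary format.
        # `format: password` is a hint to documentation UIs and generators
        # that the field is sensitive and should be masked.
        SecretString:
          type: string
          format: password
          description: The decrypted secret value in string format.
        VersionStages:
          type: array
          items:
            type: string
          description: A list of the staging labels that are attached to this version.
        CreatedDate:
          type: string
          format: date-time
          description: The date and time that this version of the secret was created.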

    # Rotation schedule for a secret.
    # NOTE(review): AutomaticallyAfterDays and ScheduleExpression both define
    # when rotation runs; presumably only one of them should be set — confirm.
    # No bounds or patterns are declared, so validation is left to the service.
    RotationRules:
      type: object
      properties:
        AutomaticallyAfterDays:
          type: integer
          description: The number of days between automatic scheduled rotations.
        # Typed as a string even though the description speaks of hours.
        Duration:
          type: string
          description: The length of the rotation window in hours.
        ScheduleExpression:
          type: string
          description: A cron or rate expression that defines the schedule for rotation.

    # Key/value label attached to a secret. Tags are returned as part of the
    # Secret metadata schema, so they should not hold sensitive values.
    Tag:
      type: object
      properties:
        Key:
          type: string
          description: The key identifier or name of the tag.
        Value:
          type: string
          description: The string value associated with the key of the tag.

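    # Input for CreateSecret. Only Name is required by this schema.
    # NOTE(review): the schema lets SecretString and SecretBinary appear
    # together; the service is understood to accept only one of them per
    # request — confirm and express it with oneOf if so.
    CreateSecretRequest:
      type: object
      required:
      - Name
      properties:
        Name:
          type: string
          description: The name of the new secret.
        Description:
          type: string
          description: The description of the secret.
        KmsKeyId:
          type: string
          description: The ARN, key ID, or alias of the KMS key to encrypt the secret.
        # Base64 text (format: byte); the decoded bytes are the secret itself.
        SecretBinary:
          type: string
          format: byte
          description: The binary data to encrypt and store in the secret.
        # `format: password` is a hint to documentation UIs and generators
        # that the field is sensitive and should be masked.
        SecretString:
          type: string
          format: password
          description: The text data to encrypt and store in the secret.
        Tags:
          type: array
          items:
            $ref: '#/components/schemas/Tag'
          description: The list of tags to attach to the secret.
        ClientRequestToken:
          type: string
          description: A unique identifier for the new version of the secret.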

    # Result of CreateSecret: identifiers of the secret and its version. The
    # schema has no field for the secret value.
    CreateSecretResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string
        VersionId:
          type: string

    # Input for GetSecretValue. Only SecretId is required; VersionId and
    # VersionStage are two optional ways of picking a version.
    # NOTE(review): the version returned when neither is supplied is not stated
    # in this document — confirm against the service documentation.
    GetSecretValueRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to retrieve.
        VersionId:
          type: string
          description: The unique identifier of the version of the secret to retrieve.
        VersionStage:
          type: string
          description: The staging label of the version of the secret to retrieve.

    # Alias of SecretValue: the response carries the decrypted secret, so it
    # needs the same handling as the secret itself.
    GetSecretValueResponse:
      $ref: '#/components/schemas/SecretValue'

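    # Input for PutSecretValue: stores a new version of an existing secret.
    # NOTE(review): the schema lets SecretString and SecretBinary appear
    # together; the service is understood to accept only one of them per
    # request — confirm and express it with oneOf if so.
    PutSecretValueRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to update.
        # Base64 text (format: byte); the decoded bytes are the secret itself.
        SecretBinary:
          type: string
          format: byte
          description: The binary data to encrypt and store in the new version of the secret.
        # `format: password` is a hint to documentation UIs and generators
        # that the field is sensitive and should be masked.
        SecretString:
          type: string
          format: password
          description: The text data to encrypt and store in the new version of the secret.
        ClientRequestToken:
          type: string
          description: A unique identifier for the new version of the secret.
        VersionStages:
          type: array
          items:
            type: string
          description: A list of the staging labels to attach to the new version.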

    # Result of PutSecretValue: identifiers of the secret and the new version,
    # plus the staging labels on that version. No secret value is echoed back.
    PutSecretValueResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string
        VersionId:
          type: string
        VersionStages:
          type: array
          items:
            type: string

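    # Input for UpdateSecret. Besides metadata it can replace the encryption
    # key and the secret value, so it is as sensitive as PutSecretValueRequest.
    # NOTE(review): the schema lets SecretString and SecretBinary appear
    # together; the service is understood to accept only one of them per
    # request — confirm and express it with oneOf if so.
    UpdateSecretRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to update.
        Description:
          type: string
          description: The description of the secret.
        KmsKeyId:
          type: string
          description: The ARN, key ID, or alias of the KMS key to encrypt the secret.
        # Base64 text (format: byte); the decoded bytes are the secret itself.
        SecretBinary:
          type: string
          format: byte
          description: The binary data to encrypt and store in the new version of the secret.
        # `format: password` is a hint to documentation UIs and generators
        # that the field is sensitive and should be masked.
        SecretString:
          type: string
          format: password
          description: The text data to encrypt and store in the new version of the secret.
        ClientRequestToken:
          type: string
          description: A unique identifier for the new version of the secret.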

    # Result of UpdateSecret: identifiers only. The schema has no field for
    # the secret value.
    UpdateSecretResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string
        VersionId:
          type: string

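    # Input for DeleteSecret. Deletion is normally deferred by a recovery
    # window; ForceDeleteWithoutRecovery skips the window entirely.
    # NOTE(review): the two options are understood to be mutually exclusive in
    # one request; the schema does not express that — confirm.
    DeleteSecretRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to delete.
        # Lower bound from the DeleteSecret operation description (minimum
        # window 7 days). NOTE(review): the upper bound of 30 is taken from
        # the service documentation, not from this document — confirm.
        # No `default` is declared on purpose: generators that send defaults
        # would then always send this field alongside a forced deletion.
        RecoveryWindowInDays:
          type: integer
          minimum: 7
          maximum: 30
          description: The number of days that Secrets Manager waits before permanent deletion.
        ForceDeleteWithoutRecovery:
          type: boolean
          description: Use this parameter with caution. It permanently deletes the secret without any recovery window.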

    # Result of DeleteSecret: identifiers of the secret and a DeletionDate
    # timestamp.
    DeleteSecretResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string
        DeletionDate:
          type: string
          format: date-time

    # Input for ListSecrets: paging (MaxResults, NextToken), filtering and
    # sort order. No field is required.
    ListSecretsRequest:
      type: object
      properties:
        # NOTE(review): no minimum/maximum is declared for the page size.
        MaxResults:
          type: integer
          description: The maximum number of results to include in the response.
        NextToken:
          type: string
          description: A token for pagination.
        # Each filter pairs one Key from the enum below with a list of Values.
        Filters:
          type: array
          items:
            type: object
            properties:
              Key:
                type: string
                enum:
                - description
                - name
                - tag-key
                - tag-value
                - primary-region
                - owning-service
                - all
              Values:
                type: array
                items:
                  type: string
        SortOrder:
          type: string
          enum:
          - asc
          - desc

    # Result of ListSecrets: one page of Secret metadata entries plus the
    # token for the next page. Entries use the Secret schema, which has no
    # secret value field.
    ListSecretsResponse:
      type: object
      properties:
        SecretList:
          type: array
          items:
            $ref: '#/components/schemas/Secret'
        NextToken:
          type: string

    # Input for DescribeSecret: the secret is identified by ARN or name.
    DescribeSecretRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to describe.

    # Alias of Secret: metadata only, no secret value field.
    DescribeSecretResponse:
      $ref: '#/components/schemas/Secret'

    # Input for RotateSecret. Besides starting a rotation it can set the
    # rotation function and schedule for the secret.
    RotateSecretRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to rotate.
        ClientRequestToken:
          type: string
        # Names the function that will perform rotation; a caller able to set
        # this chooses the code that handles the secret, so limit who may.
        RotationLambdaARN:
          type: string
          description: The ARN of the Lambda rotation function.
        RotationRules:
          $ref: '#/components/schemas/RotationRules'
        RotateImmediately:
          type: boolean
          description: Whether to rotate the secret immediately.

    # Result of RotateSecret: identifiers only. The schema has no field for
    # the secret value.
    RotateSecretResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string
        VersionId:
          type: string

    # Input for RestoreSecret: the secret is identified by ARN or name.
    RestoreSecretRequest:
      type: object
      required:
      - SecretId
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to restore.

    # Result of RestoreSecret: ARN and Name of the restored secret. There is
    # no version field in this schema.
    RestoreSecretResponse:
      type: object
      properties:
        ARN:
          type: string
        Name:
          type: string

    # Input for TagResource: both the secret and the tag list are required.
    # Tag keys and values are stored as metadata, not as secret material.
    TagResourceRequest:
      type: object
      required:
      - SecretId
      - Tags
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to tag.
        Tags:
          type: array
          items:
            $ref: '#/components/schemas/Tag'

    # Input for UntagResource: tags are removed by key name, so only the keys
    # are sent.
    UntagResourceRequest:
      type: object
      required:
      - SecretId
      - TagKeys
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to untag.
        TagKeys:
          type: array
          items:
            type: string
          description: A list of tag key names to remove from the secret.

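    # Input for GetRandomPassword. No field is required. Every Exclude* switch
    # and every excluded character shrinks the set the password is drawn from,
    # so a restricted character set should be offset by a longer
    # PasswordLength.
    GetRandomPasswordRequest:
      type: object
      properties:
        # A zero or negative length is meaningless, hence the lower bound.
        # NOTE(review): the upper bound of 4096 is taken from the service
        # documentation, not from this document — confirm.
        PasswordLength:
          type: integer
          minimum: 1
          maximum: 4096
          description: The length of the password. Default is 32 characters.
        ExcludeCharacters:
          type: string
          description: A string of characters to exclude from the password.
        ExcludeNumbers:
          type: boolean
          description: Whether to exclude numbers from the password.
        ExcludePunctuation:
          type: boolean
          description: Whether to exclude punctuation characters from the password.
        ExcludeUppercase:
          type: boolean
          description: Whether to exclude uppercase letters from the password.
        ExcludeLowercase:
          type: boolean
          description: Whether to exclude lowercase letters from the password.
        IncludeSpace:
          type: boolean
          description: Whether to include the space character in the password.
        RequireEachIncludedType:
          type: boolean
          description: Whether the password must contain at least one character of every included type.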

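    # Result of GetRandomPassword. The single field is a credential in clear
    # text and needs the same handling as a stored secret value.
    GetRandomPasswordResponse:
      type: object
      properties:
        # `format: password` is a hint to documentation UIs and generators
        # that the field is sensitive and should be masked.
        RandomPassword:
          type: string
          format: password
          description: A string with the password.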
# Tag groups that operations reference by name through their own `tags` lists.
tags:
- name: Passwords
  description: Operations for generating passwords.
- name: Rotation
  description: Operations for rotating secrets.
- name: Secrets
  description: Operations for managing secrets.