Tag AWS Secrets Manager secrets
Secrets Manager defines a tag as a label consisting of a key that you define and an optional value. You can use tags to make it easy to manage, search, and filter secrets and other resources in your AWS account. When you tag your secrets, use a standard naming scheme across all of your resources. For more information, see the Tagging Best Practices whitepaper.
You can grant or deny access to a secret by checking the tags attached to the secret. For more information, see Control access to secrets using attribute-based access control (ABAC).
You can find secrets by tags in the console, AWS CLI, and SDKs. AWS also provides the Resource Groups tool to create a custom console that consolidates and organizes your resources based on their tags. To find secrets with a specific tag, see Find secrets in AWS Secrets Manager. Secrets Manager doesn't support tag-based cost allocation.
Never store sensitive information for a secret in a tag.
For tag quotas and naming restrictions, see Service quotas for Tagging in the AWS General Reference guide. Tags are case sensitive.
Secrets Manager generates a CloudTrail log entry when you tag or untag a secret. For more information, see Log AWS Secrets Manager events with AWS CloudTrail.
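Because tags can gate access through ABAC and every tag or untag call is logged to CloudTrail, tag changes on secrets are worth reviewing. The following is an added example, not AWS's own code: it scans constructed CloudTrail records for changes to ABAC-relevant tag keys and also flags keys that differ from them only by case, since tags are case sensitive. The ABAC_KEYS set, the function names and the lowercase requestParameters field names are assumptions.

```python
import json

# Assumption: tag keys this account's ABAC policies evaluate (hypothetical names).
ABAC_KEYS = {"Team", "Environment"}
# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "TagResource",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"secretId": "MyTestSecret",
    "tags": [{"key": "Team", "value": "payments"}]}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "TagResource",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"secretId": "MyTestSecret",
    "tags": [{"key": "team", "value": "payments"}, {"key": "FirstTag", "value": "x"}]}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "UntagResource",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
  "requestParameters": {"secretId": "MyTestSecret", "tagKeys": ["Environment", "SecondTag"]}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "requestParameters": {"secretId": "MyTestSecret"}}
]""")

def _field(d, name):  # accepts 'tags' or 'Tags'; the exact casing is an assumption
    return d.get(name, d.get(name[:1].upper() + name[1:]))

def changed_keys(event):
    params = event.get("requestParameters") or {}  # requestParameters may be null
    if event.get("eventName") == "TagResource":
        return [_field(t, "key") for t in _field(params, "tags") or []]
    if event.get("eventName") == "UntagResource":
        return list(_field(params, "tagKeys") or [])
    return []

def review(events, abac_keys=ABAC_KEYS):
    """Return (kind, event name, secret, tag key, actor) for tag changes affecting ABAC."""
    folded = {k.lower() for k in abac_keys}
    findings = []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        for key in changed_keys(ev):
            kind = ("abac-tag-changed" if key in abac_keys else
                    "case-mismatch" if key.lower() in folded else None)  # 'team' != 'Team'
            if kind:
                findings.append((kind, ev["eventName"], _field(ev["requestParameters"], "secretId"),
                                 key, ev.get("userIdentity", {}).get("arn")))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_EVENTS), sep="\n")
```

A case-mismatch finding usually means someone tagged a secret with a key the ABAC policy will never match, so the intended grant or deny does not apply.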
To change tags for your secret (console)
- Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
- From the list of secrets, choose your secret.
- In the secret details page, on the Tags tab, choose Edit tags. Tag key names and values are case sensitive, and tag keys must be unique.
AWS CLI
Example Add a tag to a secret
The following tag-resource example shows how to attach a tag with shorthand syntax.

    aws secretsmanager tag-resource \
        --secret-id MyTestSecret \
        --tags Key=FirstTag,Value=FirstValue

Example Add multiple tags to a secret
The following tag-resource example attaches two key-value tags to a secret.

    aws secretsmanager tag-resource \
        --secret-id MyTestSecret \
        --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'

Example Remove tags from a secret
The following untag-resource example removes two tags from a secret. For each tag, both key and value are removed.

    aws secretsmanager untag-resource \
        --secret-id MyTestSecret \
        --tag-keys '[ "FirstTag", "SecondTag"]'

AWS SDK
To change tags for your secret, use TagResource or UntagResource. For more information, see AWS SDKs.