Tag Amazon Secrets Manager secrets - Amazon Secrets Manager

Tag Amazon Secrets Manager secrets

Secrets Manager defines a tag as a label consisting of a key that you define and an optional value. You can use tags to make it easy to manage, search, and filter secrets and other resources in your Amazon account. When you tag your secrets, use a standard naming scheme across all of your resources. For more information, see the Tagging Best Practices whitepaper.

You can grant or deny access to a secret by checking the tags attached to the secret. For more information, see Example: Control access to secrets using tags.

You can find secrets by tags in the console, Amazon CLI, and SDKs. Amazon also provides the Resource Groups tool to create a custom console that consolidates and organizes your resources based on their tags. To find secrets with a specific tag, see Find secrets in Amazon Secrets Manager. Secrets Manager doesn't support tag-based cost allocation.

Never store sensitive information for a secret in a tag.

For tag quotas and naming restrictions, see Service quotas for Tagging in the Amazon General Reference guide. Tags are case sensitive.
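The following audit is an added example, not part of the Secrets Manager documentation. It reads a document in the shape returned by `aws secretsmanager list-secrets` and reports tags that appear to hold sensitive data, plus tag keys that differ only by case. The sample listing, the regular expressions, and the function name `audit_tags` are assumptions made for this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of `aws secretsmanager list-secrets` output.
# The access key ID is the placeholder value used in AWS documentation.
SAMPLE = json.loads("""
{"SecretList": [
  {"Name": "MyTestSecret", "Tags": [
    {"Key": "Environment", "Value": "prod"},
    {"Key": "DbPassword", "Value": "constructed-not-a-real-password"}]},
  {"Name": "BillingApi", "Tags": [
    {"Key": "environment", "Value": "prod"},
    {"Key": "Owner", "Value": "AKIAIOSFODNN7EXAMPLE"}]},
  {"Name": "Untagged"}
]}
""")

# Heuristics chosen for this example; tune them to your own naming scheme.
SENSITIVE_KEY = re.compile(r"passw(or)?d|token|api[_-]?key", re.I)
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/=]{32,}$")

def audit_tags(listing):
    """Return (secret, tag key, reason) findings for a list-secrets document."""
    findings = []
    spellings = defaultdict(set)  # lowercased key -> spellings seen
    for secret in listing.get("SecretList", []):
        for tag in secret.get("Tags", []):  # untagged secrets have no Tags
            key, value = tag["Key"], tag.get("Value", "")
            spellings[key.lower()].add(key)
            if value and SENSITIVE_KEY.search(key):
                findings.append((secret["Name"], key, "sensitive-looking key"))
            elif ACCESS_KEY_ID.search(value) or OPAQUE_BLOB.match(value):
                findings.append((secret["Name"], key, "credential-like value"))
    # Tags are case sensitive, so Environment and environment are different tags.
    for variants in spellings.values():
        if len(variants) > 1:
            findings.append(("*", "/".join(sorted(variants)), "case-variant keys"))
    return findings

if __name__ == "__main__":
    for finding in audit_tags(SAMPLE):
        print(*finding, sep="\t")
```

To audit a real account, load the saved JSON output of `list-secrets` in place of `SAMPLE`.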

Secrets Manager generates a CloudTrail log entry when you tag or untag a secret. For more information, see Log Amazon Secrets Manager events with Amazon CloudTrail.

To change tags for your secret (console)
  1. Open the Secrets Manager console at https://console.amazonaws.cn/secretsmanager/.

  2. From the list of secrets, choose your secret.

  3. In the secret details page, on the Tags tab, choose Edit tags. Tag key names and values are case sensitive, and tag keys must be unique.

Amazon CLI

Example Add a tag to a secret

The following tag-resource example shows how to attach a tag with shorthand syntax.

aws secretsmanager tag-resource \
    --secret-id MyTestSecret \
    --tags Key=FirstTag,Value=FirstValue

Example Add multiple tags to a secret

The following tag-resource example attaches two key-value tags to a secret.

aws secretsmanager tag-resource \
    --secret-id MyTestSecret \
    --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'

Example Remove tags from a secret

The following untag-resource example removes two tags from a secret. For each tag, both key and value are removed.

aws secretsmanager untag-resource \
    --secret-id MyTestSecret \
    --tag-keys '[ "FirstTag", "SecondTag"]'

Amazon SDK

To change tags for your secret, use TagResource or UntagResource. For more information, see Amazon SDKs.