Create a secret - AWS Secrets Manager

Create a secret

To store API keys, access tokens, credentials that aren't for databases, and other secrets in Secrets Manager, follow these steps.

To create a secret, you need the permissions granted by the SecretsManagerReadWrite AWS managed policy.

To create a secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. Choose Store a new secret.

  3. On the Choose secret type page, do the following:

    1. For Secret type, choose Other type of secret.

    2. Either enter your secret in Key/value pairs, or choose the Plaintext tab and enter the secret in any format. We recommend JSON. You can store up to 65536 bytes in the secret.

    3. For Encryption key, choose the AWS KMS key that Secrets Manager uses to encrypt the secret value:

      • For most cases, choose aws/secretsmanager to use the AWS managed key for Secrets Manager. There is no cost for using this key.

      • If you need to access the secret from another AWS account, choose a customer managed key from the list or choose Add new key to create one. You will be charged for KMS keys that you create.

        You must have the following permissions to the key: kms:Encrypt, kms:Decrypt, and kms:GenerateDataKey. For more information about cross-account access, see Permissions for users in a different account.

    4. Choose Next.

  4. On the Configure secret page, do the following:

    1. Enter a descriptive Secret name and Description.

    2. (Optional) In the Tags section, add tags to your secret. For tagging strategies, see Tag secrets. Don't store sensitive information in tags because they aren't encrypted.

    3. (Optional) In Resource permissions, to add a resource policy to your secret, choose Edit permissions. For more information, see Attach a permissions policy to a secret.

    4. (Optional) In Replicate secret, to replicate your secret to another AWS Region, choose Replicate secret. You can replicate your secret now or come back and replicate it later. For more information, see Replicate a secret to other Regions.

    5. Choose Next.

  5. (Optional) On the Configure rotation page, you can turn on automatic rotation. You can also keep rotation off for now and then turn it on later. For more information, see Rotate secrets. Choose Next.

  6. On the Review page, review your secret details, and then choose Store.

    Secrets Manager returns to the list of secrets. If your new secret doesn't appear, choose the refresh button.

AWS CLI

To create a secret by using the AWS CLI, you first create a JSON file or binary file that contains your secret. Then you use the create-secret operation.

To create a secret

  1. Create your secret in a file, for example a JSON file named mycreds.json.

    {
        "username": "saanvi",
        "password": "EXAMPLE-PASSWORD"
    }

  2. In the AWS CLI, use the following command.

    $ aws secretsmanager create-secret --name MySecret --secret-string file://mycreds.json

    The following shows the output.

    {
        "SecretARN": "arn:aws:secretsmanager:Region:AccountId:secret:MySecret-a1b2c3",
        "SecretName": "MySecret",
        "SecretVersionId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE"
    }

AWS SDK

To create a secret by using one of the AWS SDKs, use the CreateSecret action. For more information, see AWS SDKs.
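
The following is an added example, not AWS's own code: a Python pre-flight check that applies the constraints on this page before calling CreateSecret through boto3 (the 65536-byte limit, the customer managed key needed for cross-account access, and the warning that tags aren't encrypted). The function names, the `cross_account` flag, and the sample values are assumptions made for illustration.

```python
import json

MAX_SECRET_BYTES = 65536                # size limit stated on this page
AWS_MANAGED_KEY = "aws/secretsmanager"  # AWS managed key named on this page


def build_create_secret_request(name, secret, description="", tags=None,
                                kms_key_id=None, cross_account=False):
    """Validate a secret against this page's constraints and return
    keyword arguments for boto3's secretsmanager create_secret()."""
    if not isinstance(secret, dict) or not secret:
        raise ValueError("secret must be a non-empty dict of key/value pairs")
    secret_string = json.dumps(secret)  # JSON is the recommended format
    size = len(secret_string.encode("utf-8"))
    if size > MAX_SECRET_BYTES:
        raise ValueError(f"secret is {size} bytes; limit is {MAX_SECRET_BYTES}")

    # Access from another account needs a customer managed key,
    # not the default aws/secretsmanager key.
    default_keys = (None, AWS_MANAGED_KEY, "alias/" + AWS_MANAGED_KEY)
    if cross_account and kms_key_id in default_keys:
        raise ValueError("cross-account access requires a customer managed KMS key")

    # Tags are not encrypted: refuse any tag that repeats a secret value.
    tags = tags or {}
    secret_values = {str(v) for v in secret.values() if str(v)}
    for key, value in tags.items():
        if key in secret_values or value in secret_values:
            raise ValueError(f"tag {key!r} contains a secret value")

    request = {"Name": name, "SecretString": secret_string}
    if description:
        request["Description"] = description
    if kms_key_id:
        request["KmsKeyId"] = kms_key_id
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def store_secret(region, **kwargs):
    """Send the validated request; needs boto3 and AWS credentials."""
    import boto3  # imported here so validation works without the SDK
    client = boto3.client("secretsmanager", region_name=region)
    return client.create_secret(**build_create_secret_request(**kwargs))
```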