Tag AWS Secrets Manager secrets - AWS Secrets Manager

Tag AWS Secrets Manager secrets

Secrets Manager defines a tag as a label consisting of a key that you define and an optional value. You can use tags to make it easy to manage, search, and filter secrets and other resources in your AWS account. When you tag your secrets, use a standard naming scheme across all of your resources. For more information, see the Tagging Best Practices whitepaper.

You can grant or deny access to a secret by checking the tags attached to the secret. For more information, see Example: Control access to secrets using tags.

You can find secrets by tags in the console, AWS CLI, and SDKs. AWS also provides the Resource Groups tool to create a custom console that consolidates and organizes your resources based on their tags. To find secrets with a specific tag, see Find secrets in AWS Secrets Manager. Secrets Manager doesn't support tag-based cost allocation.

Never store sensitive information for a secret in a tag.

For tag quotas and naming restrictions, see Service quotas for Tagging in the AWS General Reference guide. Tags are case sensitive.
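The rules above (no sensitive data in tags, case-sensitive and unique keys) can be checked before a tag set is applied. The following linter is an added example, not AWS code: it takes the same JSON list format that `--tags` accepts, and its patterns and thresholds are assumptions chosen for illustration.

```python
import json
import math
import re
from collections import Counter

# Heuristic patterns (assumptions for this example, not an AWS-defined list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key", re.I)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

def shannon_entropy(text):
    """Bits per character; long random-looking strings score high."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def lint_tags(tags_json):
    """Return a list of (tag_key, finding) for a JSON tag list in CLI --tags format."""
    findings = []
    seen_exact, seen_folded = set(), {}
    for tag in json.loads(tags_json):
        key, value = tag["Key"], tag.get("Value", "")
        # Keys are case sensitive, so "Environment" and "environment" are two tags;
        # a policy condition written against one silently ignores the other.
        if key in seen_exact:
            findings.append((key, "duplicate key"))
        elif key.lower() in seen_folded:
            findings.append((key, f"differs only by case from {seen_folded[key.lower()]!r}"))
        seen_exact.add(key)
        seen_folded.setdefault(key.lower(), key)
        # Tags are not a place for secret material.
        if SENSITIVE_KEY.search(key) and value:
            findings.append((key, "key name suggests the value is a credential"))
        if AWS_ACCESS_KEY_ID.search(value):
            findings.append((key, "value looks like an AWS access key ID"))
        elif len(value) >= 20 and shannon_entropy(value) >= 4.0:
            findings.append((key, "long high-entropy value"))
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE_TAGS = json.dumps([
    {"Key": "Environment", "Value": "prod"},
    {"Key": "environment", "Value": "staging"},
    {"Key": "DbPassword", "Value": "hunter2-example"},
    {"Key": "Owner", "Value": "AKIAIOSFODNN7EXAMPLE"},
    {"Key": "BuildRef", "Value": "q8Zr2LxV0pT7mKc4Wn9JbYd3"},
])

if __name__ == "__main__":
    for key, finding in lint_tags(SAMPLE_TAGS):
        print(f"{key}: {finding}")
```

The findings are heuristic, so treat them as prompts for review before running `tag-resource` rather than as a definitive verdict.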

Secrets Manager generates a CloudTrail log entry when you tag or untag a secret. For more information, see Log AWS Secrets Manager events with AWS CloudTrail.

To change tags for your secret (console)
  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. From the list of secrets, choose your secret.

  3. In the secret details page, on the Tags tab, choose Edit tags. Tag key names and values are case sensitive, and tag keys must be unique.

AWS CLI

Example Add a tag to a secret

The following tag-resource example shows how to attach a tag with shorthand syntax.

    aws secretsmanager tag-resource \
        --secret-id MyTestSecret \
        --tags Key=FirstTag,Value=FirstValue

Example Add multiple tags to a secret

The following tag-resource example attaches two key-value tags to a secret.

    aws secretsmanager tag-resource \
        --secret-id MyTestSecret \
        --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'

Example Remove tags from a secret

The following untag-resource example removes two tags from a secret. For each tag, both key and value are removed.

    aws secretsmanager untag-resource \
        --secret-id MyTestSecret \
        --tag-keys '[ "FirstTag", "SecondTag"]'

AWS SDK

To change tags for your secret, use TagResource or UntagResource. For more information, see AWS SDKs.