Tag secrets - AWS Secrets Manager

Tag secrets

Secrets Manager defines a tag as a label consisting of a key that you define and an optional value. You can use tags to make it easy to manage, search, and filter secrets and other resources in your AWS account. When you tag your secrets, use a standard naming scheme across all of your resources. Tags are case sensitive. Never store sensitive information for a secret in a tag.

To find secrets with a specific tag, see Find secrets in AWS Secrets Manager.

Create tags for:

  • Security/access control – You can grant or deny access to a secret by checking the tags attached to the secret. See Example: Control access to secrets using tags.

  • Automation – You can use tags to filter resources for automation. For example, some customers run automated start/stop scripts to turn off development environments during non-business hours to reduce costs. You can create and then check for a tag indicating if a specific Amazon EC2 instance should be included in the shutdown.

  • Filtering – You can find secrets by tags in the console, AWS CLI, and SDKs. AWS also provides the Resource Groups tool to create a custom console that consolidates and organizes your resources based on their tags. For more information, see Working with Resource Groups in the AWS Management Console Getting Started Guide.

For more information, see AWS Tagging Strategies on the AWS Answers website.

You can tag your secrets when you create them or when you edit them.

To change tags for your secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. From the list of secrets, choose your secret.

  3. In the secret details page, in the Tags section, choose Edit. Tag key names and values are case sensitive, and tag keys must be unique.


To change tags for your secret, use the tag-resource or untag-resource operation.

The following example adds or replaces the tags with those provided by the --tags parameter. Tag key names and values are case sensitive, and tag keys must be unique. The parameter is expected to be a JSON array of Key and Value elements:

$ aws secretsmanager tag-resource --secret-id MySecret2 --tags Key=costcenter,Value=12345

The following example AWS CLI command removes the tags with the key "environment" from the specified secret:

$ aws secretsmanager untag-resource --secret-id MySecret2 --tag-keys 'environment'

The tag-resource command doesn't return any output.


To change tags for your secret, use TagResource or UntagResource. For more information, see AWS SDKs.