Secrets Manager

Protocol: JSON 1.1 (X-Amz-Target: secretsmanager.*)
Endpoint: POST http://localhost:4566/

Supported Actions

Action                 Description
---------------------  ---------------------------------------------
CreateSecret           Create a new secret
GetSecretValue         Retrieve the current secret value
PutSecretValue         Update the secret value (creates a new version)
UpdateSecret           Update secret metadata or value
DescribeSecret         Get secret metadata and version info
ListSecrets            List all secrets
DeleteSecret           Delete a secret (with recovery window)
RotateSecret           Trigger secret rotation via a Lambda
ListSecretVersionIds   List all versions of a secret
GetResourcePolicy      Get the resource policy
PutResourcePolicy      Attach a resource policy
DeleteResourcePolicy   Remove the resource policy
TagResource            Tag a secret
UntagResource          Remove tags

Configuration

floci:
  services:
    secretsmanager:
      enabled: true
      default-recovery-window-days: 30   # Days before a deleted secret is purged

Examples

export AWS_ENDPOINT=http://localhost:4566

# Create a string secret
aws secretsmanager create-secret \
  --name /app/database-url \
  --secret-string "postgresql://admin:secret@localhost/mydb" \
  --endpoint-url $AWS_ENDPOINT

# Create a JSON secret
aws secretsmanager create-secret \
  --name /app/api-keys \
  --secret-string '{"stripe":"sk_test_xxx","sendgrid":"SG.xxx"}' \
  --endpoint-url $AWS_ENDPOINT

# Retrieve a secret
aws secretsmanager get-secret-value \
  --secret-id /app/database-url \
  --endpoint-url $AWS_ENDPOINT

# Update a secret
aws secretsmanager put-secret-value \
  --secret-id /app/database-url \
  --secret-string "postgresql://admin:new-password@localhost/mydb" \
  --endpoint-url $AWS_ENDPOINT

# List secrets
aws secretsmanager list-secrets --endpoint-url $AWS_ENDPOINT

# Delete (with recovery window)
aws secretsmanager delete-secret \
  --secret-id /app/database-url \
  --recovery-window-in-days 7 \
  --endpoint-url $AWS_ENDPOINT

# Delete immediately (no recovery)
aws secretsmanager delete-secret \
  --secret-id /app/database-url \
  --force-delete-without-recovery \
  --endpoint-url $AWS_ENDPOINT
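The CLI calls above all reduce to the wire format named at the top of the page: one POST to the endpoint with the action in X-Amz-Target and the parameters as a JSON 1.1 body. The following Python is an added example, not part of this page or of the floci project, showing what a client has to get right when it talks to that endpoint directly: building the request, handling both SecretString and SecretBinary in a GetSecretValue response, validating the DeleteSecret recovery window (7 to 30 days, defaulting to the 30 configured above), and masking the password in a connection-string secret before it reaches a log line. The endpoint, target prefix and default window come from the page; the secret values and timestamps are constructed sample data.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

ENDPOINT = "http://localhost:4566/"        # emulator endpoint from the page
TARGET_PREFIX = "secretsmanager."          # X-Amz-Target prefix for the JSON 1.1 protocol
DEFAULT_RECOVERY_WINDOW_DAYS = 30          # mirrors default-recovery-window-days above

# Constructed sample timestamp, used by the stand-alone demo below.
EXAMPLE_DELETED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def build_request(action, params):
    """Return (headers, body) for one Secrets Manager call over JSON 1.1.

    Every CLI example on the page is sent to the emulator in this shape:
    the action in X-Amz-Target, the parameters as a compact JSON object.
    """
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": TARGET_PREFIX + action,
    }
    body = json.dumps(params, separators=(",", ":"))
    return headers, body


def parse_secret_value(response):
    """Extract the secret from a GetSecretValue response.

    The service returns either SecretString (text or JSON) or SecretBinary
    (base64 on the wire). A client that only reads SecretString will
    silently return nothing for binary secrets, so handle both and fail
    loudly when neither is present.
    """
    if "SecretString" in response:
        return response["SecretString"]
    if "SecretBinary" in response:
        return base64.b64decode(response["SecretBinary"])
    raise ValueError("response carries neither SecretString nor SecretBinary")


def is_valid_recovery_window(days):
    """DeleteSecret accepts a recovery window of 7 to 30 days (AWS limits)."""
    return 7 <= days <= 30


def scheduled_deletion(deleted_at, recovery_window_days=None):
    """Compute the DeletionDate for a DeleteSecret call.

    A missing window falls back to the configured default; an out-of-range
    window is rejected before any request is built.
    """
    days = DEFAULT_RECOVERY_WINDOW_DAYS if recovery_window_days is None else recovery_window_days
    if not is_valid_recovery_window(days):
        raise ValueError(f"recovery window must be 7..30 days, got {days}")
    return deleted_at + timedelta(days=days)


def mask_url_password(value):
    """Mask the password component of a URL-shaped secret for logging.

    Non-URL secrets (for example the JSON api-keys secret) are returned
    unchanged; callers should still log the secret id, not the value.
    """
    parts = urlsplit(value)
    if parts.password is None:
        return value
    netloc = f"{parts.username or ''}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: the create-secret call from the page, as raw JSON 1.1.
    headers, body = build_request(
        "CreateSecret",
        {"Name": "/app/database-url",
         "SecretString": "postgresql://admin:secret@localhost/mydb"},
    )
    print("POST", ENDPOINT, headers)
    print(mask_url_password(json.loads(body)["SecretString"]))
    print("deletion scheduled for", scheduled_deletion(EXAMPLE_DELETED_AT, 7).isoformat())
```

Run it stand-alone to see the exact headers the CLI would send for create-secret; the printed connection string has its password masked, which is the shape a log line for this secret should take.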