Amazon Secrets Manager · Arazzo Workflow

Amazon Secrets Manager Tag Secret and Verify

Version 1.0.0

Attach tags to a secret with TagResource, then describe the secret to confirm the tags are present in its metadata.

1 workflow 1 source API 1 provider
Tags: Configuration, Credentials, Rotation, Secrets, Security, Arazzo, Workflows

Provider

amazon-secrets-manager

Workflows

tag-secret-and-verify
Apply tags to a secret and confirm they appear in its metadata.
Calls TagResource to attach the supplied tags to a secret, then calls DescribeSecret to verify the tags are present in the secret's metadata.
2 steps · inputs: SecretId, Tags · outputs: secretArn, tags
1. tagResource (TagResource): Attach the supplied key/value tags to the secret's metadata.
2. describeSecret (DescribeSecret): Read the secret metadata back to confirm the tags were applied.

Source API Descriptions

Arazzo Workflow Specification

amazon-secrets-manager-tag-secret-and-verify-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Tag Secret and Verify
  summary: Attach tags to a secret with TagResource, then describe the secret to confirm the tags are present in its metadata.
  description: >-
    The metadata governance pattern. The workflow attaches a set of key/value
    tags to a secret so it can be tracked for cost allocation, ownership, or
    access control, then calls DescribeSecret to read the Tags back and confirm
    they were applied. Every step inlines the AWS JSON 1.1 X-Amz-Target header
    and request payload so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
- name: secretsManagerApi
  url: ../openapi/amazon-secrets-manager-openapi.yml
  type: openapi
workflows:
- workflowId: tag-secret-and-verify
  summary: Apply tags to a secret and confirm they appear in its metadata.
  description: >-
    Calls TagResource to attach the supplied tags to a secret, then calls
    DescribeSecret to verify the tags are present in the secret's metadata.
  inputs:
    type: object
    required:
    - SecretId
    - Tags
    properties:
      SecretId:
        type: string
        description: The ARN or name of the secret to tag.
      Tags:
        type: array
        description: A list of Key/Value tag objects to attach to the secret.
        items:
          type: object
          properties:
            Key:
              type: string
            Value:
              type: string
  steps:
  - stepId: tagResource
    description: >-
      Attach the supplied key/value tags to the secret's metadata.
    operationId: TagResource
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.TagResource
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $inputs.SecretId
        Tags: $inputs.Tags
    successCriteria:
    - condition: $statusCode == 200
  - stepId: describeSecret
    description: >-
      Read the secret metadata back to confirm the tags were applied.
    operationId: DescribeSecret
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.DescribeSecret
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $inputs.SecretId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      secretArn: $response.body#/ARN
      tags: $response.body#/Tags
  outputs:
    secretArn: $steps.describeSecret.outputs.secretArn
    tags: $steps.describeSecret.outputs.tags
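
The describeSecret step's only success criterion is `$statusCode == 200`, so a caller that relies on these tags for ownership or access control still has to compare the returned Tags with what it sent. The following is an added example, not part of the published workflow: it builds the two unsigned requests the way the steps inline them and performs that comparison. `build_request`, `verify_tags` and the sample data are hypothetical names and constructed values; request signing and transport are left out.

```python
import json

CONTENT_TYPE = "application/x-amz-json-1.1"  # contentType used by both steps


def build_request(operation, payload):
    """Unsigned headers/body for one step, mirroring the workflow YAML."""
    return {
        "headers": {
            "Content-Type": CONTENT_TYPE,
            "X-Amz-Target": f"secretsmanager.{operation}",
        },
        "body": json.dumps(payload),
    }


def verify_tags(requested, describe_body):
    """Compare the requested tags with DescribeSecret's Tags; return problems."""
    # Treat a missing or null Tags field as "no tags" instead of raising.
    actual = {t["Key"]: t.get("Value", "") for t in describe_body.get("Tags") or []}
    problems = []
    for tag in requested:
        key, value = tag["Key"], tag.get("Value", "")
        if key not in actual:  # exact match: tag keys are case-sensitive
            problems.append(f"missing: {key}")
        elif actual[key] != value:
            problems.append(f"value mismatch: {key}")
    return problems


# Constructed sample data (not real AWS output); "Env" differs from "env" by case.
REQUESTED = [{"Key": "owner", "Value": "payments"}, {"Key": "env", "Value": "prod"}]
SAMPLE_DESCRIBE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-AbCdEf",
    "Tags": [{"Key": "owner", "Value": "payments"}, {"Key": "Env", "Value": "prod"}],
}

if __name__ == "__main__":
    step1 = build_request("TagResource", {"SecretId": "example", "Tags": REQUESTED})
    step2 = build_request("DescribeSecret", {"SecretId": "example"})
    print(step1["headers"], step2["headers"], sep="\n")
    print(verify_tags(REQUESTED, SAMPLE_DESCRIBE))
```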