Amazon Secrets Manager · Arazzo Workflow

Amazon Secrets Manager Update Metadata and Verify

Version 1.0.0

Update a secret's description and KMS key with UpdateSecret, then describe it to confirm the new metadata was applied.

1 workflow, 1 source API, 1 provider
Configuration, Credentials, Rotation, Secrets, Security, Arazzo, Workflows

Provider

amazon-secrets-manager

Workflows

update-metadata-and-verify
Update a secret's description and KMS key, then confirm via DescribeSecret.
Calls UpdateSecret to change the description and KMS key of an existing secret, then calls DescribeSecret to verify the new metadata was applied.
2 steps
inputs: Description, KmsKeyId, SecretId
outputs: description, kmsKeyId, secretArn
1. updateSecret (UpdateSecret): Modify the secret's description and KMS key without changing the secret value.
2. describeSecret (DescribeSecret): Read the secret metadata back to confirm the description and KMS key changes were applied.

Source API Descriptions

Arazzo Workflow Specification

amazon-secrets-manager-update-metadata-and-verify-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Update Metadata and Verify
  summary: Update a secret's description and KMS key with UpdateSecret, then describe it to confirm the new metadata was applied.
  description: >-
    The metadata maintenance pattern. The workflow modifies an existing secret's
    description and the KMS key used to encrypt it with UpdateSecret, then calls
    DescribeSecret to read the metadata back and confirm the changes were
    applied without touching the secret value itself. Every step inlines the AWS
    JSON 1.1 X-Amz-Target header and request payload so the flow is
    self-describing.
  version: 1.0.0
sourceDescriptions:
- name: secretsManagerApi
  url: ../openapi/amazon-secrets-manager-openapi.yml
  type: openapi
workflows:
- workflowId: update-metadata-and-verify
  summary: Update a secret's description and KMS key, then confirm via DescribeSecret.
  description: >-
    Calls UpdateSecret to change the description and KMS key of an existing
    secret, then calls DescribeSecret to verify the new metadata was applied.
  inputs:
    type: object
    required:
    - SecretId
    - Description
    properties:
      SecretId:
        type: string
        description: The ARN or name of the secret to update.
      Description:
        type: string
        description: The new description to set on the secret.
      KmsKeyId:
        type: string
        description: The ARN, key ID, or alias of the KMS key to encrypt the secret.
  steps:
  - stepId: updateSecret
    description: >-
      Modify the secret's description and KMS key without changing the secret
      value.
    operationId: UpdateSecret
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.UpdateSecret
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $inputs.SecretId
        Description: $inputs.Description
        KmsKeyId: $inputs.KmsKeyId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      secretArn: $response.body#/ARN
      versionId: $response.body#/VersionId
  - stepId: describeSecret
    description: >-
      Read the secret metadata back to confirm the description and KMS key
      changes were applied.
    operationId: DescribeSecret
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.DescribeSecret
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $steps.updateSecret.outputs.secretArn
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      description: $response.body#/Description
      kmsKeyId: $response.body#/KmsKeyId
      lastChangedDate: $response.body#/LastChangedDate
  outputs:
    secretArn: $steps.updateSecret.outputs.secretArn
    description: $steps.describeSecret.outputs.description
    kmsKeyId: $steps.describeSecret.outputs.kmsKeyId
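
The describeSecret step above succeeds on any 200 response, so comparing the returned Description and KmsKeyId with the inputs is left to whoever consumes the workflow outputs. The Python check below is an added example, not part of the workflow file or the provider's code; the function names and sample values are constructed, and it assumes the caller may pass a key ARN, key ID or alias while the response may carry a different form of the same identifier.

```python
# Constructed sample values (placeholder account ID and key ID).
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
INPUTS = {
    "SecretId": "prod/db-credentials",
    "Description": "Primary DB credentials, rotated by ops",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/" + KEY_ID,
}
APPLIED = {"Description": INPUTS["Description"], "KmsKeyId": KEY_ID}
STALE = {"Description": "old text"}  # update not reflected, KmsKeyId absent


def update_secret_payload(inputs):
    """Build the UpdateSecret body; leave KmsKeyId out when the optional input is absent."""
    body = {"SecretId": inputs["SecretId"], "Description": inputs["Description"]}
    if inputs.get("KmsKeyId"):
        body["KmsKeyId"] = inputs["KmsKeyId"]
    return body


def normalize_key(value):
    """Reduce a key ARN to its key ID and an alias ARN to 'alias/<name>'."""
    if ":alias/" in value:
        return "alias/" + value.split(":alias/", 1)[1]
    if ":key/" in value:
        return value.split(":key/", 1)[1]
    return value


def verify_metadata(inputs, describe_body):
    """Return the mismatches between requested metadata and a DescribeSecret body."""
    problems = []
    if describe_body.get("Description") != inputs["Description"]:
        problems.append("Description not applied")
    wanted = inputs.get("KmsKeyId")
    if wanted:
        got = describe_body.get("KmsKeyId")
        if got is None:
            problems.append("KmsKeyId missing from response")
        # An alias and a key ID cannot be reconciled without a KMS lookup,
        # so that combination is reported as a mismatch for manual review.
        elif normalize_key(wanted) != normalize_key(got):
            problems.append("KmsKeyId not applied: " + got)
    return problems


if __name__ == "__main__":
    print(verify_metadata(INPUTS, APPLIED), verify_metadata(INPUTS, STALE))
```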