Secrets Manager
Overview
CloudMock emulates AWS Secrets Manager, providing secret lifecycle management including creation, retrieval, versioning, deletion with restore capability, and tagging.
Supported Operations
| Operation | Status | Notes |
|---|---|---|
| CreateSecret | Supported | Creates a secret with string or binary value |
| GetSecretValue | Supported | Returns the current secret value |
| PutSecretValue | Supported | Adds a new version of the secret |
| UpdateSecret | Supported | Updates secret metadata (description, KMS key) |
| DeleteSecret | Supported | Marks the secret for deletion (immediate in emulator) |
| RestoreSecret | Supported | Cancels a pending deletion |
| DescribeSecret | Supported | Returns secret metadata without the value |
| ListSecrets | Supported | Returns all secrets |
| TagResource | Supported | Adds tags to a secret |
| UntagResource | Supported | Removes tags from a secret |
Quick Start
```bash
# Create a secret
curl -X POST http://localhost:4566 \
  -H "X-Amz-Target: secretsmanager.CreateSecret" \
  -H "Content-Type: application/x-amz-json-1.1" \
  -d '{"Name": "/app/db-password", "SecretString": "supersecret"}'

# Get secret value
curl -X POST http://localhost:4566 \
  -H "X-Amz-Target: secretsmanager.GetSecretValue" \
  -H "Content-Type: application/x-amz-json-1.1" \
  -d '{"SecretId": "/app/db-password"}'
```
Node.js
```js
import { SecretsManagerClient, CreateSecretCommand, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';

const sm = new SecretsManagerClient({
  endpoint: 'http://localhost:4566',
  region: 'us-east-1',
  credentials: { accessKeyId: 'test', secretAccessKey: 'test' },
});

await sm.send(new CreateSecretCommand({
  Name: '/app/db-password',
  SecretString: 'supersecret',
}));

const { SecretString } = await sm.send(new GetSecretValueCommand({
  SecretId: '/app/db-password',
}));
console.log(SecretString); // supersecret
```
Python
```python
import boto3, json

sm = boto3.client('secretsmanager',
    endpoint_url='http://localhost:4566',
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-east-1')

sm.create_secret(
    Name='/app/config',
    SecretString=json.dumps({'host': 'db.local', 'password': 's3cr3t'}),
)

response = sm.get_secret_value(SecretId='/app/config')
config = json.loads(response['SecretString'])
print(config['host'])  # db.local
```
Configuration
```yaml
services:
  secretsmanager:
    enabled: true
```
No additional service-specific configuration is required.
Known Differences from AWS
- Secret versioning is tracked via version IDs but only the latest version is accessible without specifying a version ID.
- Automatic rotation is not implemented.
- Binary secrets (SecretBinary) are stored but returned as-is without base64 processing.
- Resource policies on secrets are not supported.
- Replication to other regions is not implemented.
Error Codes
| Code | HTTP Status | Description |
|---|---|---|
| ResourceNotFoundException | 400 | The specified secret does not exist |
| ResourceExistsException | 400 | A secret with this name already exists |
| InvalidParameterException | 400 | An input parameter is invalid |
| InvalidRequestException | 400 | The request is not valid (e.g., deleting an already-deleted secret) |
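
Because every error in the table above comes back as HTTP 400, a client has to branch on the error code rather than the status. The following is an added example, not CloudMock's own code: an idempotent test-fixture seeder that speaks the same `X-Amz-Target` protocol as the Quick Start curl calls. The helper names (`call`, `error_code`, `ensure_secret`) are hypothetical, and it assumes the error code is carried in the `__type` field of the response body, as in the AWS JSON 1.1 protocol.

```python
import json
import urllib.error
import urllib.request

ENDPOINT = "http://localhost:4566"  # emulator endpoint from the Quick Start


def call(action, payload, endpoint=ENDPOINT):
    """POST one Secrets Manager action; return (error_code_or_None, body)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(payload).encode(),
        headers={
            "X-Amz-Target": f"secretsmanager.{action}",
            "Content-Type": "application/x-amz-json-1.1",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return None, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # all documented errors are HTTP 400
        body = json.loads(err.read() or b"{}")
        return error_code(body), body


def error_code(body):
    """Extract the error code from an error body.
    Assumption: it is in "__type", optionally namespaced as "prefix#Code"."""
    return str(body.get("__type") or "Unknown").split("#")[-1]


def ensure_secret(name, value, send=call):
    """Create the secret, or add a new version if the name is already taken."""
    code, body = send("CreateSecret", {"Name": name, "SecretString": value})
    if code == "ResourceExistsException":
        code, body = send("PutSecretValue", {"SecretId": name, "SecretString": value})
    if code is not None:
        raise RuntimeError(f"{code}: {body.get('Message') or body.get('message')}")
    return body


if __name__ == "__main__":
    # Requires a running emulator; prints response metadata, not the secret value.
    print(ensure_secret("/app/db-password", "supersecret"))
```

The `send` parameter lets a test suite substitute a fake transport, so the create-then-update path can be exercised without a running emulator.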