Create Secrets Manager Secret

Action ID: harmonix:create-secret
NPM Package: @aws/plugin-scaffolder-backend-aws-apps-for-backstage

Description

Creates a secret in AWS Secrets Manager and returns its ARN.

Input Schema

Property       Type     Description   Required
tags           array    -
region         string   -
secretName     string   -
description    string   -

Output Schema

Property       Type     Description   Required
awsSecretArn   string   -
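As an added example (not code from the harmonix plugin or from this page), the TypeScript below shows how a caller might validate an input block for this action against AWS Secrets Manager's documented limits before any API call, map it to the parameter shape of the CreateSecret API, resolve the optional region, and parse the awsSecretArn output that later steps consume. The function and type names, the sample input and the resolved parameter values are assumptions made for this example; the length and character limits are Secrets Manager's documented constraints.

```typescript
// Added example, not code from the harmonix plugin or this page: validates an
// input block for harmonix:create-secret against AWS Secrets Manager's documented
// limits, maps it to the parameter shape of the CreateSecret API, and parses the
// awsSecretArn output. No SDK is imported, so it runs offline. Function and type
// names are assumptions chosen for this example.

interface SecretTag { Key: string; Value: string }

// Mirrors the action's Input Schema: only secretName is required.
interface CreateSecretActionInput {
  secretName: string;
  description?: string;
  region?: string;
  tags?: SecretTag[];
}

// Parameter shape of Secrets Manager's CreateSecret API (subset used here).
interface CreateSecretParams {
  Name: string;
  Description?: string;
  Tags?: SecretTag[];
}

// Secrets Manager limits: secret names are 1-512 chars of ASCII letters, digits
// and /_+=.@- ; descriptions are at most 2048 chars; at most 50 tags, keys
// 1-128 chars, values 0-256 chars, and keys starting with "aws:" are reserved.
const SECRET_NAME_RE = /^[A-Za-z0-9\/_+=.@-]{1,512}$/;
// AWS region codes such as us-west-2, ap-southeast-1 or us-gov-west-1.
const REGION_RE = /^[a-z]{2}(-[a-z]+)+-\d+$/;

function validateCreateSecretInput(input: CreateSecretActionInput): string[] {
  const errors: string[] = [];
  if (!SECRET_NAME_RE.test(input.secretName)) {
    errors.push(`secretName ${JSON.stringify(input.secretName)} must be 1-512 chars of [A-Za-z0-9/_+=.@-]`);
  }
  if (input.description !== undefined && input.description.length > 2048) {
    errors.push('description exceeds 2048 characters');
  }
  if (input.region !== undefined && !REGION_RE.test(input.region)) {
    errors.push(`region ${JSON.stringify(input.region)} is not an AWS region code`);
  }
  const tags = input.tags ?? [];
  if (tags.length > 50) errors.push('at most 50 tags are allowed');
  const seen = new Set<string>();
  for (const tag of tags) {
    if (tag.Key.length < 1 || tag.Key.length > 128) errors.push(`tag key ${JSON.stringify(tag.Key)} must be 1-128 chars`);
    if (tag.Value.length > 256) errors.push(`tag value for key ${tag.Key} exceeds 256 chars`);
    if (tag.Key.toLowerCase().startsWith('aws:')) errors.push(`tag key ${tag.Key} uses the reserved aws: prefix`);
    if (seen.has(tag.Key)) errors.push(`duplicate tag key ${tag.Key}`);
    seen.add(tag.Key);
  }
  return errors;
}

// Builds the CreateSecret parameters, refusing invalid input before any API call.
function buildCreateSecretParams(input: CreateSecretActionInput): CreateSecretParams {
  const errors = validateCreateSecretInput(input);
  if (errors.length > 0) throw new Error(`invalid create-secret input: ${errors.join('; ')}`);
  const params: CreateSecretParams = { Name: input.secretName };
  if (input.description) params.Description = input.description;
  if (input.tags && input.tags.length > 0) {
    params.Tags = input.tags.map(t => ({ Key: t.Key, Value: t.Value }));
  }
  return params;
}

// The region input is optional; an absent value falls back to the caller's default.
function resolveRegion(input: CreateSecretActionInput, defaultRegion: string): string {
  return input.region ?? defaultRegion;
}

// awsSecretArn has the form arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<6 random chars>;
// Secrets Manager appends the hyphen and six characters itself.
function parseSecretArn(arn: string): { partition: string; region: string; account: string; name: string } | null {
  const m = /^arn:(aws(?:-[a-z]+)?):secretsmanager:([a-z0-9-]+):(\d{12}):secret:(.+)-[A-Za-z0-9]{6}$/.exec(arn);
  if (m === null) return null;
  return { partition: m[1], region: m[2], account: m[3], name: m[4] };
}

// Constructed sample input mirroring the first usage example, with componentId
// resolved to "orders-api" and owner to "team-payments" (both assumed values).
const SAMPLE_INPUT: CreateSecretActionInput = {
  secretName: 'orders-api-db-password',
  description: 'Database password for orders-api',
  tags: [
    { Key: 'Environment', Value: 'development' },
    { Key: 'Owner', Value: 'team-payments' },
  ],
};

console.log(JSON.stringify(buildCreateSecretParams(SAMPLE_INPUT), null, 2));
console.log(parseSecretArn('arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-api-db-password-AbCd12'));
```

Because secretName and the tag values are usually assembled from template parameters such as `${{ parameters.componentId }}`, running a check like this on the rendered input surfaces a malformed name or a reserved tag key before the scaffolder run fails part-way through with a partially created resource set.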

Usage Examples

Create a service database password secret with description and tags

Creates a service-specific secret in the default AWS region. Use this when bootstrapping a new service and you want a named secret with basic metadata.

steps:
  - id: fetchBase
    name: Fetch skeleton
    action: fetch:template
    input:
      url: ./skeletons/service
      targetPath: .
      values:
        name: ${{ parameters.componentId }}
        owner: ${{ parameters.owner }}

  - id: createDbSecret
    name: Create DB password secret
    action: harmonix:create-secret
    input:
      secretName: ${{ parameters.componentId }}-db-password
      description: Database password for ${{ parameters.componentId }}
      tags:
        - Key: Environment
          Value: development
        - Key: Owner
          Value: ${{ parameters.owner }}

  - id: logArn
    name: Log created secret ARN
    action: debug:log
    input:
      message: Created secret ARN ${{ steps.createDbSecret.output.awsSecretArn }}

  - id: publishRepo
    name: Publish to GitHub
    action: publish:github
    input:
      repoUrl: github.com?owner=${{ parameters.repoOwner }}&repo=${{ parameters.componentId }}
      defaultBranch: main
      repoVisibility: private

This example references fetch:template, debug:log, and publish:github.


Create a production API key secret in a specific AWS region

Creates a production secret in us-west-2 with tagging. Use this when you need the secret to live in a specific region for latency or compliance.

steps:
  - id: fetchBase
    name: Fetch service template
    action: fetch:template
    input:
      url: ./templates/node-service
      targetPath: .
      values:
        name: ${{ parameters.componentId }}
        system: ${{ parameters.system }}

  - id: createProdApiKey
    name: Create prod API key secret
    action: harmonix:create-secret
    input:
      secretName: ${{ parameters.componentId }}-prod-api-key
      description: Production API key for ${{ parameters.componentId }}
      region: us-west-2
      tags:
        - Key: Environment
          Value: production
        - Key: Service
          Value: ${{ parameters.componentId }}
        - Key: Compliance
          Value: pci

  - id: register
    name: Register in catalog
    action: catalog:register
    input:
      catalogInfoUrl: https://github.com/${{ parameters.repoOwner }}/${{ parameters.componentId }}/blob/main/catalog-info.yaml

This example references fetch:template and catalog:register.


Parameterized secret name per environment

Builds the secret name from template parameters so each environment gets its own secret. Use this when creating staging resources alongside production.

steps:
  - id: fetchBase
    name: Fetch base template
    action: fetch:template
    input:
      url: ./templates/service
      targetPath: .
      values:
        name: ${{ parameters.componentId }}
        env: ${{ parameters.environment }}

  - id: createEnvSecret
    name: Create environment-specific secret
    action: harmonix:create-secret
    input:
      secretName: ${{ parameters.componentId }}-${{ parameters.environment }}-oauth-client-secret
      description: OAuth client secret for ${{ parameters.componentId }} in ${{ parameters.environment }}
      tags:
        - Key: Environment
          Value: ${{ parameters.environment }}
        - Key: Owner
          Value: ${{ parameters.owner }}
        - Key: Project
          Value: ${{ parameters.project }}

  - id: logArn
    name: Log secret ARN
    action: debug:log
    input:
      message: Secret for ${{ parameters.environment }} created at ${{ steps.createEnvSecret.output.awsSecretArn }}

This example references fetch:template and debug:log.


Create a region-parameterized secret and publish the repo

Creates a secret in a region chosen by the user and then publishes the repository. Use this when teams deploy to different AWS regions.

steps:
  - id: fetchBase
    name: Fetch template
    action: fetch:template
    input:
      url: ./templates/python-service
      targetPath: .
      values:
        name: ${{ parameters.componentId }}

  - id: createRegionalSecret
    name: Create regional GitHub token secret
    action: harmonix:create-secret
    input:
      secretName: ${{ parameters.componentId }}-${{ parameters.region }}-github-token
      description: GitHub token for CI in ${{ parameters.region }}
      region: ${{ parameters.region }}
      tags:
        - Key: Environment
          Value: ci
        - Key: Region
          Value: ${{ parameters.region }}
        - Key: Owner
          Value: ${{ parameters.owner }}

  - id: publishRepo
    name: Publish repository
    action: publish:github
    input:
      repoUrl: github.com?owner=${{ parameters.repoOwner }}&repo=${{ parameters.componentId }}
      defaultBranch: ${{ parameters.defaultBranch }}
      repoVisibility: internal

This example references fetch:template and publish:github.


Minimal secret creation with only the required input

Creates a secret with only the name, relying on the default AWS region and no tags. Use this for quick prototypes or internal tools.

steps:
  - id: fetchBase
    name: Fetch quickstart template
    action: fetch:template
    input:
      url: ./quickstarts/service
      targetPath: .
      values:
        name: ${{ parameters.componentId }}

  - id: createMinimalSecret
    name: Create minimal secret
    action: harmonix:create-secret
    input:
      secretName: ${{ parameters.componentId }}-internal-token

  - id: logArn
    name: Log ARN
    action: debug:log
    input:
      message: Minimal secret created at ${{ steps.createMinimalSecret.output.awsSecretArn }}

This example references fetch:template and debug:log.