Creates a new secret in AWS Secrets Manager
Input Schema
| Property | Type | Description | Required |
|---|---|---|---|
| name | string | - | |
| tags | array | - | |
| value | string | - | |
| region | string | - | |
| profile | string | - | |
| description | string | - | |
Output Schema
Usage Examples
Create a database password secret during service scaffolding
Creates a secret for a service database password with a clear naming convention and tags. Use this right after fetch:template and before publish:github.
```yaml
steps:
  - id: fetch-template
    action: fetch:template
    input:
      url: ./template
      targetPath: ./workspace
      values:
        serviceName: ${{ parameters.serviceName }}
        owner: ${{ parameters.owner }}
  - id: create-db-password-secret
    action: roadiehq:aws:secrets-manager:create
    input:
      name: /services/${{ parameters.serviceSlug }}/db/password
      region: ${{ parameters.awsRegion }}
      description: Database password for ${{ parameters.serviceName }}. Managed by Backstage.
      value: ${{ parameters.dbPassword }}
      tags:
        - Key: Environment
          Value: prod
        - Key: Service
          Value: ${{ parameters.serviceSlug }}
        - Key: Owner
          Value: platform-team
  - id: publish-repo
    action: publish:github
    input:
      repoUrl: github.com?owner=acme-inc&repo=${{ parameters.repoName }}
```

Pre-provision an empty secret for a CI token in a separate AWS account
Creates a placeholder secret with no value using a specific AWS profile, so your CI pipeline can set it later. Place this between fetch:template and publish:github.
```yaml
steps:
  - id: fetch-template
    action: fetch:template
    input:
      url: ./template
      targetPath: ./workspace
      values:
        serviceName: ${{ parameters.serviceName }}
  - id: create-ci-token-secret
    action: roadiehq:aws:secrets-manager:create
    input:
      name: /services/${{ parameters.serviceSlug }}/ci/github-token
      region: ${{ parameters.awsRegion }}
      description: Placeholder for CI GitHub token. Value will be set by the pipeline.
      profile: ${{ parameters.awsProfile }}
      tags:
        - Key: Environment
          Value: staging
        - Key: Service
          Value: ${{ parameters.serviceSlug }}
        - Key: ManagedBy
          Value: Backstage
  - id: publish
    action: publish:github
    input:
      repoUrl: github.com?owner=acme-inc&repo=${{ parameters.repoName }}
```

Store JSON credentials for an external API
Stores a JSON blob as a single secret value for external API credentials. Use when the parameter collects JSON from the user and you want a consistent secret path before publish:github.
```yaml
steps:
  - id: fetch-code
    action: fetch:template
    input:
      url: ./skeleton
      targetPath: ./workspace
      values:
        serviceName: ${{ parameters.serviceName }}
  - id: create-api-credentials-secret
    action: roadiehq:aws:secrets-manager:create
    input:
      name: /services/${{ parameters.serviceSlug }}/${{ parameters.environment }}/external-api/credentials
      region: eu-west-1
      description: External API credentials used by ${{ parameters.serviceName }}.
      value: ${{ parameters.externalApiCredentialsJson }}
      tags:
        - Key: Environment
          Value: ${{ parameters.environment }}
        - Key: Type
          Value: api
        - Key: Owner
          Value: ${{ parameters.owner }}
  - id: publish
    action: publish:github
    input:
      repoUrl: github.com?owner=acme-inc&repo=${{ parameters.repoName }}
```

Create a GitHub webhook secret for a service
Creates a simple secret value for a GitHub webhook shared secret in us-west-2. Add this after fetch:template so the secret path includes your service identifier.
```yaml
steps:
  - id: fetch
    action: fetch:template
    input:
      url: ./template
      targetPath: ./workspace
      values:
        serviceSlug: ${{ parameters.serviceSlug }}
  - id: create-webhook-secret
    action: roadiehq:aws:secrets-manager:create
    input:
      name: /services/${{ parameters.serviceSlug }}/webhooks/github/secret
      region: us-west-2
      description: GitHub webhook secret for validating payload signatures.
      value: ${{ parameters.githubWebhookSecret }}
      tags:
        - Key: Service
          Value: ${{ parameters.serviceSlug }}
        - Key: Purpose
          Value: webhook
  - id: publish
    action: publish:github
    input:
      repoUrl: github.com?owner=acme-inc&repo=${{ parameters.repoName }}
```

Create environment-specific API key secrets using a selected AWS profile
Creates an environment-scoped API key secret in ap-southeast-2 using a specific AWS profile for cross-account creation. Use this when teams choose the target account in the template form, between fetch:template and publish:github.
```yaml
steps:
  - id: fetch-template
    action: fetch:template
    input:
      url: ./skeleton
      targetPath: ./workspace
      values:
        serviceSlug: ${{ parameters.serviceSlug }}
        environment: ${{ parameters.environment }}
  - id: create-env-api-key-secret
    action: roadiehq:aws:secrets-manager:create
    input:
      name: /services/${{ parameters.serviceSlug }}/${{ parameters.environment }}/third-party/api-key
      region: ap-southeast-2
      description: Third-party API key for ${{ parameters.serviceSlug }} in ${{ parameters.environment }}.
      value: ${{ parameters.thirdPartyApiKey }}
      profile: ${{ parameters.awsProfile }}
      tags:
        - Key: Environment
          Value: ${{ parameters.environment }}
        - Key: Compliance
          Value: pii-none
        - Key: Owner
          Value: ${{ parameters.owner }}
  - id: publish
    action: publish:github
    input:
      repoUrl: github.com?owner=acme-inc&repo=${{ parameters.repoName }}
```
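
The usage examples that set `value` read the secret from `${{ parameters.* }}`, which means it travels with the rest of the template form data. The following added example (not from the original page or the action's own documentation) reworks the database password scenario to collect the password through Backstage's built-in `Secret` field and reference it as `${{ secrets.dbPassword }}`; the template name and field titles are assumptions.

```yaml
# Added example. Template name and field titles are illustrative assumptions.
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: service-with-db-secret        # hypothetical template name
  title: Service with database secret
spec:
  type: service
  parameters:
    - title: Service details
      required: [serviceName, serviceSlug, awsRegion, dbPassword]
      properties:
        serviceName: {type: string, title: Service name}
        serviceSlug: {type: string, title: Service slug}
        awsRegion: {type: string, title: AWS region}
        dbPassword:
          title: Database password
          type: string
          # Built-in Secret field: the value is exposed to steps under
          # "secrets", not under "parameters".
          ui:field: Secret
  steps:
    # fetch:template and publish:github steps stay as in the first usage example.
    - id: create-db-password-secret
      action: roadiehq:aws:secrets-manager:create
      input:
        name: /services/${{ parameters.serviceSlug }}/db/password
        region: ${{ parameters.awsRegion }}
        description: Database password for ${{ parameters.serviceName }}. Managed by Backstage.
        # Form used in the usage examples: value: ${{ parameters.dbPassword }}
        value: ${{ secrets.dbPassword }}
        tags:
          - Key: Service
            Value: ${{ parameters.serviceSlug }}
          - Key: ManagedBy
            Value: Backstage
```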