USE AWS SECRETS MANAGER
Prerequisites
- AWS credentials available via the default credential chain (environment variables, ~/.aws/credentials, or IAM role)
- IAM permissions: secretsmanager:GetSecretValue, secretsmanager:PutSecretValue, secretsmanager:CreateSecret, secretsmanager:ListSecrets
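
An added example, not part of the swamp documentation: an IAM policy that grants only the four actions listed above, with the read and write actions scoped to secrets under one name prefix. The account ID 111122223333, the myapp/production/ prefix and the Sid values are assumptions to replace with your own. secretsmanager:ListSecrets does not support resource-level permissions, so it sits in its own statement with Resource "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleReadWriteUnderAssumedPrefix",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:CreateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:myapp/production/*"
    },
    {
      "Sid": "ExampleListSecretsNeedsWildcard",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
```

Because secret keys map directly to AWS secret names, a key outside the prefix (for example a bare api-key) is denied under this policy; widen the Resource pattern or store keys under the prefix.
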
Pull the Extension
swamp extension pull @swamp/aws-sm

Create the Vault
swamp vault create @swamp/aws-sm my-aws-vault \
  --config '{"region": "us-east-1"}'

INF vault·create Created vault: "my-aws-vault" ("AWS Secrets Manager")

Store Secrets
swamp vault put my-aws-vault api-key sk-live-abc123
swamp vault put my-aws-vault db-password s3cret-p4ss

Secret keys map directly to AWS Secrets Manager secret names, including path-style names such as myapp/production/db-password.

Annotate Secrets (Optional)
If the provider version supports annotations, attach provenance metadata to stored secrets.
swamp vault annotate my-aws-vault api-key \
  --url https://console.aws.amazon.com/iam/home#/users/deploy \
  --notes "Prod deploy key, rotated quarterly" \
  --label env=prod --label team=infra

Only the fields you specify are updated. To add a label without changing the URL or notes:
swamp vault annotate my-aws-vault api-key --label rotation=quarterly

To remove a label:
swamp vault annotate my-aws-vault api-key --remove-label rotation

To remove all annotations from a secret:
swamp vault annotate my-aws-vault api-key --clear

Inspect Annotations
swamp vault inspect my-aws-vault api-key

INF vault·inspect Annotation for "api-key" in vault "my-aws-vault":
INF vault·inspect url: "https://console.aws.amazon.com/iam/home#/users/deploy"
INF vault·inspect notes: "Prod deploy key, rotated quarterly"
INF vault·inspect label: "env"="prod"
INF vault·inspect label: "team"="infra"
INF vault·inspect updated: "2026-05-23T02:04:58.668Z"

Use --json for structured output.

Reference Secrets in Models
globalArguments:
  api_key: "${{ vault.get('my-aws-vault', 'api-key') }}"

See the Vaults reference for CEL integration, environment variable mounting, and the full CLI command reference.