From aws-core
Prevents AI agents from directly fetching AWS Secrets Manager secrets by teaching runtime dynamic references with asm-exec, keeping plaintext out of the LLM context window.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-core:aws-secrets-managerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
When AI agents handle secrets, credentials, API keys, tokens, or passwords with
When AI agents handle secrets, credentials, API keys, tokens, or passwords with
shell or AWS API access, they can call aws secretsmanager get-secret-value
and receive plaintext values in their context window. This creates risk:
secrets may leak into logs, conversation history, or downstream tool calls.
This skill teaches a safer pattern: dynamic references resolved at runtime
by a wrapper script (asm-exec), so the agent never sees the secret value.
Best-effort defense, not a security boundary. This prevents the most common leakage path but cannot stop all evasion vectors. Combine with IAM least-privilege, CloudTrail monitoring, and VPC endpoint policies.
You MUST follow these rules when working with secrets:
get-secret-value or batch-get-secret-value -- not via AWS
CLI, SDK, MCP tools, curl, or any other mechanism.{{resolve:secretsmanager:...}} references -- these are
resolved at runtime by asm-exec without exposing values to you.{{resolve:...}} Syntax{{resolve:secretsmanager:<secret-id>:<field-type>:<json-key>:<version-stage>}}
| Component | Required | Default | Example |
|---|---|---|---|
secret-id | Yes | -- | prod/db-creds or full ARN |
field-type | No | SecretString | SecretString |
json-key | No | (full value) | password |
version-stage | No | AWSCURRENT | AWSPENDING |
asm-execasm-exec is a wrapper that resolves {{resolve:...}} references in command
arguments and environment variables, then execs the target command. The secret
value exists only in the child process -- never in the agent's context.
# Pass a database password to psql without exposing it
asm-exec -- psql \
"host=mydb.example.com \
user={{resolve:secretsmanager:prod/db-creds:SecretString:username}} \
password={{resolve:secretsmanager:prod/db-creds:SecretString:password}}" \
-c "SELECT * FROM users LIMIT 10"
# Use default field-type (SecretString) and full value (no json-key)
asm-exec -- curl -H "Authorization: Bearer {{resolve:secretsmanager:prod/api-token}}" \
https://api.example.com/data
# Multiple secrets in one command
asm-exec -- mysql \
-h {{resolve:secretsmanager:prod/mysql:SecretString:host}} \
-u {{resolve:secretsmanager:prod/mysql:SecretString:username}} \
-p{{resolve:secretsmanager:prod/mysql:SecretString:password}} \
-e "SHOW TABLES"
{{resolve:...}} patternshttps://aws-mcp.us-east-1.api.aws/mcp), calling the
aws___call_aws tool over a SigV4-signed requestAWS_REGION / AWS_DEFAULT_REGION, and passes it to the resolverre.sub with a callable (single-pass --
prevents re-scan injection if a secret value contains {{resolve:...}})subprocess.run -- secret values exist only in the
asm-exec process, never in the agent's context windowNo local AWS CLI fallback for resolution.
asm-execdoes not shell out toaws secretsmanager get-secret-valueto resolve references. Resolution happens only through SMA or the MCP endpoint, so the plaintext value is never written to a local process's stdout where it could be captured.
The MCP endpoint authenticates every tool call with AWS SigV4. asm-exec signs
requests itself using only the Python standard library (hashlib/hmac) -- it
does not depend on botocore or spin up the mcp-proxy-for-aws proxy, keeping
the wrapper a lightweight ephemeral process. The signing service and region are
inferred from the endpoint hostname (e.g. aws-mcp.us-east-1.api.aws ->
service aws-mcp, region us-east-1); this signing region is independent of the
secret's own region, which is passed as --region to the server-side CLI command.
Credentials for signing are resolved in order: environment variables
(AWS_ACCESS_KEY_ID etc.), aws configure export-credentials (AWS CLI v2), then
aws configure get (AWS CLI v1).
Either backend must be reachable, with credentials that have
secretsmanager:GetSecretValue permission:
AWS_REGION (or use a full ARN) so the correct
region is targeted.See SMA setup guide.
asm-exec -- psql "postgresql://{{resolve:secretsmanager:prod/db:SecretString:username}}:{{resolve:secretsmanager:prod/db:SecretString:password}}@db.example.com:5432/mydb"
asm-exec -- docker run -e "DB_PASSWORD={{resolve:secretsmanager:prod/db:SecretString:password}}" myapp:latest
# Generate config with resolved secrets, write to file
asm-exec -- sh -c 'echo "password={{resolve:secretsmanager:app/db:SecretString:password}}" > /tmp/app.conf'
When the aws-core plugin is enabled, a PreToolUse hook automatically blocks
any attempt to call get-secret-value or batch-get-secret-value -- via AWS CLI,
MCP tools, or direct SMA access. No manual configuration needed.
The hook is defined at plugins/aws-core/hooks/hooks.json and activates
automatically when the plugin is installed.
Verify the secret exists and your IAM role has secretsmanager:GetSecretValue
permission. Check the secret name matches exactly (case-sensitive).
The Secrets Manager Agent may not be running. This is non-fatal: asm-exec
falls through to the SigV4-signed MCP endpoint. Ensure AWS credentials are
resolvable (see SigV4 signing above) so that backend can authenticate.
Both backends were unreachable or returned no value. Check that either SMA is
running or AWS credentials are valid (aws sts get-caller-identity), that the
secret's region is correct (set AWS_REGION or use a full ARN), and that your
identity has secretsmanager:GetSecretValue on the secret. A 401 from the MCP
endpoint indicates a SigV4 signing or credential problem, not a missing secret.
The JSON key may not exist in the secret value. Verify the secret structure in the AWS Console or ask the secret owner to confirm the available keys.
npx claudepluginhub arnewouters/agent-toolkit-for-aws --plugin aws-core5plugins reuse this skill
First indexed Jun 18, 2026
Prevents AI agents from directly fetching AWS Secrets Manager secrets by teaching runtime dynamic references with asm-exec, keeping plaintext out of the LLM context window.
Manages cloud secrets with AWS SSM Parameter Store and Secrets Manager: rotation, access control, environment injection, and audit logging.
Stores, retrieves, and rotates secrets in AWS Secrets Manager. Covers CLI and boto3 patterns for creating secrets, fetching credentials, and configuring automatic rotation with RDS.