feat(secrets-manager): add AWS Secrets Manager integration

[waleedlatif1]

Summary

• Add AWS Secrets Manager integration with 5 operations: get, list, create, update, delete
• Includes tools, block, API routes, icon, and docs
• Uses @aws-sdk/client-secrets-manager SDK with UpdateSecretCommand for proper description support

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[cursor]

PR Summary

High Risk
Introduces new server-side endpoints that accept AWS credentials and perform secret CRUD operations, which is security- and data-sensitive. Incorrect auth/validation or logging could expose or delete secrets.

Overview
Adds a new AWS Secrets Manager integration (secrets_manager) end-to-end: new tool configs registered in apps/sim/tools/registry.ts, a new SecretsManagerBlock with operation-driven parameter mapping, and a new set of authenticated Next.js API routes for get/list/create/update/delete backed by @aws-sdk/client-secrets-manager.

Updates docs and UI metadata to surface the integration (new secrets_manager.mdx, meta.json entry, integration listing JSON, and icon mapping), and introduces a new SecretsManagerIcon used in both docs and the Sim integrations UI.

^{Written by Cursor Bugbot for commit cb3a6af. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 31, 2026 9:41pm

[greptile-apps]

Greptile Summary

This PR adds a full AWS Secrets Manager integration with five operations (get, list, create, update, delete), following the established tool → API route → AWS SDK pattern already used by S3, SQS, and similar blocks. The structure is consistent with the rest of the codebase: typed params/response interfaces in types.ts, per-operation ToolConfig files, Next.js API routes backed by a shared utils.ts, and a BlockConfig wiring them all together.

Previous review concerns (binary-secret silent empty return, incorrect force-delete log message) have been correctly addressed. The remaining findings are both style-level:

• secretValue is unmasked in the UI — the block's secretValue sub-block uses type: 'code' without password: true, so the actual secret content (passwords, API keys, JSON credentials) is displayed in plain text whenever the workflow is opened or shared. AWS credential fields (accessKeyId, secretAccessKey) are correctly masked; the same treatment should apply to secretValue.
• Inaccurate client-side fallback message in delete_secret.ts — the fallback string 'Secret scheduled for deletion' is never reached in practice (the API always returns a message), but it would be wrong if forceDelete: true was in effect.

Confidence Score: 5/5

Safe to merge; all remaining findings are P2 style/UX suggestions with no runtime impact.

Previously flagged P1 issues (binary secret detection, force-delete message correctness) have both been resolved. The only remaining items are a misleading-but-unreachable fallback string and an unmasked UI input — neither affects correctness or data integrity at runtime.

apps/sim/blocks/blocks/secrets_manager.ts (secretValue masking) and apps/sim/tools/secrets_manager/delete_secret.ts (fallback message)

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/secrets_manager/utils.ts	Core AWS SDK wrapper — correctly handles binary secret detection, mutual exclusivity of ForceDeleteWithoutRecovery / RecoveryWindowInDays, and client cleanup via destroy().
apps/sim/blocks/blocks/secrets_manager.ts	Block definition for all 5 operations; secretValue sub-block uses type: 'code' without password: true, exposing sensitive secret content in the UI.
apps/sim/tools/secrets_manager/delete_secret.ts	Delete tool definition; client-side fallback message 'Secret scheduled for deletion' is inaccurate when forceDelete: true is used, though it is never triggered in the success path.
apps/sim/app/api/tools/secrets_manager/delete-secret/route.ts	Delete route; correctly sets conditional response message based on forceDelete flag (previously flagged issue resolved).
apps/sim/tools/secrets_manager/types.ts	Type definitions for all 5 operations; well-structured with proper nullable/optional fields and correct separation of connection config from operation params.
apps/sim/tools/registry.ts	All 5 secrets manager tools correctly registered with consistent secrets_manager_* key naming.

Sequence Diagram

sequenceDiagram
    participant UI as Block UI
    participant Block as secrets_manager.ts (block)
    participant Tool as ToolConfig (tools/secrets_manager/*)
    participant Route as /api/tools/secrets_manager/*
    participant Utils as utils.ts
    participant AWS as AWS Secrets Manager

    UI->>Block: User selects operation + fills params
    Block->>Tool: config.tool(params) → tool ID<br/>config.params(params) → cleaned params
    Tool->>Route: POST (region, accessKeyId, secretAccessKey, …)
    Route->>Route: checkInternalAuth()
    Route->>Route: ZodSchema.parse(body)
    Route->>Utils: createSecretsManagerClient(config)
    Utils-->>Route: SecretsManagerClient
    Route->>Utils: getSecretValue / listSecrets / createSecret / updateSecretValue / deleteSecret
    Utils->>AWS: SDK Command (GetSecretValueCommand, etc.)
    AWS-->>Utils: Response
    Utils-->>Route: Typed result object
    Route->>Route: client.destroy()
    Route-->>Tool: NextResponse.json(result)
    Tool->>Tool: transformResponse() → { success, output }
    Tool-->>Block: output fields (name, secretValue, arn, …)
    Block-->>UI: Workflow outputs

Loading

_{Reviews (3): Last reviewed commit: "fix(secrets-manager): handle boolean for..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR