Secrets Manager

Quick Reference

# List secrets
aws secretsmanager list-secrets --query 'SecretList[].[Name,Description]' --output table

# Get secret metadata (NOT the value)
aws secretsmanager describe-secret --secret-id staging/CloudFlareApiToken

Do not read secret values unless you have explicit authorization.

Key Secrets

Secret Name Pattern	Purpose	Used By
`{env}/CloudFlareApiToken`	Cloudflare API token	Settings exporter, merchandising exporter, admin Lambda
`{env}/shopify-app-secret-key`	Shopify app secret	Shopify admin Lambda
`{env}/api_key_encryption_key_secret`	API key encryption	Admin Lambda, controller
`{env}/ShopifyCustomAppSecrets`	Shopify custom app credentials	Shopify admin Lambda
`{env}/metrics-queue-access-key`	AWS credentials for SQS writes	Cloudflare search_proxy worker
`{env}/agentic-search-access-key`	AWS credentials for DDB reads	Cloudflare agentic_search worker
`{env}/CloudController`	Controller config bundle (Cognito IDs, Stripe keys, etc.)	Controller EBS
`{env}/EncryptionSecretKey`	API key encryption	Controller EBS
`{env}/cognito_client_secret`	Cognito pool client secret	Console monolith

What to Look For

Symptom	Check
Auth failures in Lambda	Verify the secret exists: `aws secretsmanager describe-secret --secret-id {name}`
Cloudflare KV sync broken	Check `{env}/CloudFlareApiToken` exists and is not scheduled for deletion
Search proxy can't write metrics	Check `{env}/metrics-queue-access-key` exists

Quick Reference​

Key Secrets​

What to Look For​

Quick Reference

Key Secrets

What to Look For