Secrets Manager

Quick Reference

```bash
# List secrets
aws secretsmanager list-secrets --query 'SecretList[].[Name,Description]' --output table

# Get secret metadata (NOT the value)
aws secretsmanager describe-secret --secret-id staging/CloudFlareApiToken
```

Do not read secret values unless you have explicit authorization.

Key Secrets

| Secret Name Pattern | Purpose | Used By |
|---|---|---|
| `{env}/CloudFlareApiToken` | Cloudflare API token | Settings exporter, merchandising exporter, admin Lambda |
| `{env}/shopify-app-secret-key` | Shopify app secret | Shopify admin Lambda |
| `{env}/api_key_encryption_key_secret` | API key encryption | Admin Lambda, controller |
| `{env}/ShopifyCustomAppSecrets` | Shopify custom app credentials | Shopify admin Lambda |
| `{env}/metrics-queue-access-key` | AWS credentials for SQS writes | Cloudflare search_proxy worker |
| `{env}/agentic-search-access-key` | AWS credentials for DDB reads | Cloudflare agentic_search worker |
| `{env}/CloudController` | Controller config bundle (Cognito IDs, Stripe keys, etc.) | Controller EBS |
| `{env}/EncryptionSecretKey` | API key encryption | Controller EBS |
| `{env}/cognito_client_secret` | Cognito pool client secret | Console monolith |

What to Look For

| Symptom | Check |
|---|---|
| Auth failures in Lambda | Verify the secret exists: `aws secretsmanager describe-secret --secret-id {name}` |
| Cloudflare KV sync broken | Check `{env}/CloudFlareApiToken` exists and is not scheduled for deletion |
| Search proxy can't write metrics | Check `{env}/metrics-queue-access-key` exists |
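
The checks in the table above as a script, added here as an example and not part of the original runbook. It assumes the AWS CLI with credentials allowed to call `describe-secret`; the function names and exit codes are hypothetical, and only metadata is read, never the secret value.

```bash
# check_secret NAME
# Returns: 0 = exists, 1 = scheduled for deletion, 2 = does not exist,
#          3 = could not tell (no credentials, AccessDenied, network error).
check_secret() {
  err_file=$(mktemp)
  # DeletedDate is only present in describe-secret output while a secret is
  # scheduled for deletion; with --output text a missing field prints "None".
  if deleted=$(aws secretsmanager describe-secret --secret-id "$1" \
        --query 'DeletedDate' --output text 2>"$err_file"); then
    rm -f "$err_file"
    if [ "$deleted" = "None" ]; then
      echo "OK                $1"
      return 0
    fi
    echo "PENDING-DELETION  $1 (DeletedDate=$deleted)"
    return 1
  fi
  err=$(cat "$err_file")
  rm -f "$err_file"
  # A failed call is not proof the secret is missing: separate "not found"
  # from errors that mean the check itself did not run.
  case "$err" in
    *ResourceNotFoundException*)
      echo "MISSING           $1"
      return 2 ;;
    *)
      echo "UNKNOWN           $1: $err" >&2
      return 3 ;;
  esac
}

# check_env_secrets ENV
# Checks the two secrets named in the symptom table for one environment and
# returns the number of secrets that are not healthy.
check_env_secrets() {
  failures=0
  for name in CloudFlareApiToken metrics-queue-access-key; do
    check_secret "$1/$name" || failures=$((failures + 1))
  done
  return "$failures"
}

# Usage: check_env_secrets staging
```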