Secrets Manager Secret ARN — Secret Identification

Parse an AWS Secrets Manager secret ARN to understand the random suffix, version stages, and how applications retrieve secrets using ARNs.


Detailed Explanation

Secrets Manager ARN with Random Suffix

When a secret is created, AWS Secrets Manager appends a hyphen and six random alphanumeric characters to the secret name to form the ARN, so a secret that is deleted and later recreated under the same name in the same account and region gets a different ARN. The name alone is therefore not enough to identify a secret in an IAM Resource element.

Example ARN

arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/database/credentials-AbCdEf

Parsed Components

Component Value
Partition aws
Service secretsmanager
Region us-east-1
Account ID 123456789012
Resource Type secret
Resource ID prod/database/credentials-AbCdEf

The Random Suffix

The -AbCdEf at the end is the random six-character suffix Secrets Manager generated when the secret was created. It prevents ARN collisions when a secret is deleted and a new one is created with the same name, which matters because a policy written for the old ARN must not silently apply to its replacement. The suffix is part of the ARN but not part of the secret name: DescribeSecret reports the Name as prod/database/credentials, and the SecretId parameter of GetSecretValue accepts the name, the ARN without the suffix (a partial ARN) or the full ARN. Callers should not append the suffix to a name or partial ARN themselves; AWS also warns that a partial ARN can resolve ambiguously when the secret name itself ends in a hyphen followed by six characters, so the full ARN is the safest identifier to store in configuration.

Secret Name Hierarchy

Secret names can include forward slashes to create a hierarchical namespace:

  • prod/database/credentials
  • staging/api/third-party-key
  • shared/certificates/wildcard-cert

This hierarchy is useful for organizing secrets and for writing IAM policies that grant access to an entire "path". Because the random suffix comes after the name, a wildcard on the path matches every secret beneath it:

{
  "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*"
}

Single secrets need more care. A Resource that ends in the bare name matches nothing, because the real ARN carries the suffix, and a Resource that ends in the name followed by -* also matches any other secret whose name begins with that prefix, for example prod/database/credentials-rotation-Zz9Yy8. The pattern AWS recommends is the name followed by -??????, since ? matches exactly one character and so admits any six-character suffix but nothing longer.
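A parser for this ARN layout together with a small IAM-style resource matcher, as an added example that is not the page's own tool or AWS code. It assumes only the format described above; the suffix regex and the glob-to-regex matcher are simplified models of Secrets Manager naming and IAM Resource matching, and the sample ARNs (including the prod/database/credentials-rotation-Zz9Yy8 sibling) are constructed.

```python
"""Parse Secrets Manager secret ARNs and derive safe IAM Resource patterns.

Added example, not the page's own tool or AWS code. The sample ARNs are
constructed; the glob matcher is a simplified model of IAM Resource matching.
"""
import re
from dataclasses import dataclass

# Secrets Manager appends "-" plus six random alphanumeric characters to the
# secret name when it creates the ARN (assumption: suffix is [A-Za-z0-9]{6}).
_SUFFIX_RE = re.compile(r"^(?P<name>.+)-(?P<suffix>[A-Za-z0-9]{6})$")


@dataclass(frozen=True)
class SecretArn:
    partition: str
    service: str
    region: str
    account_id: str
    resource_type: str
    resource_id: str   # secret name followed by the random suffix
    secret_name: str   # resource_id with the suffix stripped
    suffix: str


def parse_secret_arn(arn: str) -> SecretArn:
    """Split a secret ARN into its components and separate the random suffix."""
    # Secret names may contain "/" but never ":", so splitting on at most six
    # colons keeps a hierarchical name such as prod/database/credentials whole.
    parts = arn.split(":", 6)
    if (len(parts) != 7 or parts[0] != "arn"
            or parts[2] != "secretsmanager" or parts[5] != "secret"):
        raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    _, partition, service, region, account_id, resource_type, resource_id = parts
    m = _SUFFIX_RE.match(resource_id)
    if m is None:
        raise ValueError(f"resource id has no 6-character random suffix: {resource_id!r}")
    # Caveat: a secret whose own name ends in "-" plus six alphanumerics cannot be
    # told apart from the suffix by the ARN alone; DescribeSecret's Name field is
    # authoritative in that case.
    return SecretArn(partition, service, region, account_id, resource_type,
                     resource_id, m["name"], m["suffix"])


def recommended_resource(secret: SecretArn) -> str:
    """IAM Resource element for exactly this secret, whatever its suffix.

    "?" matches one character in IAM, so "-??????" admits any six-character
    suffix but not a longer name that merely starts with the same prefix.
    """
    return (f"arn:{secret.partition}:secretsmanager:{secret.region}:"
            f"{secret.account_id}:secret:{secret.secret_name}-??????")


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM Resource matching: "*" is any run of characters, "?" is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/database/credentials-AbCdEf"
    secret = parse_secret_arn(arn)
    print(secret.secret_name, secret.suffix)
    print(recommended_resource(secret))
    # A "-*" pattern also grants a differently named secret that shares the prefix.
    sibling = ("arn:aws:secretsmanager:us-east-1:123456789012:secret:"
               "prod/database/credentials-rotation-Zz9Yy8")
    broad = arn.replace("-AbCdEf", "-*")
    print(iam_resource_matches(broad, sibling),
          iam_resource_matches(recommended_resource(secret), sibling))
```

Running the demo prints True False for the last line: the -* form grants the sibling secret, the -?????? form does not. The parser deliberately rejects ARNs without a recognisable suffix rather than guessing, since a partial ARN pasted into a policy is the usual cause of a "works for the name, not for the policy" confusion.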

Version Stages

Secrets Manager attaches staging labels (version stages) to the versions of a secret: AWSCURRENT for the value in use, AWSPREVIOUS for the value it replaced and AWSPENDING for a value that is being rotated in. A label can be on only one version at a time. Version stages are not part of the ARN; GetSecretValue selects a version with the VersionStage or VersionId parameter and returns the AWSCURRENT version when neither is given. During rotation the new value is written under AWSPENDING, the rotation function moves AWSCURRENT to it once the target system accepts the new credential, and the version that lost AWSCURRENT automatically receives AWSPREVIOUS. A version left with no label at all is deprecated and Secrets Manager may delete it.
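An in-memory model of those label moves, as an added example that is not AWS code and never calls the service. It mirrors the documented semantics (one version per label, AWSPREVIOUS following AWSCURRENT, GetSecretValue defaulting to AWSCURRENT) so that the effect of a rotation on each version can be checked offline; the version ids and secret values are constructed, and the rotate() helper is an assumption standing in for a rotation Lambda's createSecret and finishSecret steps.

```python
"""In-memory model of Secrets Manager staging labels during rotation.

Added example, not AWS code: it mirrors the documented label semantics
(one version per label, AWSPREVIOUS following AWSCURRENT) without calling AWS.
Version ids and values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

AWSCURRENT, AWSPREVIOUS, AWSPENDING = "AWSCURRENT", "AWSPREVIOUS", "AWSPENDING"


@dataclass
class Version:
    version_id: str
    secret_string: str
    stages: set[str] = field(default_factory=set)


class SecretVersions:
    """Versions of one secret keyed by version id, with their staging labels."""

    def __init__(self) -> None:
        self.versions: dict[str, Version] = {}

    def version_with(self, stage: str) -> Version | None:
        return next((v for v in self.versions.values() if stage in v.stages), None)

    def put_secret_value(self, version_id: str, secret_string: str, stages: set[str]) -> None:
        """Store a new version. A label belongs to one version, so it leaves any previous holder."""
        for stage in stages:
            held = self.version_with(stage)
            if held is not None:
                held.stages.discard(stage)
        self.versions[version_id] = Version(version_id, secret_string, set(stages))

    def update_secret_version_stage(self, stage: str, move_to: str) -> None:
        """Move a label to move_to. Moving AWSCURRENT also re-labels the version
        it left as AWSPREVIOUS, as the real UpdateSecretVersionStage does."""
        old = self.version_with(stage)
        if old is not None:
            old.stages.discard(stage)
        self.versions[move_to].stages.add(stage)
        if stage == AWSCURRENT and old is not None and old.version_id != move_to:
            prev = self.version_with(AWSPREVIOUS)
            if prev is not None:
                prev.stages.discard(AWSPREVIOUS)
            old.stages.add(AWSPREVIOUS)

    def get_secret_value(self, version_stage: str = AWSCURRENT) -> str:
        """GetSecretValue with no VersionStage or VersionId reads AWSCURRENT."""
        v = self.version_with(version_stage)
        if v is None:
            raise KeyError(f"no version carries stage {version_stage}")
        return v.secret_string


def rotate(secret: SecretVersions, new_version_id: str, new_value: str) -> None:
    """Assumed stand-in for a rotation function: createSecret stages the new value
    as AWSPENDING; finishSecret promotes it to AWSCURRENT; AWSPENDING is then dropped."""
    secret.put_secret_value(new_version_id, new_value, {AWSPENDING})
    # setSecret / testSecret would push and verify the value in the target system here.
    secret.update_secret_version_stage(AWSCURRENT, new_version_id)
    secret.versions[new_version_id].stages.discard(AWSPENDING)


def demo() -> dict[str, str]:
    """One rotation of a constructed secret; returns the value under each label."""
    secret = SecretVersions()
    secret.put_secret_value("v1", "pw-original", {AWSCURRENT})
    rotate(secret, "v2", "pw-rotated")
    return {stage: secret.get_secret_value(stage) for stage in (AWSCURRENT, AWSPREVIOUS)}


if __name__ == "__main__":
    print(demo())
```

Two rotations in a row leave the first version with no label at all, which is the state in which the real service treats a version as deprecated; an application that pinned a VersionId instead of a stage would then be reading a value that is about to disappear, which is why callers should request a stage (or nothing, which means AWSCURRENT) rather than a version id.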

Cross-Account Secret Sharing

Secrets Manager supports resource-based policies attached to the secret that grant principals in other accounts secretsmanager:GetSecretValue (and usually secretsmanager:DescribeSecret) on it, so a role in one account can read a secret owned by another. Three things must line up for this to work: the secret's resource policy must allow the foreign principal, an identity policy on the reading role must allow the same action on the secret's full ARN, and the secret must be encrypted with a customer managed KMS key whose key policy grants the reading account kms:Decrypt, because the AWS managed key aws/secretsmanager cannot be used from another account. The reading account must also reference the secret by its full ARN, including the random suffix, rather than by name.

Use Case

Configuring Lambda functions, ECS tasks, and EC2 instances to retrieve database credentials at runtime. The secret ARN is referenced in IAM policies granting secretsmanager:GetSecretValue permission and in application code for the GetSecretValue API call.
