How to programmatically create AWS Secrets Manager secrets using boto3

When using the Python boto3 library to programmatically create secrets in AWS Secrets Manager within a DuploCloud tenant, you may encounter authorization errors even if your application can already read existing secrets. This is because creating secrets requires additional IAM permissions and specific tags.

Required IAM Permissions

Ensure your IAM role or user has at least the following permissions:

- secretsmanager:CreateSecret
- secretsmanager:PutSecretValue
- secretsmanager:UpdateSecret
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue

If your secrets are encrypted with AWS KMS, you also need these permissions:

- kms:Encrypt
- kms:Decrypt
- kms:GenerateDataKey

Required Tags for DuploCloud Tenants

When creating secrets in a DuploCloud tenant, you must include specific tags, because the tenant IAM role's access to Secrets Manager is granted based on tags. Include the following tags when creating your secret:

- duplo-project=<tenant-name>
- TENANT_NAME=<tenant-name>
- duplo_lifecycle_owner=duplo

Replace <tenant-name> with your actual tenant name (e.g., treasury-dev).

Example Implementation

When using boto3 to create a secret, include the required tags in the Tags parameter of your CreateSecret call. Without these tags, the creation fails with an AccessDeniedException: the tags are what allow the tag-based conditions in the DuploCloud tenant's IAM policy to authorize the secret creation operation.
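The following is an added example of the boto3 call described above; it is not DuploCloud's own code. It builds the CreateSecret request with the three required tags, maps an AccessDeniedException to a clear error (the symptom of missing tags or missing permissions), and falls back to PutSecretValue when a secret of that name already exists (which is why that permission is in the list). The secret name, the tenant name treasury-dev, the KMS key and the account id in the comments are placeholders or assumptions, not values from the page; the boto3 client is injected so the helpers can be exercised without AWS credentials.

```python
"""Create an AWS Secrets Manager secret inside a DuploCloud tenant with boto3.

Added example (not DuploCloud's code). Assumed values: secret name, tenant name,
optional KMS key id. The boto3 client is passed in so the request-building and
error-handling logic can be tested with a stand-in client.
"""
import json
import os

try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in so the module loads where boto3/botocore is not installed
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name

# Tags the DuploCloud tenant IAM policy conditions on (from the page).
REQUIRED_TAG_KEYS = ("duplo-project", "TENANT_NAME", "duplo_lifecycle_owner")


def tenant_tags(tenant_name, extra=None):
    """Return the Tags list for CreateSecret: the three mandatory DuploCloud tags plus any extras."""
    tags = {
        "duplo-project": tenant_name,
        "TENANT_NAME": tenant_name,
        "duplo_lifecycle_owner": "duplo",
    }
    for key, value in (extra or {}).items():
        if key in tags:
            raise ValueError(f"tag {key!r} is reserved for the DuploCloud tenant and cannot be overridden")
        tags[key] = value
    return [{"Key": k, "Value": v} for k, v in tags.items()]


def missing_tenant_tags(tags):
    """Return the required tag keys absent from a Tags list (empty list means the request is complete)."""
    present = {t["Key"] for t in tags}
    return [k for k in REQUIRED_TAG_KEYS if k not in present]


def build_create_secret_request(name, tenant_name, secret, kms_key_id=None, description=None):
    """Build the keyword arguments for client.create_secret(); dict secrets are JSON-encoded."""
    if isinstance(secret, dict):
        secret_string = json.dumps(secret)
    elif isinstance(secret, str):
        secret_string = secret
    else:
        raise TypeError("secret must be a str or a dict")
    params = {"Name": name, "SecretString": secret_string, "Tags": tenant_tags(tenant_name)}
    if description:
        params["Description"] = description
    if kms_key_id:  # only needed when the secret is encrypted with a customer KMS key
        params["KmsKeyId"] = kms_key_id
    return params


def create_tenant_secret(client, name, tenant_name, secret, update_existing=True, **kwargs):
    """Create the secret and return its ARN.

    AccessDeniedException is surfaced as PermissionError with a hint about tags/permissions;
    ResourceExistsException optionally falls back to PutSecretValue so reruns are idempotent.
    """
    params = build_create_secret_request(name, tenant_name, secret, **kwargs)
    try:
        return client.create_secret(**params)["ARN"]
    except ClientError as exc:
        code = exc.response.get("Error", {}).get("Code", "")
        if code == "AccessDeniedException":
            raise PermissionError(
                f"CreateSecret on {name!r} returned AccessDeniedException: check that the role has "
                "secretsmanager:CreateSecret (and kms:GenerateDataKey for KMS-encrypted secrets) "
                f"and that the request carries the tags {REQUIRED_TAG_KEYS}"
            ) from exc
        if code == "ResourceExistsException" and update_existing:
            # Secret already exists: store a new version instead (needs secretsmanager:PutSecretValue).
            return client.put_secret_value(SecretId=name, SecretString=params["SecretString"])["ARN"]
        raise


if __name__ == "__main__":
    import boto3  # real client only when run directly against AWS

    # Assumed names; the password comes from the environment so nothing sensitive is hard-coded.
    arn = create_tenant_secret(
        boto3.client("secretsmanager"),
        name="treasury-dev/app/db-credentials",
        tenant_name="treasury-dev",
        secret={"username": "app", "password": os.environ.get("DB_PASSWORD", "REPLACE-ME")},
        description="Example secret created from boto3 inside the treasury-dev tenant",
    )
    print("created or updated", arn)
```

Run it with credentials for the tenant role (for example from inside a DuploCloud-managed host) and `DB_PASSWORD` exported; a PermissionError naming AccessDeniedException means either the CreateSecret permission or one of the three tags is missing, so check `missing_tenant_tags()` on your own Tags list before assuming the IAM policy is wrong.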
