How to use Boto3 to remove tags from specified AWS secrets

AWS Secrets Manager allows you to store and manage sensitive information like database credentials and API keys. Using boto3, Python's AWS SDK, you can programmatically remove tags from secrets to manage metadata and organization.

Prerequisites

Before using this code, ensure you have:

  • AWS credentials configured (via AWS CLI, environment variables, or IAM roles)
  • Boto3 library installed: pip install boto3
  • Proper IAM permissions for Secrets Manager operations

Algorithm

  • Step 1: Import boto3 and botocore exceptions to handle errors.

  • Step 2: Define function parameters: secret_location (secret ARN or name) and tags_list (list of tag keys to remove).

  • Step 3: Create AWS session with proper region configuration.

  • Step 4: Create Secrets Manager client using secretsmanager service.

  • Step 5: Use untag_resource() method with SecretId and TagKeys parameters.

  • Step 6: Handle exceptions and return response metadata.

Example

The following code demonstrates how to remove tags from an AWS secret:

import boto3
from botocore.exceptions import ClientError

def remove_tags_in_resource(secret_location, tags_list):
    """
    Remove tags from AWS Secrets Manager secret
    
    Args:
        secret_location (str): Secret ARN or name
        tags_list (list): List of tag keys to remove
    
    Returns:
        dict: Response metadata from AWS
    """
    session = boto3.session.Session()
    client = session.client('secretsmanager')
    
    try:
        response = client.untag_resource(
            SecretId=secret_location,
            TagKeys=tags_list
        )
        return response
    except ClientError as e:
        # Chain the original error so the AWS error code stays available to callers
        raise Exception(f"boto3 client error in remove_tags_in_resource: {e}") from e
    except Exception as e:
        raise Exception(f"Unexpected error in remove_tags_in_resource: {e}") from e

# Example usage
tags_to_remove = ["environment", "project"]
secret_name = "my-database-credentials"

try:
    result = remove_tags_in_resource(secret_name, tags_to_remove)
    print("Tags removed successfully:")
    print(result)
except Exception as e:
    print(f"Error: {e}")

Output

Tags removed successfully:
{'ResponseMetadata': {'RequestId': 'c9f418b0-***************-fb96', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Fri, 02 Apr 2021 08:04:54 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '27', 'connection': 'keep-alive', 'x-amzn-requestid': 'c9f418b0-******************-fb96'}, 'RetryAttempts': 0}}

Key Points

  • Service Name: Use 'secretsmanager' (not 'secretmanager') when creating the client
  • Error Handling: Always wrap API calls in try-except blocks to handle AWS service errors
  • Tag Keys: Only provide tag keys (not key-value pairs) in the TagKeys list
  • Permissions: Ensure your AWS credentials have secretsmanager:UntagResource permission
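
An added example (not part of the original article) that wraps untag_resource() with a before/after tag check via describe_secret(), because the response shown in the Output section carries only request metadata and does not say which keys were removed. The names remove_tags_checked and FakeSecretsManager are hypothetical, and the fake client is a constructed stand-in so the code runs offline; a real boto3 Secrets Manager client can be passed instead, which then also needs the secretsmanager:DescribeSecret permission.

```python
class FakeSecretsManager:
    """Constructed in-memory stand-in exposing the two client calls used below."""

    def __init__(self, tags):
        self.tags = dict(tags)
        self.untag_calls = []

    def describe_secret(self, SecretId):
        return {"Name": SecretId,
                "Tags": [{"Key": k, "Value": v} for k, v in self.tags.items()]}

    def untag_resource(self, SecretId, TagKeys):
        self.untag_calls.append(list(TagKeys))
        for key in TagKeys:
            self.tags.pop(key, None)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def _tag_keys(client, secret_id):
    """Return the set of tag keys currently attached to the secret."""
    return {t["Key"] for t in client.describe_secret(SecretId=secret_id).get("Tags", [])}


def remove_tags_checked(client, secret_id, tag_keys):
    """Remove tag keys from a secret and report what actually changed."""
    # client: any object with describe_secret() and untag_resource(),
    # e.g. boto3.client("secretsmanager")
    if isinstance(tag_keys, (str, bytes)) or not all(isinstance(k, str) for k in tag_keys):
        # Catches {"Key": ..., "Value": ...} dicts or a bare string passed by mistake
        raise TypeError("tag_keys must be a list of tag key strings")
    wanted = set(tag_keys)
    before = _tag_keys(client, secret_id)
    present = sorted(wanted & before)
    if present:  # skip the write call when there is nothing to remove
        client.untag_resource(SecretId=secret_id, TagKeys=present)
    after = _tag_keys(client, secret_id)
    return {
        "removed": sorted((wanted & before) - after),
        "not_present": sorted(wanted - before),
        "still_present": sorted(wanted & after),
    }


def demo():
    # Constructed sample tags; "project" is deliberately absent from the secret
    fake = FakeSecretsManager({"environment": "prod", "owner": "dba-team"})
    return remove_tags_checked(fake, "my-database-credentials", ["environment", "project"])
```

A non-empty still_present list means the removal did not take effect and is worth logging, since the HTTP 200 alone would not reveal it.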

Conclusion

Using boto3's untag_resource() method provides a simple way to remove tags from AWS Secrets Manager resources. Always implement proper error handling and ensure you have the necessary IAM permissions for tag management operations.

Updated on: 2026-03-25T19:04:29+05:30
