Skip to content

Commit fb3f95d

Browse files
authored
feat(aws): expand SES/STS/Secrets Manager tool coverage, fix API alignment gaps (#5450)
* feat(aws): expand SES/STS/Secrets Manager tool coverage, fix API alignment gaps - SES: add suppression list management, email identity CRUD, template update, configuration set creation, custom verification email (10 new tools); fix silent httpsPolicy drop in create_configuration_set and unvalidated suppression reason enum in list_suppressed_destinations - STS: add AssumeRoleWithWebIdentity and AssumeRoleWithSAML (unsigned, no static credentials required); extend assume_role with policyArns/tags/transitiveTagKeys session params - Secrets Manager: add describe_secret, tag_resource, untag_resource, restore_secret, rotate_secret; fix list_secrets dropping rotation/version metadata fields; normalize tool versions to 1.0.0 and alphabetize registry entries All 31 tools verified param-by-param against live AWS API docs across two independent audit passes. * fix(aws): address review findings on SES config/identity and Secrets Manager rotation - ses_create_configuration_set: validate suppressedReasons against BOUNCE/COMPLAINT enum before calling AWS (was silently reaching AWS as a generic 500 for bad values); tags now a proper Zod array schema instead of a string with route-side JSON.parse - ses_create_email_identity: dkimSigningAttributes and tags now proper Zod object/array schemas instead of strings with route-side JSON.parse, matching the pattern used elsewhere (e.g. sts_assume_role tags, secrets_manager_tag_resource) - secrets_manager_rotate_secret: reject automaticallyAfterDays and scheduleExpression when both are supplied — AWS RotationRules accepts only one - sts createUnauthenticatedSTSClient: corrected a misleading comment claiming these calls are fully unsigned; the SDK still falls through its default credential provider chain * fix(ses): correct json input types for tags/dkimSigningAttributes The SES block declared the tags and dkimSigningAttributes block inputs as 'string' instead of 'json', so the generic block executor never parsed the JSON code-editor value before forwarding it — workflow runs sent a raw JSON string where the contract now expects a structured object/array, failing validation. Also corrected the corresponding tool param TypeScript types, which were still typed as string | null. * fix(ses): stop coercing switch string 'false' to true in create_configuration_set Boolean('false') evaluates to true, so turning off the reputationMetricsEnabled or sendingEnabled switch sent the opposite of the user's choice to SES. Match the established === 'true' string comparison pattern used elsewhere in the codebase. * fix(sts): stop double-parsing assume_role session tags input tags was declared as a 'json' block input, so the generic executor JSON.parse'd it before the switch-case handler ran — but that handler already converts the raw table-rows array (or a passthrough string) into the JSON string the sts_assume_role contract expects. Declaring it 'json' broke that conversion for non-string inputs. Reverted to 'string' so the handler's existing string/array disambiguation runs on the untouched raw value. * fix(sts): supply placeholder credentials to the unauthenticated client createUnauthenticatedSTSClient omitted credentials entirely, so the SDK's signing middleware fell through the default credential provider chain and threw CredentialsProviderError before the request was sent in any environment with no ambient AWS identity — even though AssumeRoleWithWebIdentity/AssumeRoleWithSAML never check the signature. Static placeholder credentials skip that resolution without granting or requiring any real IAM identity.
1 parent f111de3 commit fb3f95d

78 files changed

Lines changed: 6182 additions & 66 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

apps/docs/content/docs/en/integrations/secrets_manager.mdx

Lines changed: 129 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ In Sim, the AWS Secrets Manager integration allows your workflows to securely re
2828

2929
## Usage Instructions
3030

31-
Integrate AWS Secrets Manager into the workflow. Can retrieve, create, update, list, and delete secrets.
31+
Integrate AWS Secrets Manager into the workflow. Can retrieve, create, update, list, delete, describe, tag, untag, restore, and rotate secrets.
3232

3333

3434

@@ -78,7 +78,7 @@ List secrets stored in AWS Secrets Manager
7878

7979
| Parameter | Type | Description |
8080
| --------- | ---- | ----------- |
81-
| `secrets` | json | List of secrets with name, ARN, description, and dates |
81+
| `secrets` | json | List of secrets with name, ARN, description, dates, rotation rules/window, and version-to-stage mappings |
8282
| `nextToken` | string | Pagination token for the next page of results |
8383
| `count` | number | Number of secrets returned |
8484

@@ -154,4 +154,131 @@ Delete a secret from AWS Secrets Manager
154154
| `arn` | string | ARN of the deleted secret |
155155
| `deletionDate` | string | Scheduled deletion date |
156156

157+
### `secrets_manager_describe_secret`
158+
159+
Retrieve full metadata for a secret in AWS Secrets Manager, including rotation configuration and replication status, without exposing the secret value
160+
161+
#### Input
162+
163+
| Parameter | Type | Required | Description |
164+
| --------- | ---- | -------- | ----------- |
165+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
166+
| `accessKeyId` | string | Yes | AWS access key ID |
167+
| `secretAccessKey` | string | Yes | AWS secret access key |
168+
| `secretId` | string | Yes | The name or ARN of the secret to describe |
169+
170+
#### Output
171+
172+
| Parameter | Type | Description |
173+
| --------- | ---- | ----------- |
174+
| `name` | string | Name of the secret |
175+
| `arn` | string | ARN of the secret |
176+
| `description` | string | Description of the secret |
177+
| `kmsKeyId` | string | KMS key ID used to encrypt the secret |
178+
| `rotationEnabled` | boolean | Whether automatic rotation is enabled |
179+
| `rotationLambdaARN` | string | ARN of the Lambda function used for rotation |
180+
| `rotationRules` | json | Rotation schedule configuration |
181+
| `lastRotatedDate` | string | Date the secret was last rotated |
182+
| `lastChangedDate` | string | Date the secret was last changed |
183+
| `lastAccessedDate` | string | Date the secret was last accessed |
184+
| `deletedDate` | string | Scheduled deletion date |
185+
| `nextRotationDate` | string | Date the secret is next scheduled to rotate |
186+
| `tags` | array | Tags attached to the secret |
187+
| `versionIdsToStages` | json | Map of version IDs to their staging labels |
188+
| `owningService` | string | ID of the AWS service that manages this secret, if any |
189+
| `createdDate` | string | Date the secret was created |
190+
| `primaryRegion` | string | The primary region of the secret, if replicated |
191+
| `replicationStatus` | array | Replication status for each region the secret is replicated to |
192+
193+
### `secrets_manager_tag_resource`
194+
195+
Attach tags to a secret in AWS Secrets Manager
196+
197+
#### Input
198+
199+
| Parameter | Type | Required | Description |
200+
| --------- | ---- | -------- | ----------- |
201+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
202+
| `accessKeyId` | string | Yes | AWS access key ID |
203+
| `secretAccessKey` | string | Yes | AWS secret access key |
204+
| `secretId` | string | Yes | The name or ARN of the secret to tag |
205+
| `tags` | json | Yes | Tags to attach, as an array of \{key, value\} pairs \(max 50\) |
206+
207+
#### Output
208+
209+
| Parameter | Type | Description |
210+
| --------- | ---- | ----------- |
211+
| `message` | string | Operation status message |
212+
| `name` | string | Name or ARN of the tagged secret |
213+
214+
### `secrets_manager_untag_resource`
215+
216+
Remove tags from a secret in AWS Secrets Manager
217+
218+
#### Input
219+
220+
| Parameter | Type | Required | Description |
221+
| --------- | ---- | -------- | ----------- |
222+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
223+
| `accessKeyId` | string | Yes | AWS access key ID |
224+
| `secretAccessKey` | string | Yes | AWS secret access key |
225+
| `secretId` | string | Yes | The name or ARN of the secret to untag |
226+
| `tagKeys` | json | Yes | Tag keys to remove, as an array of strings \(max 50\) |
227+
228+
#### Output
229+
230+
| Parameter | Type | Description |
231+
| --------- | ---- | ----------- |
232+
| `message` | string | Operation status message |
233+
| `name` | string | Name or ARN of the untagged secret |
234+
235+
### `secrets_manager_restore_secret`
236+
237+
Cancel a scheduled deletion for a secret in AWS Secrets Manager, restoring access to it
238+
239+
#### Input
240+
241+
| Parameter | Type | Required | Description |
242+
| --------- | ---- | -------- | ----------- |
243+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
244+
| `accessKeyId` | string | Yes | AWS access key ID |
245+
| `secretAccessKey` | string | Yes | AWS secret access key |
246+
| `secretId` | string | Yes | The name or ARN of the secret to restore |
247+
248+
#### Output
249+
250+
| Parameter | Type | Description |
251+
| --------- | ---- | ----------- |
252+
| `message` | string | Operation status message |
253+
| `name` | string | Name of the restored secret |
254+
| `arn` | string | ARN of the restored secret |
255+
256+
### `secrets_manager_rotate_secret`
257+
258+
Start or reconfigure rotation for a secret in AWS Secrets Manager
259+
260+
#### Input
261+
262+
| Parameter | Type | Required | Description |
263+
| --------- | ---- | -------- | ----------- |
264+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
265+
| `accessKeyId` | string | Yes | AWS access key ID |
266+
| `secretAccessKey` | string | Yes | AWS secret access key |
267+
| `secretId` | string | Yes | The name or ARN of the secret to rotate |
268+
| `clientRequestToken` | string | No | Idempotency token for the new secret version \(32-64 characters\) |
269+
| `rotationLambdaARN` | string | No | ARN of the Lambda function that performs rotation \(omit for managed rotation\) |
270+
| `automaticallyAfterDays` | number | No | Number of days between rotations \(1-1000\). Mutually exclusive with schedule expression |
271+
| `duration` | string | No | Length of the rotation window in hours, e.g. "3h" |
272+
| `scheduleExpression` | string | No | A cron\(\) or rate\(\) expression defining the rotation schedule |
273+
| `rotateImmediately` | boolean | No | Whether to rotate immediately \(default true\) or wait for the next scheduled window |
274+
275+
#### Output
276+
277+
| Parameter | Type | Description |
278+
| --------- | ---- | ----------- |
279+
| `message` | string | Operation status message |
280+
| `name` | string | Name of the secret |
281+
| `arn` | string | ARN of the secret |
282+
| `versionId` | string | ID of the new secret version created by rotation |
283+
157284

apps/docs/content/docs/en/integrations/ses.mdx

Lines changed: 229 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ In Sim, the AWS SES integration is designed for workflows that need reliable, pr
2727

2828
## Usage Instructions
2929

30-
Integrate AWS SES v2 into the workflow. Send simple, templated, and bulk emails. Manage email templates and retrieve account sending quota and verified identity information.
30+
Integrate AWS SES v2 into the workflow. Send simple, templated, and bulk emails. Manage email templates, identities, configuration sets, and the account suppression list, and retrieve account sending quota and verified identity information.
3131

3232

3333

@@ -238,4 +238,232 @@ Delete an existing SES email template
238238
| --------- | ---- | ----------- |
239239
| `message` | string | Confirmation message for the deleted template |
240240

241+
### `ses_update_template`
242+
243+
Update the subject, HTML, and text content of an existing SES email template
244+
245+
#### Input
246+
247+
| Parameter | Type | Required | Description |
248+
| --------- | ---- | -------- | ----------- |
249+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
250+
| `accessKeyId` | string | Yes | AWS access key ID |
251+
| `secretAccessKey` | string | Yes | AWS secret access key |
252+
| `templateName` | string | Yes | The name of the template to update |
253+
| `subjectPart` | string | Yes | The subject line of the template |
254+
| `htmlPart` | string | No | The HTML body of the template |
255+
| `textPart` | string | No | The plain text body of the template |
256+
257+
#### Output
258+
259+
| Parameter | Type | Description |
260+
| --------- | ---- | ----------- |
261+
| `message` | string | Confirmation message |
262+
263+
### `ses_put_suppressed_destination`
264+
265+
Add an email address to the account-level SES suppression list
266+
267+
#### Input
268+
269+
| Parameter | Type | Required | Description |
270+
| --------- | ---- | -------- | ----------- |
271+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
272+
| `accessKeyId` | string | Yes | AWS access key ID |
273+
| `secretAccessKey` | string | Yes | AWS secret access key |
274+
| `emailAddress` | string | Yes | The email address to add to the suppression list |
275+
| `reason` | string | Yes | The reason the address is suppressed: BOUNCE or COMPLAINT |
276+
277+
#### Output
278+
279+
| Parameter | Type | Description |
280+
| --------- | ---- | ----------- |
281+
| `message` | string | Confirmation message |
282+
283+
### `ses_delete_suppressed_destination`
284+
285+
Remove an email address from the account-level SES suppression list
286+
287+
#### Input
288+
289+
| Parameter | Type | Required | Description |
290+
| --------- | ---- | -------- | ----------- |
291+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
292+
| `accessKeyId` | string | Yes | AWS access key ID |
293+
| `secretAccessKey` | string | Yes | AWS secret access key |
294+
| `emailAddress` | string | Yes | The email address to remove from the suppression list |
295+
296+
#### Output
297+
298+
| Parameter | Type | Description |
299+
| --------- | ---- | ----------- |
300+
| `message` | string | Confirmation message |
301+
302+
### `ses_get_suppressed_destination`
303+
304+
Retrieve details for a specific email address on the SES suppression list
305+
306+
#### Input
307+
308+
| Parameter | Type | Required | Description |
309+
| --------- | ---- | -------- | ----------- |
310+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
311+
| `accessKeyId` | string | Yes | AWS access key ID |
312+
| `secretAccessKey` | string | Yes | AWS secret access key |
313+
| `emailAddress` | string | Yes | The suppressed email address to look up |
314+
315+
#### Output
316+
317+
| Parameter | Type | Description |
318+
| --------- | ---- | ----------- |
319+
| `emailAddress` | string | The suppressed email address |
320+
| `reason` | string | The reason the address is suppressed |
321+
| `lastUpdateTime` | string | When the address was added to the suppression list |
322+
| `messageId` | string | The message ID associated with the bounce or complaint event |
323+
| `feedbackId` | string | The feedback ID associated with the bounce or complaint event |
324+
325+
### `ses_list_suppressed_destinations`
326+
327+
List email addresses on the account-level SES suppression list
328+
329+
#### Input
330+
331+
| Parameter | Type | Required | Description |
332+
| --------- | ---- | -------- | ----------- |
333+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
334+
| `accessKeyId` | string | Yes | AWS access key ID |
335+
| `secretAccessKey` | string | Yes | AWS secret access key |
336+
| `reasons` | string | No | Comma-separated suppression reasons to filter by: BOUNCE, COMPLAINT |
337+
| `startDate` | string | No | Only include addresses suppressed after this ISO 8601 date |
338+
| `endDate` | string | No | Only include addresses suppressed before this ISO 8601 date |
339+
| `pageSize` | number | No | Maximum number of results to return |
340+
| `nextToken` | string | No | Pagination token from a previous list response |
341+
342+
#### Output
343+
344+
| Parameter | Type | Description |
345+
| --------- | ---- | ----------- |
346+
| `destinations` | array | List of suppressed destinations with email address, reason, and last update |
347+
| `nextToken` | string | Pagination token for the next page of results |
348+
| `count` | number | Number of suppressed destinations returned |
349+
350+
### `ses_create_email_identity`
351+
352+
Start verification of a new SES email address or domain identity
353+
354+
#### Input
355+
356+
| Parameter | Type | Required | Description |
357+
| --------- | ---- | -------- | ----------- |
358+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
359+
| `accessKeyId` | string | Yes | AWS access key ID |
360+
| `secretAccessKey` | string | Yes | AWS secret access key |
361+
| `emailIdentity` | string | Yes | The email address or domain to verify |
362+
| `dkimSigningAttributes` | json | No | Bring-your-own-DKIM signing attributes as JSON \(domainSigningSelector, domainSigningPrivateKey, nextSigningKeyLength\). Domain identities only. |
363+
| `tags` | json | No | JSON array of tags to associate with the identity: \[\{"key":"","value":""\}\] |
364+
| `configurationSetName` | string | No | Default configuration set to use when sending from this identity |
365+
366+
#### Output
367+
368+
| Parameter | Type | Description |
369+
| --------- | ---- | ----------- |
370+
| `identityType` | string | The identity type: EMAIL_ADDRESS or DOMAIN |
371+
| `verifiedForSendingStatus` | boolean | Whether the identity is verified and can send email |
372+
| `dkimAttributes` | json | DKIM signing status and CNAME tokens for the identity |
373+
374+
### `ses_delete_email_identity`
375+
376+
Delete a verified SES email address or domain identity
377+
378+
#### Input
379+
380+
| Parameter | Type | Required | Description |
381+
| --------- | ---- | -------- | ----------- |
382+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
383+
| `accessKeyId` | string | Yes | AWS access key ID |
384+
| `secretAccessKey` | string | Yes | AWS secret access key |
385+
| `emailIdentity` | string | Yes | The email address or domain identity to delete |
386+
387+
#### Output
388+
389+
| Parameter | Type | Description |
390+
| --------- | ---- | ----------- |
391+
| `message` | string | Confirmation message |
392+
393+
### `ses_get_email_identity`
394+
395+
Retrieve verification status, DKIM, Mail-From, and policy details for an SES identity
396+
397+
#### Input
398+
399+
| Parameter | Type | Required | Description |
400+
| --------- | ---- | -------- | ----------- |
401+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
402+
| `accessKeyId` | string | Yes | AWS access key ID |
403+
| `secretAccessKey` | string | Yes | AWS secret access key |
404+
| `emailIdentity` | string | Yes | The email address or domain identity to look up |
405+
406+
#### Output
407+
408+
| Parameter | Type | Description |
409+
| --------- | ---- | ----------- |
410+
| `identityType` | string | The identity type: EMAIL_ADDRESS or DOMAIN |
411+
| `verifiedForSendingStatus` | boolean | Whether the identity is verified and can send email |
412+
| `verificationStatus` | string | Verification status: PENDING, SUCCESS, FAILED, TEMPORARY_FAILURE, NOT_STARTED |
413+
| `feedbackForwardingStatus` | boolean | Whether bounce/complaint notifications are forwarded by email |
414+
| `configurationSetName` | string | Default configuration set for this identity |
415+
| `dkimAttributes` | json | DKIM signing status and CNAME tokens for the identity |
416+
| `mailFromAttributes` | json | Custom MAIL FROM domain configuration for the identity |
417+
| `policies` | json | Sending authorization policies attached to the identity |
418+
| `tags` | array | Tags associated with the identity |
419+
| `verificationInfo` | json | Additional verification diagnostics \(error type, last checked/success time\) |
420+
421+
### `ses_create_configuration_set`
422+
423+
Create an SES configuration set to control tracking, delivery, reputation, sending, and suppression behavior for emails
424+
425+
#### Input
426+
427+
| Parameter | Type | Required | Description |
428+
| --------- | ---- | -------- | ----------- |
429+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
430+
| `accessKeyId` | string | Yes | AWS access key ID |
431+
| `secretAccessKey` | string | Yes | AWS secret access key |
432+
| `configurationSetName` | string | Yes | Name of the configuration set \(letters, numbers, hyphens, underscores\) |
433+
| `customRedirectDomain` | string | No | Custom domain to use for open/click tracking links |
434+
| `httpsPolicy` | string | No | HTTPS policy for tracking links: REQUIRE, REQUIRE_OPEN_ONLY, or OPTIONAL |
435+
| `tlsPolicy` | string | No | Whether delivery requires TLS: REQUIRE or OPTIONAL |
436+
| `sendingPoolName` | string | No | Dedicated IP pool to associate with the configuration set |
437+
| `reputationMetricsEnabled` | boolean | No | Whether to collect reputation metrics for emails using this configuration set |
438+
| `sendingEnabled` | boolean | No | Whether sending is enabled for this configuration set |
439+
| `suppressedReasons` | string | No | Comma-separated reasons that trigger suppression: BOUNCE, COMPLAINT |
440+
| `tags` | json | No | JSON array of tags to associate with the configuration set: \[\{"key":"","value":""\}\] |
441+
442+
#### Output
443+
444+
| Parameter | Type | Description |
445+
| --------- | ---- | ----------- |
446+
| `message` | string | Confirmation message |
447+
448+
### `ses_send_custom_verification_email`
449+
450+
Send a branded custom verification email to an address using a custom verification email template
451+
452+
#### Input
453+
454+
| Parameter | Type | Required | Description |
455+
| --------- | ---- | -------- | ----------- |
456+
| `region` | string | Yes | AWS region \(e.g., us-east-1\) |
457+
| `accessKeyId` | string | Yes | AWS access key ID |
458+
| `secretAccessKey` | string | Yes | AWS secret access key |
459+
| `emailAddress` | string | Yes | The email address to verify |
460+
| `templateName` | string | Yes | The name of the custom verification email template to use |
461+
| `configurationSetName` | string | No | Configuration set to use when sending the verification email |
462+
463+
#### Output
464+
465+
| Parameter | Type | Description |
466+
| --------- | ---- | ----------- |
467+
| `messageId` | string | SES message ID for the sent verification email |
468+
241469

0 commit comments

Comments
 (0)