From e4f1bcee8531e40eed1552c72799a2dbbd5295ad Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Sun, 31 May 2026 14:45:54 -0400
Subject: [PATCH] chore: advertise required_secrets[] for wfctl secrets setup

---
 plugin.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/plugin.json b/plugin.json
index b31ea0b..bd3dc13 100644
--- a/plugin.json
+++ b/plugin.json
@@ -7,6 +7,20 @@
   "type": "external",
   "tier": "community",
   "minEngineVersion": "0.64.3",
+  "required_secrets": [
+    {
+      "name": "AWS_ACCESS_KEY_ID",
+      "sensitive": true,
+      "description": "AWS access key ID. For credentials.type: env or static; profile/role_arn deployments may skip. Referenced as ${AWS_ACCESS_KEY_ID} in the iac.provider/aws config.",
+      "prompt": "AWS access key ID"
+    },
+    {
+      "name": "AWS_SECRET_ACCESS_KEY",
+      "sensitive": true,
+      "description": "AWS secret access key (pairs with AWS_ACCESS_KEY_ID). Referenced as ${AWS_SECRET_ACCESS_KEY}.",
+      "prompt": "AWS secret access key"
+    }
+  ],
   "iacServices": [
     "workflow.plugin.external.iac.IaCProviderRequired",
     "workflow.plugin.external.iac.IaCProviderEnumerator",