Package software.amazon.awscdk.services.secretsmanager

@Stability(Stable) @Deprecated package software.amazon.awscdk.services.secretsmanager

Deprecated.

AWS Secrets Manager Construct Library

---

AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.

For more information on how to migrate, see the Migrating to AWS CDK v2 guide.

 import software.amazon.awscdk.services.secretsmanager.*;
 

Create a new Secret in a Stack

In order to have SecretsManager generate a new secret value automatically, you can get started with the following:

 // Default secret
 Secret secret = new Secret(this, "Secret");
 // Using the default secret
 // Using the default secret
 User.Builder.create(this, "User")
         .password(secret.getSecretValue())
         .build();
 // Templated secret
 Secret templatedSecret = Secret.Builder.create(this, "TemplatedSecret")
         .generateSecretString(SecretStringGenerator.builder()
                 .secretStringTemplate(JSON.stringify(Map.of("username", "user")))
                 .generateStringKey("password")
                 .build())
         .build();
 // Using the templated secret
 // Using the templated secret
 User.Builder.create(this, "OtherUser")
         .userName(templatedSecret.secretValueFromJson("username").toString())
         .password(templatedSecret.secretValueFromJson("password"))
         .build();
 

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application:

 Key encryptionKey;
 
 ISecret secret = Secret.fromSecretAttributes(this, "ImportedSecret", SecretAttributes.builder()
         .secretArn("arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>")
         // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
         .encryptionKey(encryptionKey)
         .build());
 

SecretsManager secret values can only be used in select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.

A secret can set RemovalPolicy. If it set to RETAIN, that removing a secret will fail.

Grant permission to use the secret to a role

You must grant permission to a resource for that resource to be allowed to use a secret. This can be achieved with the Secret.grantRead and/or Secret.grantWrite method, depending on your need:

 Role role = Role.Builder.create(this, "SomeRole").assumedBy(new AccountRootPrincipal()).build();
 Secret secret = new Secret(this, "Secret");
 secret.grantRead(role);
 secret.grantWrite(role);
 

If, as in the following example, your secret was created with a KMS key:

 Role role;
 
 Key key = new Key(this, "KMS");
 Secret secret = Secret.Builder.create(this, "Secret").encryptionKey(key).build();
 secret.grantRead(role);
 secret.grantWrite(role);
 

then Secret.grantRead and Secret.grantWrite will also grant the role the relevant encrypt and decrypt permissions to the KMS key through the SecretsManager service principal.

The principal is automatically added to Secret resource policy and KMS Key policy for cross account access:

 AccountPrincipal otherAccount = new AccountPrincipal("1234");
 Key key = new Key(this, "KMS");
 Secret secret = Secret.Builder.create(this, "Secret").encryptionKey(key).build();
 secret.grantRead(otherAccount);
 

Rotating a Secret

Using a Custom Lambda Function

A rotation schedule can be added to a Secret using a custom Lambda function:

 import software.amazon.awscdk.services.lambda.*;
 
 Function fn;
 
 Secret secret = new Secret(this, "Secret");
 
 secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder()
         .rotationLambda(fn)
         .automaticallyAfter(Duration.days(15))
         .build());
 

Note: The required permissions for Lambda to call SecretsManager and the other way round are automatically granted based on AWS Documentation as long as the Lambda is not imported.

See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.

Using a Hosted Lambda Function

Use the hostedRotation prop to rotate a secret with a hosted Lambda function:

 Secret secret = new Secret(this, "Secret");
 
 secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder()
         .hostedRotation(HostedRotation.mysqlSingleUser())
         .build());
 

Hosted rotation is available for secrets representing credentials for MySQL, PostgreSQL, Oracle, MariaDB, SQLServer, Redshift and MongoDB (both for the single and multi user schemes).

When deployed in a VPC, the hosted rotation implements ec2.IConnectable:

 Vpc myVpc;
 Connections dbConnections;
 Secret secret;
 
 
 HostedRotation myHostedRotation = HostedRotation.mysqlSingleUser(SingleUserHostedRotationOptions.builder().vpc(myVpc).build());
 secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder().hostedRotation(myHostedRotation).build());
 dbConnections.allowDefaultPortFrom(myHostedRotation);
 

See also Automating secret creation in AWS CloudFormation.

Rotating database credentials

Define a SecretRotation to rotate database credentials:

 Secret mySecret;
 IConnectable myDatabase;
 Vpc myVpc;
 
 
 SecretRotation.Builder.create(this, "SecretRotation")
         .application(SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER) // MySQL single user scheme
         .secret(mySecret)
         .target(myDatabase) // a Connectable
         .vpc(myVpc) // The VPC where the secret rotation application will be deployed
         .excludeCharacters(" %+:;{}")
         .build();
 

The secret must be a JSON string with the following format:

 {
   "engine": "<required: database engine>",
   "host": "<required: instance host name>",
   "username": "<required: username>",
   "password": "<required: password>",
   "dbname": "<optional: database name>",
   "port": "<optional: if not specified, default port will be used>",
   "masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
 }
 

For the multi user scheme, a masterSecret must be specified:

 Secret myUserSecret;
 Secret myMasterSecret;
 IConnectable myDatabase;
 Vpc myVpc;
 
 
 SecretRotation.Builder.create(this, "SecretRotation")
         .application(SecretRotationApplication.MYSQL_ROTATION_MULTI_USER)
         .secret(myUserSecret) // The secret that will be rotated
         .masterSecret(myMasterSecret) // The secret used for the rotation
         .target(myDatabase)
         .vpc(myVpc)
         .build();
 

See also aws-rds where credentials generation and rotation is integrated.

Importing Secrets

Existing secrets can be imported by ARN, name, and other attributes (including the KMS key used to encrypt the secret). Secrets imported by name should use the short-form of the name (without the SecretsManager-provided suffx); the secret name must exist in the same account and region as the stack. Importing by name makes it easier to reference secrets created in different regions, each with their own suffix and ARN.

 String secretCompleteArn = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9";
 String secretPartialArn = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret"; // No Secrets Manager suffix
 IKey encryptionKey = Key.fromKeyArn(this, "MyEncKey", "arn:aws:kms:eu-west-1:111111111111:key/21c4b39b-fde2-4273-9ac0-d9bb5c0d0030");
 ISecret mySecretFromCompleteArn = Secret.fromSecretCompleteArn(this, "SecretFromCompleteArn", secretCompleteArn);
 ISecret mySecretFromPartialArn = Secret.fromSecretPartialArn(this, "SecretFromPartialArn", secretPartialArn);
 ISecret mySecretFromName = Secret.fromSecretNameV2(this, "SecretFromName", "MySecret");
 ISecret mySecretFromAttrs = Secret.fromSecretAttributes(this, "SecretFromAttributes", SecretAttributes.builder()
         .secretCompleteArn(secretCompleteArn)
         .encryptionKey(encryptionKey)
         .build());
 

Replicating secrets

Secrets can be replicated to multiple regions by specifying replicaRegions:

 Key myKey;
 
 Secret.Builder.create(this, "Secret")
         .replicaRegions(List.of(ReplicaRegion.builder()
                 .region("eu-west-1")
                 .build(), ReplicaRegion.builder()
                 .region("eu-central-1")
                 .encryptionKey(myKey)
                 .build()))
         .build();
 

Alternatively, use addReplicaRegion():

 Secret secret = new Secret(this, "Secret");
 secret.addReplicaRegion("eu-west-1");
 

Deprecated: AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2. For more information on how to migrate, see https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html

Class	Description
$Module
AttachedSecretOptions	Options to add a secret attachment to a secret.
AttachedSecretOptions.Builder	A builder for AttachedSecretOptions
AttachedSecretOptions.Jsii$Proxy	An implementation for AttachedSecretOptions
AttachmentTargetType	The type of service or database that's being associated with the secret.
CfnResourcePolicy	A CloudFormation AWS::SecretsManager::ResourcePolicy.
CfnResourcePolicy.Builder	A fluent builder for CfnResourcePolicy.
CfnResourcePolicyProps	Properties for defining a CfnResourcePolicy.
CfnResourcePolicyProps.Builder	A builder for CfnResourcePolicyProps
CfnResourcePolicyProps.Jsii$Proxy	An implementation for CfnResourcePolicyProps
CfnRotationSchedule	A CloudFormation AWS::SecretsManager::RotationSchedule.
CfnRotationSchedule.Builder	A fluent builder for CfnRotationSchedule.
CfnRotationSchedule.HostedRotationLambdaProperty	Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates .
CfnRotationSchedule.HostedRotationLambdaProperty.Builder	A builder for CfnRotationSchedule.HostedRotationLambdaProperty
CfnRotationSchedule.HostedRotationLambdaProperty.Jsii$Proxy	An implementation for CfnRotationSchedule.HostedRotationLambdaProperty
CfnRotationSchedule.RotationRulesProperty	The rotation schedule and window.
CfnRotationSchedule.RotationRulesProperty.Builder	A builder for CfnRotationSchedule.RotationRulesProperty
CfnRotationSchedule.RotationRulesProperty.Jsii$Proxy	An implementation for CfnRotationSchedule.RotationRulesProperty
CfnRotationScheduleProps	Properties for defining a CfnRotationSchedule.
CfnRotationScheduleProps.Builder	A builder for CfnRotationScheduleProps
CfnRotationScheduleProps.Jsii$Proxy	An implementation for CfnRotationScheduleProps
CfnSecret	A CloudFormation AWS::SecretsManager::Secret.
CfnSecret.Builder	A fluent builder for CfnSecret.
CfnSecret.GenerateSecretStringProperty	Generates a random password.
CfnSecret.GenerateSecretStringProperty.Builder	A builder for CfnSecret.GenerateSecretStringProperty
CfnSecret.GenerateSecretStringProperty.Jsii$Proxy	An implementation for CfnSecret.GenerateSecretStringProperty
CfnSecret.ReplicaRegionProperty	Specifies a Region and the KmsKeyId for a replica secret.
CfnSecret.ReplicaRegionProperty.Builder	A builder for CfnSecret.ReplicaRegionProperty
CfnSecret.ReplicaRegionProperty.Jsii$Proxy	An implementation for CfnSecret.ReplicaRegionProperty
CfnSecretProps	Properties for defining a CfnSecret.
CfnSecretProps.Builder	A builder for CfnSecretProps
CfnSecretProps.Jsii$Proxy	An implementation for CfnSecretProps
CfnSecretTargetAttachment	A CloudFormation AWS::SecretsManager::SecretTargetAttachment.
CfnSecretTargetAttachment.Builder	A fluent builder for CfnSecretTargetAttachment.
CfnSecretTargetAttachmentProps	Properties for defining a CfnSecretTargetAttachment.
CfnSecretTargetAttachmentProps.Builder	A builder for CfnSecretTargetAttachmentProps
CfnSecretTargetAttachmentProps.Jsii$Proxy	An implementation for CfnSecretTargetAttachmentProps
HostedRotation	A hosted rotation.
HostedRotationType	Hosted rotation type.
ISecret	A secret in AWS Secrets Manager.
ISecret.Jsii$Default	Internal default implementation for ISecret.
ISecret.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ISecretAttachmentTarget	A secret attachment target.
ISecretAttachmentTarget.Jsii$Default	Internal default implementation for ISecretAttachmentTarget.
ISecretAttachmentTarget.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
ISecretTargetAttachment
ISecretTargetAttachment.Jsii$Default	Internal default implementation for ISecretTargetAttachment.
ISecretTargetAttachment.Jsii$Proxy	A proxy class which represents a concrete javascript instance of this type.
MultiUserHostedRotationOptions	Multi user hosted rotation options.
MultiUserHostedRotationOptions.Builder	A builder for MultiUserHostedRotationOptions
MultiUserHostedRotationOptions.Jsii$Proxy	An implementation for MultiUserHostedRotationOptions
ReplicaRegion	Secret replica region.
ReplicaRegion.Builder	A builder for ReplicaRegion
ReplicaRegion.Jsii$Proxy	An implementation for ReplicaRegion
ResourcePolicy	Resource Policy for SecretsManager Secrets.
ResourcePolicy.Builder	A fluent builder for ResourcePolicy.
ResourcePolicyProps	Construction properties for a ResourcePolicy.
ResourcePolicyProps.Builder	A builder for ResourcePolicyProps
ResourcePolicyProps.Jsii$Proxy	An implementation for ResourcePolicyProps
RotationSchedule	A rotation schedule.
RotationSchedule.Builder	A fluent builder for RotationSchedule.
RotationScheduleOptions	Options to add a rotation schedule to a secret.
RotationScheduleOptions.Builder	A builder for RotationScheduleOptions
RotationScheduleOptions.Jsii$Proxy	An implementation for RotationScheduleOptions
RotationScheduleProps	Construction properties for a RotationSchedule.
RotationScheduleProps.Builder	A builder for RotationScheduleProps
RotationScheduleProps.Jsii$Proxy	An implementation for RotationScheduleProps
Secret	Creates a new secret in AWS SecretsManager.
Secret.Builder	A fluent builder for Secret.
SecretAttachmentTargetProps	Attachment target specifications.
SecretAttachmentTargetProps.Builder	A builder for SecretAttachmentTargetProps
SecretAttachmentTargetProps.Jsii$Proxy	An implementation for SecretAttachmentTargetProps
SecretAttributes	Attributes required to import an existing secret into the Stack.
SecretAttributes.Builder	A builder for SecretAttributes
SecretAttributes.Jsii$Proxy	An implementation for SecretAttributes
SecretProps	The properties required to create a new secret in AWS Secrets Manager.
SecretProps.Builder	A builder for SecretProps
SecretProps.Jsii$Proxy	An implementation for SecretProps
SecretRotation	Secret rotation for a service or database.
SecretRotation.Builder	A fluent builder for SecretRotation.
SecretRotationApplication	A secret rotation serverless application.
SecretRotationApplication.Builder	A fluent builder for SecretRotationApplication.
SecretRotationApplicationOptions	Options for a SecretRotationApplication.
SecretRotationApplicationOptions.Builder	A builder for SecretRotationApplicationOptions
SecretRotationApplicationOptions.Jsii$Proxy	An implementation for SecretRotationApplicationOptions
SecretRotationProps	Construction properties for a SecretRotation.
SecretRotationProps.Builder	A builder for SecretRotationProps
SecretRotationProps.Jsii$Proxy	An implementation for SecretRotationProps
SecretStringGenerator	Configuration to generate secrets such as passwords automatically.
SecretStringGenerator.Builder	A builder for SecretStringGenerator
SecretStringGenerator.Jsii$Proxy	An implementation for SecretStringGenerator
SecretStringValueBeta1	Deprecated. Use cdk.SecretValue instead.
SecretTargetAttachment	An attached secret.
SecretTargetAttachment.Builder	A fluent builder for SecretTargetAttachment.
SecretTargetAttachmentProps	Construction properties for an AttachedSecret.
SecretTargetAttachmentProps.Builder	A builder for SecretTargetAttachmentProps
SecretTargetAttachmentProps.Jsii$Proxy	An implementation for SecretTargetAttachmentProps
SingleUserHostedRotationOptions	Single user hosted rotation options.
SingleUserHostedRotationOptions.Builder	A builder for SingleUserHostedRotationOptions
SingleUserHostedRotationOptions.Jsii$Proxy	An implementation for SingleUserHostedRotationOptions