DatabaseSecretProps

class aws_cdk.aws_rds.DatabaseSecretProps(*, username, encryption_key=None, exclude_characters=None, master_secret=None, replace_on_password_criteria_changes=None, replica_regions=None, secret_name=None)

Bases: object

Construction properties for a DatabaseSecret.

Parameters:

  • username (str) – The username.

  • encryption_key (Optional[IKey]) – The KMS key to use to encrypt the secret. Default: default master key

  • exclude_characters (Optional[str]) – Characters to not include in the generated password. Default: “ %+~`#$&*()|[]{}:;<>?!’/

  • master_secret (Optional[ISecret]) – The master secret which will be used to rotate this secret. Default: - no master secret information will be included

  • replace_on_password_criteria_changes (Optional[bool]) – Whether to replace this secret when the criteria for the password change. This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated. Default: false

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

  • secret_name (Optional[str]) – A name for the secret. Default: - A name is generated by CloudFormation.

ExampleMetadata:

infused

Example:

# instance: rds.DatabaseInstance

my_user_secret = rds.DatabaseSecret(self, "MyUserSecret",
    username="myuser",
    secret_name="my-user-secret",  # optional, defaults to a CloudFormation-generated name
    master_secret=instance.secret,
    exclude_characters="{}[]()'"/\"
)
my_user_secret_attached = my_user_secret.attach(instance) # Adds DB connections information in the secret

instance.add_rotation_multi_user("MyUser",  # Add rotation using the multi user scheme
    secret=my_user_secret_attached)

Attributes

encryption_key

The KMS key to use to encrypt the secret.

Default:

default master key

exclude_characters

Characters to not include in the generated password.

Default:

“ %+~`#$&*()|[]{}:;<>?!’/

:: “"

master_secret

The master secret which will be used to rotate this secret.

Default:

  • no master secret information will be included

replace_on_password_criteria_changes

Whether to replace this secret when the criteria for the password change.

This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated.

Default:

false

replica_regions

A list of regions where to replicate this secret.

Default:

  • Secret is not replicated

secret_name

A name for the secret.

Default:

  • A name is generated by CloudFormation.

username

The username.