class DatabaseSecret (construct)
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.RDS.DatabaseSecret |
 Go | github.com/aws/aws-cdk-go/awscdk/v2/awsrds#DatabaseSecret |
 Java | software.amazon.awscdk.services.rds.DatabaseSecret |
 Python | aws_cdk.aws_rds.DatabaseSecret |
 TypeScript (source) | aws-cdk-lib » aws_rds » DatabaseSecret |
Implements
IConstruct, IDependable, IResource, ISecret
A database secret.
Example
// Create username and password secret for DB Cluster
const secret = new rds.DatabaseSecret(this, 'AuroraSecret', {
username: 'clusteradmin',
});
// The VPC to place the cluster in
const vpc = new ec2.Vpc(this, 'AuroraVpc');
// Create the serverless cluster, provide all values needed to customise the database.
const cluster = new rds.ServerlessCluster(this, 'AuroraCluster', {
engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
vpc,
credentials: { username: 'clusteradmin' },
clusterIdentifier: 'db-endpoint-test',
defaultDatabaseName: 'demos',
});
// Build a data source for AppSync to access the database.
declare const api: appsync.GraphqlApi;
const rdsDS = api.addRdsDataSource('rds', cluster, secret, 'demos');
// Set up a resolver for an RDS query.
rdsDS.createResolver('QueryGetDemosRdsResolver', {
typeName: 'Query',
fieldName: 'getDemosRds',
requestMappingTemplate: appsync.MappingTemplate.fromString(`
{
"version": "2018-05-29",
"statements": [
"SELECT * FROM demos"
]
}
`),
responseMappingTemplate: appsync.MappingTemplate.fromString(`
$utils.toJson($utils.rds.toJsonObject($ctx.result)[0])
`),
});
// Set up a resolver for an RDS mutation.
rdsDS.createResolver('MutationAddDemoRdsResolver', {
typeName: 'Mutation',
fieldName: 'addDemoRds',
requestMappingTemplate: appsync.MappingTemplate.fromString(`
{
"version": "2018-05-29",
"statements": [
"INSERT INTO demos VALUES (:id, :version)",
"SELECT * WHERE id = :id"
],
"variableMap": {
":id": $util.toJson($util.autoId()),
":version": $util.toJson($ctx.args.version)
}
}
`),
responseMappingTemplate: appsync.MappingTemplate.fromString(`
$utils.toJson($utils.rds.toJsonObject($ctx.result)[1][0])
`),
});
Initializer
new DatabaseSecret(scope: Construct, id: string, props: DatabaseSecretProps)
Parameters
- scope
Construct - id
string - props
DatabaseSecret Props
Construct Props
| Name | Type | Description |
|---|---|---|
| username | string | The username. |
| dbname? | string | The database name, if not using the default one. |
| encryption | IKey | The KMS key to use to encrypt the secret. |
| exclude | string | Characters to not include in the generated password. |
| master | ISecret | The master secret which will be used to rotate this secret. |
| replace | boolean | Whether to replace this secret when the criteria for the password change. |
| replica | Replica[] | A list of regions where to replicate this secret. |
| secret | string | A name for the secret. |
username
Type:
string
The username.
dbname?
Type:
string
(optional, default: whatever the secret generates after the attach method is run)
The database name, if not using the default one.
encryptionKey?
Type:
IKey
(optional, default: default master key)
The KMS key to use to encrypt the secret.
excludeCharacters?
Type:
string
(optional, default: " %+~`#$&()|[]{}:;<>?!'/@"\")*
Characters to not include in the generated password.
masterSecret?
Type:
ISecret
(optional, default: no master secret information will be included)
The master secret which will be used to rotate this secret.
replaceOnPasswordCriteriaChanges?
Type:
boolean
(optional, default: false)
Whether to replace this secret when the criteria for the password change.
This is achieved by overriding the logical id of the AWS::SecretsManager::Secret with a hash of the options that influence the password generation. This way a new secret will be created when the password is regenerated and the cluster or instance consuming this secret will have its credentials updated.
replicaRegions?
Type:
Replica[]
(optional, default: Secret is not replicated)
A list of regions where to replicate this secret.
secretName?
Type:
string
(optional, default: A name is generated by CloudFormation.)
A name for the secret.
Properties
| Name | Type | Description |
|---|---|---|
| env | Resource | The environment this resource belongs to. |
| node | Node | The tree node. |
| secret | string | The ARN of the secret in AWS Secrets Manager. |
| secret | string | The name of the secret. |
| secret | Secret | Retrieve the value of the stored secret as a SecretValue. |
| stack | Stack | The stack in which this resource is defined. |
| encryption | IKey | The customer-managed encryption key that is used to encrypt this secret, if any. |
| exclude | string | The string of the characters that are excluded in this secret when it is generated. |
| secret | string | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. |
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
node
Type:
Node
The tree node.
secretArn
Type:
string
The ARN of the secret in AWS Secrets Manager.
Will return the full ARN if available, otherwise a partial arn.
For secrets imported by the deprecated fromSecretName, it will return the secretName.
secretName
Type:
string
The name of the secret.
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
secretValue
Type:
Secret
Retrieve the value of the stored secret as a SecretValue.
stack
Type:
Stack
The stack in which this resource is defined.
encryptionKey?
Type:
IKey
(optional)
The customer-managed encryption key that is used to encrypt this secret, if any.
When not specified, the default KMS key for the account and region is being used.
excludeCharacters?
Type:
string
(optional)
The string of the characters that are excluded in this secret when it is generated.
secretFullArn?
Type:
string
(optional)
The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
Methods
| Name | Description |
|---|---|
| add | Adds a replica region for the secret. |
| add | Adds a rotation schedule to the secret. |
| add | Adds a statement to the IAM resource policy associated with this secret. |
| apply | Apply the given removal policy to this resource. |
| attach(target) | Attach a target to this secret. |
| deny | Denies the DeleteSecret action to all principals within the current account. |
| grant | Grants reading the secret value to some role. |
| grant | Grants writing and updating the secret value to some role. |
| secret | Interpret the secret as a JSON object and return a field's value from it as a SecretValue. |
| to | Returns a string representation of this construct. |
addReplicaRegion(region, encryptionKey?)
public addReplicaRegion(region: string, encryptionKey?: IKey): void
Parameters
- region
string— The name of the region. - encryptionKey
IKey— The customer-managed encryption key to use for encrypting the secret value.
Adds a replica region for the secret.
addRotationSchedule(id, options)
public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule
Parameters
- id
string - options
RotationSchedule Options
Returns
Adds a rotation schedule to the secret.
addToResourcePolicy(statement)
public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult
Parameters
- statement
PolicyStatement
Returns
Adds a statement to the IAM resource policy associated with this secret.
If this secret was created in this stack, a resource policy will be
automatically created upon the first call to addToResourcePolicy. If
the secret is imported, then this is a no-op.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
attach(target)
public attach(target: ISecretAttachmentTarget): ISecret
Parameters
- target
ISecret— The target to attach.Attachment Target
Returns
Attach a target to this secret.
denyAccountRootDelete()
public denyAccountRootDelete(): void
Denies the DeleteSecret action to all principals within the current account.
grantRead(grantee, versionStages?)
public grantRead(grantee: IGrantable, versionStages?: string[]): Grant
Parameters
- grantee
IGrantable - versionStages
string[]
Returns
Grants reading the secret value to some role.
grantWrite(grantee)
public grantWrite(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grants writing and updating the secret value to some role.
secretValueFromJson(jsonField)
public secretValueFromJson(jsonField: string): SecretValue
Parameters
- jsonField
string
Returns
Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.