class Secret (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.SecretsManager.Secret |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awssecretsmanager#Secret |
Java | software.amazon.awscdk.services.secretsmanager.Secret |
Python | aws_cdk.aws_secretsmanager.Secret |
TypeScript (source) | aws-cdk-lib » aws_secretsmanager » Secret |
Implements
IConstruct
, IDependable
, IResource
, ISecret
Creates a new secret in AWS SecretsManager.
Example
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
declare const stack: Stack;
new secretsmanager.Secret(this, 'Secret', {
secretObjectValue: {
username: SecretValue.unsafePlainText(user.userName),
database: SecretValue.unsafePlainText('foo'),
password: accessKey.secretAccessKey,
},
})
Initializer
new Secret(scope: Construct, id: string, props?: SecretProps)
Parameters
- scope
Construct
- id
string
- props
Secret
Props
Construct Props
Name | Type | Description |
---|---|---|
description? | string | An optional, human-friendly description of the secret. |
encryption | IKey | The customer-managed encryption key to use for encrypting the secret value. |
generate | Secret | Configuration for how to generate a secret value. |
removal | Removal | Policy to apply when the secret is removed from this stack. |
replica | Replica [] | A list of regions where to replicate this secret. |
secret | string | A name for the secret. |
secret | { [string]: Secret } | Initial value for a JSON secret. |
secret | Secret | Initial value for the secret. |
secret | Secret | Initial value for the secret. |
description?
Type:
string
(optional, default: No description.)
An optional, human-friendly description of the secret.
encryptionKey?
Type:
IKey
(optional, default: A default KMS key for the account and region is used.)
The customer-managed encryption key to use for encrypting the secret value.
generateSecretString?
Type:
Secret
(optional, default: 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
category), per the default values of SecretStringGenerator
.)
Configuration for how to generate a secret value.
Only one of secretString
and generateSecretString
can be provided.
removalPolicy?
Type:
Removal
(optional, default: Not set.)
Policy to apply when the secret is removed from this stack.
replicaRegions?
Type:
Replica
[]
(optional, default: Secret is not replicated)
A list of regions where to replicate this secret.
secretName?
Type:
string
(optional, default: A name is generated by CloudFormation.)
A name for the secret.
Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
secretObjectValue?
Type:
{ [string]:
Secret
}
(optional, default: SecretsManager generates a new secret value.)
Initial value for a JSON secret.
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies a JSON object that you want to encrypt and store in this new version of the secret.
To specify a simple string value instead, use SecretProps.secretStringValue
Only one of secretStringBeta1
, secretStringValue
, 'secretObjectValue', and generateSecretString
can be provided.
Example
declare const user: iam.User;
declare const accessKey: iam.AccessKey;
declare const stack: Stack;
new secretsmanager.Secret(stack, 'JSONSecret', {
secretObjectValue: {
username: SecretValue.unsafePlainText(user.userName), // intrinsic reference, not exposed as plaintext
database: SecretValue.unsafePlainText('foo'), // rendered as plain text, but not a secret
password: accessKey.secretAccessKey, // SecretValue
},
});
secretStringBeta1?
⚠️ Deprecated: Use secretStringValue
instead.
Type:
Secret
(optional, default: SecretsManager generates a new secret value.)
Initial value for the secret.
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.
Only one of secretStringBeta1
, secretStringValue
, and generateSecretString
can be provided.
secretStringValue?
Type:
Secret
(optional, default: SecretsManager generates a new secret value.)
Initial value for the secret.
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret.
May be a simple string value. To provide a string representation of JSON structure, use SecretProps.secretObjectValue
instead.
Only one of secretStringBeta1
, secretStringValue
, 'secretObjectValue', and generateSecretString
can be provided.
Properties
Name | Type | Description |
---|---|---|
arn | string | Provides an identifier for this secret for use in IAM policies. |
auto | boolean | |
env | Resource | The environment this resource belongs to. |
node | Node | The tree node. |
secret | string | The ARN of the secret in AWS Secrets Manager. |
secret | string | The name of the secret. |
secret | Secret | Retrieve the value of the stored secret as a SecretValue . |
stack | Stack | The stack in which this resource is defined. |
encryption | IKey | The customer-managed encryption key that is used to encrypt this secret, if any. |
exclude | string | The string of the characters that are excluded in this secret when it is generated. |
secret | string | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. |
arnForPolicies
Type:
string
Provides an identifier for this secret for use in IAM policies.
If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.
autoCreatePolicy
Type:
boolean
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
node
Type:
Node
The tree node.
secretArn
Type:
string
The ARN of the secret in AWS Secrets Manager.
Will return the full ARN if available, otherwise a partial arn.
For secrets imported by the deprecated fromSecretName
, it will return the secretName
.
secretName
Type:
string
The name of the secret.
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
secretValue
Type:
Secret
Retrieve the value of the stored secret as a SecretValue
.
stack
Type:
Stack
The stack in which this resource is defined.
encryptionKey?
Type:
IKey
(optional)
The customer-managed encryption key that is used to encrypt this secret, if any.
When not specified, the default KMS key for the account and region is being used.
excludeCharacters?
Type:
string
(optional)
The string of the characters that are excluded in this secret when it is generated.
secretFullArn?
Type:
string
(optional)
The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
This is equal to secretArn
in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
Methods
Name | Description |
---|---|
add | Adds a replica region for the secret. |
add | Adds a rotation schedule to the secret. |
add | Adds a statement to the IAM resource policy associated with this secret. |
apply | Apply the given removal policy to this resource. |
attach(target) | Attach a target to this secret. |
deny | Denies the DeleteSecret action to all principals within the current account. |
grant | Grants reading the secret value to some role. |
grant | Grants writing and updating the secret value to some role. |
secret | Interpret the secret as a JSON object and return a field's value from it as a SecretValue . |
to | Returns a string representation of this construct. |
static from | Import an existing secret into the Stack. |
static from | Imports a secret by complete ARN. |
static from | Imports a secret by secret name. |
static from | Imports a secret by partial ARN. |
static is | Return whether the given object is a Secret. |
addReplicaRegion(region, encryptionKey?)
public addReplicaRegion(region: string, encryptionKey?: IKey): void
Parameters
- region
string
— The name of the region. - encryptionKey
IKey
— The customer-managed encryption key to use for encrypting the secret value.
Adds a replica region for the secret.
addRotationSchedule(id, options)
public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule
Parameters
- id
string
- options
Rotation
Schedule Options
Returns
Adds a rotation schedule to the secret.
addToResourcePolicy(statement)
public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult
Parameters
- statement
Policy
Statement
Returns
Adds a statement to the IAM resource policy associated with this secret.
If this secret was created in this stack, a resource policy will be
automatically created upon the first call to addToResourcePolicy
. If
the secret is imported, then this is a no-op.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
Removal
Policy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY
), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN
).
attach(target)
public attach(target: ISecretAttachmentTarget): ISecret
Parameters
- target
ISecret
— The target to attach.Attachment Target
Returns
Attach a target to this secret.
denyAccountRootDelete()
public denyAccountRootDelete(): void
Denies the DeleteSecret
action to all principals within the current account.
grantRead(grantee, versionStages?)
public grantRead(grantee: IGrantable, versionStages?: string[]): Grant
Parameters
- grantee
IGrantable
- versionStages
string[]
Returns
Grants reading the secret value to some role.
grantWrite(grantee)
public grantWrite(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grants writing and updating the secret value to some role.
secretValueFromJson(jsonField)
public secretValueFromJson(jsonField: string): SecretValue
Parameters
- jsonField
string
Returns
Interpret the secret as a JSON object and return a field's value from it as a SecretValue
.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
static fromSecretAttributes(scope, id, attrs)
public static fromSecretAttributes(scope: Construct, id: string, attrs: SecretAttributes): ISecret
Parameters
- scope
Construct
— the scope of the import. - id
string
— the ID of the imported Secret in the construct tree. - attrs
Secret
— the attributes of the imported secret.Attributes
Returns
Import an existing secret into the Stack.
static fromSecretCompleteArn(scope, id, secretCompleteArn)
public static fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string): ISecret
Parameters
- scope
Construct
- id
string
- secretCompleteArn
string
Returns
Imports a secret by complete ARN.
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
static fromSecretNameV2(scope, id, secretName)
public static fromSecretNameV2(scope: Construct, id: string, secretName: string): ISecret
Parameters
- scope
Construct
- id
string
- secretName
string
Returns
Imports a secret by secret name.
A secret with this name must exist in the same account & region.
Replaces the deprecated fromSecretName
.
Please note this method returns ISecret that only contains partial ARN and could lead to AccessDeniedException
when you pass the partial ARN to CLI or SDK to get the secret value. If your secret name ends with a hyphen and
6 characters, you should always use fromSecretCompleteArn() to avoid potential AccessDeniedException.
static fromSecretPartialArn(scope, id, secretPartialArn)
public static fromSecretPartialArn(scope: Construct, id: string, secretPartialArn: string): ISecret
Parameters
- scope
Construct
- id
string
- secretPartialArn
string
Returns
Imports a secret by partial ARN.
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
static isSecret(x)
public static isSecret(x: any): boolean
Parameters
- x
any
Returns
boolean
Return whether the given object is a Secret.