SecretProps
- class aws_cdk.aws_secretsmanager.SecretProps(*, description=None, encryption_key=None, generate_secret_string=None, removal_policy=None, replica_regions=None, secret_name=None, secret_object_value=None, secret_string_beta1=None, secret_string_value=None)
Bases:
object
The properties required to create a new secret in AWS Secrets Manager.
- Parameters:
description (
Optional
[str
]) – An optional, human-friendly description of the secret. Default: - No description.encryption_key (
Optional
[IKey
]) – The customer-managed encryption key to use for encrypting the secret value. Default: - A default KMS key for the account and region is used.generate_secret_string (
Union
[SecretStringGenerator
,Dict
[str
,Any
],None
]) – Configuration for how to generate a secret value. Only one ofsecretString
andgenerateSecretString
can be provided. Default: - 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values ofSecretStringGenerator
.removal_policy (
Optional
[RemovalPolicy
]) – Policy to apply when the secret is removed from this stack. Default: - Not set.replica_regions (
Optional
[Sequence
[Union
[ReplicaRegion
,Dict
[str
,Any
]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicatedsecret_name (
Optional
[str
]) – A name for the secret. Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name. Default: - A name is generated by CloudFormation.secret_object_value (
Optional
[Mapping
[str
,SecretValue
]]) – Initial value for a JSON secret. NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI). Specifies a JSON object that you want to encrypt and store in this new version of the secret. To specify a simple string value instead, useSecretProps.secretStringValue
Only one ofsecretStringBeta1
,secretStringValue
, ‘secretObjectValue’, andgenerateSecretString
can be provided. Default: - SecretsManager generates a new secret value.secret_string_beta1 (
Optional
[SecretStringValueBeta1
]) – (deprecated) Initial value for the secret. NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI). Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure. Only one ofsecretStringBeta1
,secretStringValue
, andgenerateSecretString
can be provided. Default: - SecretsManager generates a new secret value.secret_string_value (
Optional
[SecretValue
]) – Initial value for the secret. NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI). Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value. To provide a string representation of JSON structure, useSecretProps.secretObjectValue
instead. Only one ofsecretStringBeta1
,secretStringValue
, ‘secretObjectValue’, andgenerateSecretString
can be provided. Default: - SecretsManager generates a new secret value.
- ExampleMetadata:
infused
Example:
# stack: Stack user = iam.User(self, "User") access_key = iam.AccessKey(self, "AccessKey", user=user) secretsmanager.Secret(self, "Secret", secret_object_value={ "username": SecretValue.unsafe_plain_text(user.user_name), "database": SecretValue.unsafe_plain_text("foo"), "password": access_key.secret_access_key } )
Attributes
- description
An optional, human-friendly description of the secret.
- Default:
No description.
- encryption_key
The customer-managed encryption key to use for encrypting the secret value.
- Default:
A default KMS key for the account and region is used.
- generate_secret_string
Configuration for how to generate a secret value.
Only one of
secretString
andgenerateSecretString
can be provided.- Default:
32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
category), per the default values of
SecretStringGenerator
.
- removal_policy
Policy to apply when the secret is removed from this stack.
- Default:
Not set.
- replica_regions
A list of regions where to replicate this secret.
- Default:
Secret is not replicated
- secret_name
A name for the secret.
Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
- Default:
A name is generated by CloudFormation.
- secret_object_value
Initial value for a JSON secret.
NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies a JSON object that you want to encrypt and store in this new version of the secret. To specify a simple string value instead, use
SecretProps.secretStringValue
Only one of
secretStringBeta1
,secretStringValue
, ‘secretObjectValue’, andgenerateSecretString
can be provided.- Default:
SecretsManager generates a new secret value.
Example:
# user: iam.User # access_key: iam.AccessKey # stack: Stack secretsmanager.Secret(stack, "JSONSecret", secret_object_value={ "username": SecretValue.unsafe_plain_text(user.user_name), # intrinsic reference, not exposed as plaintext "database": SecretValue.unsafe_plain_text("foo"), # rendered as plain text, but not a secret "password": access_key.secret_access_key } )
- secret_string_beta1
(deprecated) Initial value for the secret.
NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.
Only one of
secretStringBeta1
,secretStringValue
, andgenerateSecretString
can be provided.- Default:
SecretsManager generates a new secret value.
- Deprecated:
Use
secretStringValue
instead.- Stability:
deprecated
- secret_string_value
Initial value for the secret.
NOTE: It is **highly* encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string – if provided – will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value. To provide a string representation of JSON structure, use
SecretProps.secretObjectValue
instead.Only one of
secretStringBeta1
,secretStringValue
, ‘secretObjectValue’, andgenerateSecretString
can be provided.- Default:
SecretsManager generates a new secret value.