aws-cdk-lib.aws_secretsmanager.Secret

class Secret (construct)

Language | Type name
.NET | Amazon.CDK.AWS.SecretsManager.Secret
Go | github.com/aws/aws-cdk-go/awscdk/v2/awssecretsmanager#Secret
Java | software.amazon.awscdk.services.secretsmanager.Secret
Python | aws_cdk.aws_secretsmanager.Secret
TypeScript (source) | aws-cdk-lib » aws_secretsmanager » Secret

Implements IConstruct, IDependable, IResource, ISecret

Creates a new secret in AWS SecretsManager.

Example

const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
declare const stack: Stack;

new secretsmanager.Secret(this, 'Secret', {
  secretObjectValue: {
    username: SecretValue.unsafePlainText(user.userName),
    database: SecretValue.unsafePlainText('foo'),
    password: accessKey.secretAccessKey,
  },
});

Initializer

new Secret(scope: Construct, id: string, props?: SecretProps)

Parameters

  • scope Construct
  • id string
  • props SecretProps

Construct Props

Name | Type | Description
description? | string | An optional, human-friendly description of the secret.
encryptionKey? | IKey | The customer-managed encryption key to use for encrypting the secret value.
generateSecretString? | SecretStringGenerator | Configuration for how to generate a secret value.
removalPolicy? | RemovalPolicy | Policy to apply when the secret is removed from this stack.
replicaRegions? | ReplicaRegion[] | A list of regions where to replicate this secret.
secretName? | string | A name for the secret.
secretObjectValue? | { [string]: SecretValue } | Initial value for a JSON secret.
secretStringBeta1? ⚠️ | SecretStringValueBeta1 | Initial value for the secret (deprecated).
secretStringValue? | SecretValue | Initial value for the secret.

description?

Type: string (optional, default: No description.)

An optional, human-friendly description of the secret.


encryptionKey?

Type: IKey (optional, default: A default KMS key for the account and region is used.)

The customer-managed encryption key to use for encrypting the secret value.


generateSecretString?

Type: SecretStringGenerator (optional, default: 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values of SecretStringGenerator.)

Configuration for how to generate a secret value.

Only one of secretString and generateSecretString can be provided.


removalPolicy?

Type: RemovalPolicy (optional, default: Not set.)

Policy to apply when the secret is removed from this stack.


replicaRegions?

Type: ReplicaRegion[] (optional, default: Secret is not replicated)

A list of regions where to replicate this secret.


secretName?

Type: string (optional, default: A name is generated by CloudFormation.)

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but only after a 7- to 30-day blackout period. During that period, it is not possible to create another secret that shares the same name.


secretObjectValue?

Type: { [string]: SecretValue } (optional, default: SecretsManager generates a new secret value.)

Initial value for a JSON secret.

NOTE: It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object -- if provided -- will be included in the output of the CDK as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies a JSON object that you want to encrypt and store in this new version of the secret. To specify a simple string value instead, use SecretProps.secretStringValue.

Only one of secretStringBeta1, secretStringValue, secretObjectValue, and generateSecretString can be provided.

Example

declare const user: iam.User;
declare const accessKey: iam.AccessKey;
declare const stack: Stack;
new secretsmanager.Secret(stack, 'JSONSecret', {
  secretObjectValue: {
    username: SecretValue.unsafePlainText(user.userName), // intrinsic reference, not exposed as plaintext
    database: SecretValue.unsafePlainText('foo'), // rendered as plain text, but not a secret
    password: accessKey.secretAccessKey, // SecretValue
  },
});

secretStringBeta1?⚠️

⚠️ Deprecated: Use secretStringValue instead.

Type: SecretStringValueBeta1 (optional, default: SecretsManager generates a new secret value.)

Initial value for the secret.

NOTE: It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the CDK as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.

Only one of secretStringBeta1, secretStringValue, and generateSecretString can be provided.


secretStringValue?

Type: SecretValue (optional, default: SecretsManager generates a new secret value.)

Initial value for the secret.

NOTE: It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the CDK as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely a reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value. To provide a string representation of a JSON structure, use SecretProps.secretObjectValue instead.

Only one of secretStringBeta1, secretStringValue, secretObjectValue, and generateSecretString can be provided.

Properties

Name | Type | Description
arnForPolicies | string | Provides an identifier for this secret for use in IAM policies.
autoCreatePolicy | boolean |
env | ResourceEnvironment | The environment this resource belongs to.
node | Node | The tree node.
secretArn | string | The ARN of the secret in AWS Secrets Manager.
secretName | string | The name of the secret.
secretValue | SecretValue | Retrieve the value of the stored secret as a SecretValue.
stack | Stack | The stack in which this resource is defined.
encryptionKey? | IKey | The customer-managed encryption key that is used to encrypt this secret, if any.
excludeCharacters? | string | The string of characters excluded from this secret when it is generated.
secretFullArn? | string | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

arnForPolicies

Type: string

Provides an identifier for this secret for use in IAM policies.

If there is a full ARN, this is just that ARN; if only a partial ARN is available -- because the secret was imported by name or by partial ARN -- a suffix is appended so that the identifier matches the full ARN's format.


autoCreatePolicy

Type: boolean


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


secretArn

Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial ARN. For secrets imported by the deprecated fromSecretName, it will return the secretName.


secretName

Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.


secretValue

Type: SecretValue

Retrieve the value of the stored secret as a SecretValue.


stack

Type: Stack

The stack in which this resource is defined.


encryptionKey?

Type: IKey (optional)

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is used.


excludeCharacters?

Type: string (optional)

The string of characters excluded from this secret when it is generated.


secretFullArn?

Type: string (optional)

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

Methods

Name | Description
addReplicaRegion(region, encryptionKey?) | Adds a replica region for the secret.
addRotationSchedule(id, options) | Adds a rotation schedule to the secret.
addToResourcePolicy(statement) | Adds a statement to the IAM resource policy associated with this secret.
applyRemovalPolicy(policy) | Apply the given removal policy to this resource.
attach(target) | Attach a target to this secret.
denyAccountRootDelete() | Denies the DeleteSecret action to all principals within the current account.
grantRead(grantee, versionStages?) | Grants reading the secret value to some role.
grantWrite(grantee) | Grants writing and updating the secret value to some role.
secretValueFromJson(jsonField) | Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString() | Returns a string representation of this construct.
static fromSecretAttributes(scope, id, attrs) | Import an existing secret into the Stack.
static fromSecretCompleteArn(scope, id, secretCompleteArn) | Imports a secret by complete ARN.
static fromSecretNameV2(scope, id, secretName) | Imports a secret by secret name.
static fromSecretPartialArn(scope, id, secretPartialArn) | Imports a secret by partial ARN.
static isSecret(x) | Return whether the given object is a Secret.

addReplicaRegion(region, encryptionKey?)

public addReplicaRegion(region: string, encryptionKey?: IKey): void

Parameters

  • region string — The name of the region.
  • encryptionKey IKey — The customer-managed encryption key to use for encrypting the secret value.

Adds a replica region for the secret.


addRotationSchedule(id, options)

public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Parameters

  • id string
  • options RotationScheduleOptions

Returns

  • RotationSchedule

Adds a rotation schedule to the secret.


addToResourcePolicy(statement)

public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Parameters

  • statement PolicyStatement

Returns

  • AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


attach(target)

public attach(target: ISecretAttachmentTarget): ISecret

Parameters

  • target ISecretAttachmentTarget — The target to attach.

Returns

  • ISecret

Attach a target to this secret.


denyAccountRootDelete()

public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.


grantRead(grantee, versionStages?)

public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Parameters

  • grantee IGrantable
  • versionStages string[]

Returns

  • Grant

Grants reading the secret value to some role.


grantWrite(grantee)

public grantWrite(grantee: IGrantable): Grant

Parameters

  • grantee IGrantable

Returns

  • Grant

Grants writing and updating the secret value to some role.


secretValueFromJson(jsonField)

public secretValueFromJson(jsonField: string): SecretValue

Parameters

  • jsonField string

Returns

  • SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromSecretAttributes(scope, id, attrs)

public static fromSecretAttributes(scope: Construct, id: string, attrs: SecretAttributes): ISecret

Parameters

  • scope Construct — the scope of the import.
  • id string — the ID of the imported Secret in the construct tree.
  • attrs SecretAttributes — the attributes of the imported secret.

Returns

  • ISecret

Import an existing secret into the Stack.


static fromSecretCompleteArn(scope, id, secretCompleteArn)

public static fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string): ISecret

Parameters

  • scope Construct
  • id string
  • secretCompleteArn string

Returns

  • ISecret

Imports a secret by complete ARN.

The complete ARN is the ARN with the Secrets Manager-supplied suffix.


static fromSecretNameV2(scope, id, secretName)

public static fromSecretNameV2(scope: Construct, id: string, secretName: string): ISecret

Parameters

  • scope Construct
  • id string
  • secretName string

Returns

  • ISecret

Imports a secret by secret name.

A secret with this name must exist in the same account and region. Replaces the deprecated fromSecretName. Please note that this method returns an ISecret that only contains a partial ARN, which could lead to an AccessDeniedException when you pass the partial ARN to the CLI or SDK to get the secret value. If your secret name ends with a hyphen and 6 characters, you should always use fromSecretCompleteArn() to avoid a potential AccessDeniedException.

See also: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
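As an added illustration (not aws-cdk-lib's own code), the standalone TypeScript below models the ARN rules this page documents for arnForPolicies, secretFullArn and fromSecretNameV2: a name-based import yields only a partial ARN, the IAM policy identifier gets a six-character wildcard suffix (assumed here to be `-??????`, the suffix the CDK appends), and a name ending in a hyphen plus six characters is flagged for the fromSecretCompleteArn() caveat. Region, account id and secret names are constructed sample values.

```typescript
// Added example, not aws-cdk-lib code: models the ARN handling this page
// documents for arnForPolicies, secretFullArn and fromSecretNameV2.
// All region/account/name values below are constructed samples.

const SECRET_ARN_RE = /^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$/;
const POLICY_SUFFIX = '-??????'; // assumption: the 6-char wildcard suffix the CDK appends

interface ImportedSecret {
  secretArn: string;       // full ARN if available, otherwise the partial ARN
  secretFullArn?: string;  // undefined when only a partial ARN is known
  arnForPolicies: string;  // value to put in an IAM policy Resource element
  warning?: string;        // set when the name triggers the hyphen caveat
}

// Like fromSecretNameV2: only a partial ARN can be derived from a name, so
// arnForPolicies needs the wildcard suffix to match the real resource.
function importByName(region: string, account: string, name: string): ImportedSecret {
  const secretArn = `arn:aws:secretsmanager:${region}:${account}:secret:${name}`;
  const warning = /-[A-Za-z0-9]{6}$/.test(name)
    ? 'name ends with "-" plus 6 characters; import with fromSecretCompleteArn() instead'
    : undefined;
  return { secretArn, secretFullArn: undefined, arnForPolicies: secretArn + POLICY_SUFFIX, warning };
}

// Like fromSecretCompleteArn: the ARN already carries the service suffix,
// so it is usable verbatim in policies and API calls.
function importByCompleteArn(arn: string): ImportedSecret {
  if (!SECRET_ARN_RE.test(arn)) throw new Error(`not a Secrets Manager ARN: ${arn}`);
  return { secretArn: arn, secretFullArn: arn, arnForPolicies: arn };
}

// IAM resource matching: '?' matches one character, '*' any run of characters.
function policyMatches(pattern: string, arn: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metachars except ? and *
    .replace(/\?/g, '.')
    .replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`).test(arn);
}

// Walk through the cases the page describes.
const byName = importByName('us-east-1', '123456789012', 'prod/db-creds');
const real = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-creds-AbCdEf';
console.log(policyMatches(byName.arnForPolicies, real)); // true: the wildcard covers the suffix
console.log(policyMatches(byName.secretArn, real));      // false: the bare partial ARN does not
console.log(importByName('us-east-1', '123456789012', 'prod/db-abc123').warning);
```

The second console.log is the failure mode the page warns about: a policy or API call written against the bare partial ARN never matches the suffixed resource.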


static fromSecretPartialArn(scope, id, secretPartialArn)

public static fromSecretPartialArn(scope: Construct, id: string, secretPartialArn: string): ISecret

Parameters

  • scope Construct
  • id string
  • secretPartialArn string

Returns

  • ISecret

Imports a secret by partial ARN.

The partial ARN is the ARN without the Secrets Manager-supplied suffix.


static isSecret(x)

public static isSecret(x: any): boolean

Parameters

  • x any

Returns

  • boolean

Return whether the given object is a Secret.