aws-cdk-lib.aws_secretsmanager.SecretTargetAttachment

class SecretTargetAttachment (construct)

LanguageType name
.NETAmazon.CDK.AWS.SecretsManager.SecretTargetAttachment
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awssecretsmanager#SecretTargetAttachment
Javasoftware.amazon.awscdk.services.secretsmanager.SecretTargetAttachment
Pythonaws_cdk.aws_secretsmanager.SecretTargetAttachment
TypeScript (source)aws-cdk-lib » aws_secretsmanager » SecretTargetAttachment

Implements IConstruct, IDependable, IResource, ISecretTargetAttachment, ISecret

An attached secret.

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_secretsmanager as secretsmanager } from 'aws-cdk-lib';

declare const secret: secretsmanager.Secret;
declare const secretAttachmentTarget: secretsmanager.ISecretAttachmentTarget;
const secretTargetAttachment = new secretsmanager.SecretTargetAttachment(this, 'MySecretTargetAttachment', {
  secret: secret,
  target: secretAttachmentTarget,
});

Initializer

new SecretTargetAttachment(scope: Construct, id: string, props: SecretTargetAttachmentProps)

Parameters

  • scope Construct
  • id string
  • props SecretTargetAttachmentProps

Construct Props

NameTypeDescription
secretISecretThe secret to attach to the target.
targetISecretAttachmentTargetThe target to attach the secret to.

secret

Type: ISecret

The secret to attach to the target.


target

Type: ISecretAttachmentTarget

The target to attach the secret to.

Properties

NameTypeDescription
arnForPoliciesstringProvides an identifier for this secret for use in IAM policies.
autoCreatePolicyboolean
envResourceEnvironmentThe environment this resource belongs to.
nodeNodeThe tree node.
secretArnstringThe ARN of the secret in AWS Secrets Manager.
secretNamestringThe name of the secret.
secretTargetAttachmentSecretArnstringSame as secretArn.
secretValueSecretValueRetrieve the value of the stored secret as a SecretValue.
stackStackThe stack in which this resource is defined.
encryptionKey?IKeyThe customer-managed encryption key that is used to encrypt this secret, if any.
secretFullArn?stringThe full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

arnForPolicies

Type: string

Provides an identifier for this secret for use in IAM policies.

If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.


autoCreatePolicy

Type: boolean


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


secretArn

Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.


secretName

Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.


secretTargetAttachmentSecretArn

Type: string

Same as secretArn.


secretValue

Type: SecretValue

Retrieve the value of the stored secret as a SecretValue.


stack

Type: Stack

The stack in which this resource is defined.


encryptionKey?

Type: IKey (optional)

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.


secretFullArn?

Type: string (optional)

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

Methods

NameDescription
addRotationSchedule(id, options)Adds a rotation schedule to the secret.
addToResourcePolicy(statement)Forward any additions to the resource policy to the original secret.
applyRemovalPolicy(policy)Apply the given removal policy to this resource.
attach(target)Attach a target to this secret.
denyAccountRootDelete()Denies the DeleteSecret action to all principals within the current account.
grantRead(grantee, versionStages?)Grants reading the secret value to some role.
grantWrite(grantee)Grants writing and updating the secret value to some role.
secretValueFromJson(jsonField)Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
toString()Returns a string representation of this construct.
static fromSecretTargetAttachmentSecretArn(scope, id, secretTargetAttachmentSecretArn)

addRotationSchedule(id, options)

public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Parameters

  • id string
  • options RotationScheduleOptions

Returns

  • RotationSchedule

Adds a rotation schedule to the secret.


addToResourcePolicy(statement)

public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Parameters

  • statement PolicyStatement

Returns

  • AddToResourcePolicyResult

Forward any additions to the resource policy to the original secret.

This is required because a secret can only have a single resource policy. If we do not forward policy additions, a new policy resource is created using the secret attachment ARN. This ends up being rejected by CloudFormation.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


attach(target)

public attach(target: ISecretAttachmentTarget): ISecret

Parameters

  • target ISecretAttachmentTarget — The target to attach.

Returns

  • ISecret

Attach a target to this secret.


denyAccountRootDelete()

public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.


grantRead(grantee, versionStages?)

public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Parameters

  • grantee IGrantable
  • versionStages string[]

Returns

  • Grant

Grants reading the secret value to some role.


grantWrite(grantee)

public grantWrite(grantee: IGrantable): Grant

Parameters

  • grantee IGrantable

Returns

  • Grant

Grants writing and updating the secret value to some role.


secretValueFromJson(jsonField)

public secretValueFromJson(jsonField: string): SecretValue

Parameters

  • jsonField string

Returns

  • SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromSecretTargetAttachmentSecretArn(scope, id, secretTargetAttachmentSecretArn)

public static fromSecretTargetAttachmentSecretArn(scope: Construct, id: string, secretTargetAttachmentSecretArn: string): ISecretTargetAttachment

Parameters

  • scope Construct
  • id string
  • secretTargetAttachmentSecretArn string

Returns

  • ISecretTargetAttachment