
The CDK Construct Library for AWS::SecretsManager

Project description

AWS Secrets Manager Construct Library


Stability: Stable

This is a developer preview (public beta) module. Releases might lack important features and might have future breaking changes.


const secretsmanager = require('@aws-cdk/aws-secretsmanager');

Create a new Secret in a Stack

To have Secrets Manager generate the secret value for you (so that it never appears in your template or in source control), you can get started with the following:

    const iam = require('@aws-cdk/aws-iam');

    // Default secret: Secrets Manager generates the value; the template only carries a reference to it
    const secret = new secretsmanager.Secret(this, 'Secret');
    // `role` is an iam.IRole defined elsewhere in the stack. grantRead adds
    // secretsmanager:GetSecretValue on this secret (and kms:Decrypt on its CMK, if any) to the role.
    secret.grantRead(role);

    new iam.User(this, 'User', {
      password: secret.secretValue
    });

    // Templated secret: Secrets Manager keeps the JSON template and fills in
    // a generated value under the `password` key
    const templatedSecret = new secretsmanager.Secret(this, 'TemplatedSecret', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: 'user' }),
        generateStringKey: 'password'
      }
    });

    new iam.User(this, 'OtherUser', {
      userName: templatedSecret.secretValueFromJson('username').toString(),
      password: templatedSecret.secretValueFromJson('password')
    });

The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application:

const kms = require('@aws-cdk/aws-kms');

// scope: the Construct this secret belongs to (usually `this` inside a Stack)
const secret = secretsmanager.Secret.fromSecretAttributes(scope, 'ImportedSecret', {
  // The full ARN, including the 6-character suffix Secrets Manager appends to the name
  secretArn: 'arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>',
  // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key
  // (e.g. kms.Key.fromKeyArn(scope, 'Key', keyArn)), otherwise grantRead cannot also grant kms:Decrypt:
  encryptionKey,
});

Secrets Manager secret values resolve to CloudFormation dynamic references, and those can only be used in a select set of resource properties. For the list of properties, see the CloudFormation Dynamic References documentation.
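The two rules above, no literal SecretString in the template and secret values only ever as dynamic references, are both checkable in CI once the stack is synthesized. The following is an added example, not code from @aws-cdk/aws-secretsmanager or the CDK: it parses the `{{resolve:secretsmanager:...}}` reference form and audits a template for secrets that leaked in as literals. The template shapes, logical ids, ARN and passwords in it are constructed for the example.

```typescript
// Added example (not code from @aws-cdk/aws-secretsmanager): a CI-time check over a
// synthesized CloudFormation template for the two ways a secret leaks into it:
// a literal SecretString on an AWS::SecretsManager::Secret, and a credential-like
// property carrying a literal string instead of a {{resolve:secretsmanager:...}}
// dynamic reference. Resource shapes and sample templates are constructed here.

type CfnResource = { Type: string; Properties?: { [key: string]: unknown } };
export type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

/** Fields of a CloudFormation Secrets Manager dynamic reference. */
export interface SecretRef {
  secretId: string;     // secret ARN or name
  jsonKey: string;      // '' means the whole SecretString
  versionStage: string; // '' means AWSCURRENT
  versionId: string;
}

// {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>:<version-stage>:<version-id>}}
// The secret id may itself contain ':' (an ARN does), so it is matched greedily
// up to the literal ':SecretString:' separator.
const RESOLVE_RE = /^\{\{resolve:secretsmanager:(.+):SecretString:([^:]*):([^:]*):([^:]*)\}\}$/;

export function parseSecretRef(value: string): SecretRef | null {
  const m = RESOLVE_RE.exec(value);
  return m ? { secretId: m[1], jsonKey: m[2], versionStage: m[3], versionId: m[4] } : null;
}

/** String form of the reference secret.secretValue / secretValueFromJson(key) resolve to. */
export function secretRef(secretId: string, jsonKey = ''): string {
  return `{{resolve:secretsmanager:${secretId}:SecretString:${jsonKey}::}}`;
}

export interface Finding { logicalId: string; path: string; message: string }

// Property names that should never hold a literal value in a template (heuristic).
const CREDENTIAL_KEY_RE = /password|passwd|secret|token/i;

/** Visit every string leaf under a property tree. Arrays (the arguments of
 *  intrinsics such as Fn::Join) are not descended into: an intrinsic that
 *  references a secret resource is exactly what should be there. */
function forEachStringLeaf(value: unknown, path: string, visit: (path: string, leaf: string) => void): void {
  if (typeof value === 'string') { visit(path, value); return; }
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    const obj = value as { [key: string]: unknown };
    for (const key of Object.keys(obj)) forEachStringLeaf(obj[key], path ? `${path}.${key}` : key, visit);
  }
}

export function auditTemplate(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    const props = res.Properties || {};
    if (res.Type === 'AWS::SecretsManager::Secret') {
      if ('SecretString' in props) {
        findings.push({ logicalId, path: 'SecretString',
          message: 'secret value is a literal in the template; use GenerateSecretString or import the secret' });
      }
      continue;
    }
    forEachStringLeaf(props, '', (path, leaf) => {
      const lastSegment = path.split('.').pop() || '';
      if (CREDENTIAL_KEY_RE.test(lastSegment) && parseSecretRef(leaf) === null) {
        findings.push({ logicalId, path, message: 'credential property is a literal, not a Secrets Manager dynamic reference' });
      }
    });
  }
  return findings;
}

// Constructed sample: SecretString set by hand and the same password pasted into an IAM LoginProfile.
export const LEAKY_TEMPLATE: CfnTemplate = {
  Resources: {
    DbSecret: { Type: 'AWS::SecretsManager::Secret', Properties: { SecretString: '{"username":"admin","password":"hunter2"}' } },
    AdminUser: { Type: 'AWS::IAM::User', Properties: { LoginProfile: { Password: 'hunter2' } } },
  },
};

// Constructed sample: the generateSecretString shape, with the consumer using a dynamic reference.
export const SAFE_TEMPLATE: CfnTemplate = {
  Resources: {
    DbSecret: { Type: 'AWS::SecretsManager::Secret',
      Properties: { GenerateSecretString: { SecretStringTemplate: '{"username":"user"}', GenerateStringKey: 'password' } } },
    AdminUser: { Type: 'AWS::IAM::User',
      Properties: { LoginProfile: { Password: secretRef('arn:aws:secretsmanager:us-east-1:123456789012:secret:DbSecret-AbCdEf', 'password') } } },
  },
};
```

Run `auditTemplate` over the JSON that `cdk synth` writes and fail the pipeline on any finding. Intrinsic functions (the `Fn::Join`/`Ref` form the CDK emits for a secret defined in the same stack) pass through untouched; only plain strings are judged.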

Rotating a Secret

A rotation schedule can be added to a Secret. Secrets Manager will invoke the given Lambda function on that schedule; the function must be invokable by Secrets Manager and must be able to read and update the secret's versions:

const lambda = require('@aws-cdk/aws-lambda');

const fn = new lambda.Function(...); // the rotation function
const secret = new secretsmanager.Secret(this, 'Secret');

secret.addRotationSchedule('RotationSchedule', {
  rotationLambda: fn,
  automaticallyAfterDays: 15 // Secrets Manager triggers a rotation every 15 days
});

See the Overview of the Lambda Rotation Function for how to implement a Lambda rotation function.

For RDS credentials rotation, see aws-rds.
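What the rotation function has to do is the part this README defers to the Overview of the Lambda Rotation Function. The following is an added example, not code from this library or from AWS: it shows the four-step control flow (createSecret, setSecret, testSecret, finishSecret) with the guards that make retries and out-of-order invocations safe, written against in-memory stand-ins for the Secrets Manager API and for the credentialed service so it runs offline. A real handler is async and makes the same calls through the AWS SDK; the stand-in classes, version ids, ARN and passwords are constructed for the example.

```typescript
// Added example (not the library's or AWS's code): control flow of a Secrets Manager
// rotation Lambda against in-memory stand-ins. A real handler calls describeSecret,
// getSecretValue, putSecretValue and updateSecretVersionStage through the AWS SDK.

type Stage = 'AWSCURRENT' | 'AWSPENDING' | 'AWSPREVIOUS';
type Step = 'createSecret' | 'setSecret' | 'testSecret' | 'finishSecret';
interface Version { value?: string; stages: Stage[] }
export interface RotationEvent { SecretId: string; ClientRequestToken: string; Step: Step }

/** Stand-in for the slice of the Secrets Manager API a rotation function uses (constructed). */
export class FakeSecretsManager {
  versions: { [versionId: string]: Version } = {};
  rotationEnabled = true;
  constructor(initialValue: string) { this.versions['v0'] = { value: initialValue, stages: ['AWSCURRENT'] }; }
  /** Secrets Manager labels the request token AWSPENDING before invoking the function. */
  beginRotation(token: string): void { this.versions[token] = { stages: ['AWSPENDING'] }; }
  describeSecret(): { RotationEnabled: boolean; VersionIdsToStages: { [id: string]: Stage[] } } {
    const map: { [id: string]: Stage[] } = {};
    for (const id of Object.keys(this.versions)) map[id] = this.versions[id].stages.slice();
    return { RotationEnabled: this.rotationEnabled, VersionIdsToStages: map };
  }
  getSecretValue(q: { VersionId?: string; VersionStage?: Stage }): string {
    for (const id of Object.keys(this.versions)) {
      const v = this.versions[id];
      const idOk = q.VersionId === undefined || id === q.VersionId;
      const stageOk = q.VersionStage === undefined || v.stages.indexOf(q.VersionStage) >= 0;
      if (idOk && stageOk && v.value !== undefined) return v.value;
    }
    throw new Error('ResourceNotFoundException'); // no version with a value matches
  }
  putSecretValue(token: string, value: string, stages: Stage[]): void { this.versions[token] = { value, stages }; }
  updateSecretVersionStage(stage: Stage, moveToVersionId: string, removeFromVersionId?: string): void {
    if (removeFromVersionId !== undefined) {
      const old = this.versions[removeFromVersionId];
      old.stages = old.stages.filter(s => s !== stage);
      if (stage === 'AWSCURRENT') { // Secrets Manager relabels the outgoing current version AWSPREVIOUS
        for (const id of Object.keys(this.versions)) this.versions[id].stages = this.versions[id].stages.filter(s => s !== 'AWSPREVIOUS');
        old.stages.push('AWSPREVIOUS');
      }
    }
    const dst = this.versions[moveToVersionId];
    if (dst.stages.indexOf(stage) < 0) dst.stages.push(stage);
    if (stage === 'AWSCURRENT') dst.stages = dst.stages.filter(s => s !== 'AWSPENDING'); // rotation complete
  }
}

/** Stand-in for the service the credential belongs to, e.g. a database user (constructed). */
export class FakeService {
  constructor(private password: string) {}
  login(password: string): boolean { return password === this.password; }
  changePassword(current: string, next: string): void {
    if (!this.login(current)) throw new Error('AccessDenied');
    this.password = next;
  }
}

export function rotationHandler(event: RotationEvent, sm: FakeSecretsManager, svc: FakeService, newPassword: () => string): string {
  const token = event.ClientRequestToken;
  const meta = sm.describeSecret();
  // Guards every step runs first; they make repeated or out-of-order invocations safe.
  if (!meta.RotationEnabled) throw new Error(`Secret ${event.SecretId} is not enabled for rotation`);
  const stages = meta.VersionIdsToStages[token];
  if (!stages) throw new Error(`Secret version ${token} has no stage for rotation`);
  if (stages.indexOf('AWSCURRENT') >= 0) return 'already current'; // finishSecret already ran for this token
  if (stages.indexOf('AWSPENDING') < 0) throw new Error(`Secret version ${token} is not AWSPENDING`);

  switch (event.Step) {
    case 'createSecret': {
      sm.getSecretValue({ VersionStage: 'AWSCURRENT' }); // fail early if there is nothing to rotate from
      try {
        sm.getSecretValue({ VersionId: token, VersionStage: 'AWSPENDING' });
        return 'pending already exists'; // idempotent: a retry must not generate a second value
      } catch {
        sm.putSecretValue(token, newPassword(), ['AWSPENDING']);
        return 'created';
      }
    }
    case 'setSecret': {
      const pending = sm.getSecretValue({ VersionId: token, VersionStage: 'AWSPENDING' });
      if (svc.login(pending)) return 'already set'; // idempotent retry
      svc.changePassword(sm.getSecretValue({ VersionStage: 'AWSCURRENT' }), pending);
      return 'set';
    }
    case 'testSecret': {
      const pending = sm.getSecretValue({ VersionId: token, VersionStage: 'AWSPENDING' });
      if (!svc.login(pending)) throw new Error('pending credential does not work; stop before finishSecret');
      return 'tested';
    }
    case 'finishSecret': {
      let current: string | undefined;
      for (const id of Object.keys(meta.VersionIdsToStages)) {
        if (meta.VersionIdsToStages[id].indexOf('AWSCURRENT') >= 0) current = id;
      }
      sm.updateSecretVersionStage('AWSCURRENT', token, current);
      return 'finished';
    }
    default:
      throw new Error('Unknown step ' + event.Step);
  }
}

/** Drive one rotation the way Secrets Manager does: four invocations carrying the same token. */
export function rotate(sm: FakeSecretsManager, svc: FakeService, token: string, newPassword: () => string): string {
  sm.beginRotation(token);
  const steps: Step[] = ['createSecret', 'setSecret', 'testSecret', 'finishSecret'];
  for (const step of steps) {
    rotationHandler({ SecretId: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:Db-AbCdEf', ClientRequestToken: token, Step: step }, sm, svc, newPassword);
  }
  return sm.getSecretValue({ VersionStage: 'AWSCURRENT' });
}
```

The point worth keeping from this model is the ordering: the new value is stored under AWSPENDING before the service is touched, the service is verified with it before AWSCURRENT moves, and every step is idempotent because Secrets Manager retries failed invocations with the same ClientRequestToken. Password generation is passed in as a callback; a real function would use the GetRandomPassword API rather than anything in this block.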

Project details



Download files


Source Distribution

aws-cdk.aws-secretsmanager-0.37.0.tar.gz (61.2 kB)

Uploaded Source

Built Distribution


aws_cdk.aws_secretsmanager-0.37.0-py3-none-any.whl (60.5 kB)

Uploaded Python 3

File details

Details for the file aws-cdk.aws-secretsmanager-0.37.0.tar.gz.

File metadata

  • Download URL: aws-cdk.aws-secretsmanager-0.37.0.tar.gz
  • Size: 61.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.6.5

File hashes

Hashes for aws-cdk.aws-secretsmanager-0.37.0.tar.gz
Algorithm Hash digest
SHA256 2b932f2e852ba70145d773dc2e46cedbd23fdd3a189393a2ef15e03104ebcf3e
MD5 e304af13eff0dc162872687db7279630
BLAKE2b-256 15e0fde6baddb22fbc38d031fe702de0dd6d576b83da134bac414e13f8514cfa


File details

Details for the file aws_cdk.aws_secretsmanager-0.37.0-py3-none-any.whl.

File metadata

  • Download URL: aws_cdk.aws_secretsmanager-0.37.0-py3-none-any.whl
  • Size: 60.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.6.5

File hashes

Hashes for aws_cdk.aws_secretsmanager-0.37.0-py3-none-any.whl
Algorithm Hash digest
SHA256 954ec61fc37e6282693c1c9b930299a8f8403afbd3141bae8c991e58373423fd
MD5 ea7c6bcc8367baf893ae04690d09fec7
BLAKE2b-256 362791eb648738356b7a15911ee9f420a9c3a035be7f6a99d9d502f00766af3c

