The CDK Construct Library for AWS::SecretsManager
Project description
AWS Secrets Manager Construct Library
```python
# Example may have issues. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_secretsmanager as secretsmanager
```
Create a new Secret in a Stack
In order to have SecretsManager generate a new secret value automatically, you can get started with the following:
```python
# Example may have issues. See https://github.com/aws/jsii/issues/826
import json
import aws_cdk.aws_iam as iam
import aws_cdk.aws_secretsmanager as secretsmanager

# Default secret: Secrets Manager generates the value, so nothing is stored in the template
secret = secretsmanager.Secret(self, "Secret")
role = iam.Role(self, "Role", assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"))
secret.grant_read(role)
iam.User(self, "User",
    password=secret.secret_value
)

# Templated secret: a JSON template whose "password" key is generated
templated_secret = secretsmanager.Secret(self, "TemplatedSecret",
    generate_secret_string=secretsmanager.SecretStringGenerator(
        secret_string_template=json.dumps({"username": "user"}),
        generate_string_key="password"
    )
)
iam.User(self, "OtherUser",
    user_name=templated_secret.secret_value_from_json("username").to_string(),
    password=templated_secret.secret_value_from_json("password")
)
```
The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application:
```python
# Example may have issues. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_kms as kms
import aws_cdk.aws_secretsmanager as secretsmanager

# If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
encryption_key = kms.Key.from_key_arn(self, "SecretKey", "arn:aws:kms:<region>:<account-id-number>:key/<key-id>")
secret = secretsmanager.Secret.from_secret_attributes(self, "ImportedSecret",
    secret_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>",
    encryption_key=encryption_key
)
```
SecretsManager secret values can only be used in a select set of resource properties. For the list of properties, see the CloudFormation Dynamic References documentation.
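As an added check (not code from the CDK project), the following Python scans a synthesized CloudFormation template for the two problems the paragraphs above warn about: a literal SecretString on a Secret resource, and a sensitive property such as an IAM user's Password set to a literal value instead of a `{{resolve:secretsmanager:...}}` dynamic reference. The sample template, its resource names and the list of sensitive property names are constructed assumptions.

```python
import re

# Constructed sample: the shape CDK synthesizes for the examples above, plus two bad resources.
TEMPLATE = {
    "Resources": {
        "Secret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"GenerateSecretString": {
                "SecretStringTemplate": '{"username":"user"}',
                "GenerateStringKey": "password"}}},
        "LeakySecret": {  # the property the Secret construct refuses to emit
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"SecretString": "hunter2"}},
        "User": {  # how CDK renders secret.secret_value: a dynamic reference
            "Type": "AWS::IAM::User",
            "Properties": {"Password": {"Fn::Join": ["", [
                "{{resolve:secretsmanager:", {"Ref": "Secret"},
                ":SecretString:password::}}"]]}}},
        "OtherUser": {  # a literal password baked into the template
            "Type": "AWS::IAM::User",
            "Properties": {"Password": "hunter2"}},
    }
}

DYNAMIC_REF = re.compile(r"^\{\{resolve:secretsmanager:")
# Assumed list of property names that must never hold a literal secret value
SENSITIVE_PROPS = {"Password", "MasterUserPassword", "SecretString"}

def is_secret_reference(value):
    """True if value is a Secrets Manager dynamic reference: a literal
    '{{resolve:secretsmanager:...}}' string or an Fn::Join that opens with one."""
    if isinstance(value, str):
        return bool(DYNAMIC_REF.match(value))
    if isinstance(value, dict) and "Fn::Join" in value:
        pieces = value["Fn::Join"][1]
        return (bool(pieces) and isinstance(pieces[0], str)
                and bool(DYNAMIC_REF.match(pieces[0])))
    return False

def find_plaintext_secrets(template):
    """Return sorted (logical_id, property) pairs holding a literal secret."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for name in SENSITIVE_PROPS.intersection(props):
            if not is_secret_reference(props[name]):
                findings.append((logical_id, name))
    return sorted(findings)
```

Run it against the output of `cdk synth` in CI so a literal secret fails the build before the template reaches source control or CloudFormation.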
Rotating a Secret
A rotation schedule can be added to a Secret:
```python
# Example may have issues. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_lambda as lambda_
import aws_cdk.aws_secretsmanager as secretsmanager
from aws_cdk.core import Duration

# Placeholder rotation function; see the rotation function overview linked below for a real handler
fn = lambda_.Function(self, "RotationFunction", runtime=lambda_.Runtime.PYTHON_3_7,
    handler="index.handler", code=lambda_.Code.from_inline("def handler(event, context): pass"))
secret = secretsmanager.Secret(self, "Secret")
secret.add_rotation_schedule("RotationSchedule",
    rotation_lambda=fn,
    automatically_after=Duration.days(15)
)
```
See Overview of the Lambda Rotation Function for how to implement a Lambda rotation function.
For RDS credentials rotation, see aws-rds.
Hashes for aws-cdk.aws-secretsmanager-1.14.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 04266c25bc7884ddecd5bc3cb3a32b74f79066cf6245f2851944701b9c42c7ca
MD5 | cbe8834ce877eeb1e6e1c9a83ae33e30
BLAKE2b-256 | 5f3a48f36ab84cd09614a632e54d9fb74754e6afce011d6ca0942caf3d0c8246

Hashes for aws_cdk.aws_secretsmanager-1.14.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 9a8251e3250b8c0968e3d925c4d658bc5d8dc6cafb4cefcf8409d7161cbd9635
MD5 | ce9888e9cdcca8ae7eebd761a73b997e
BLAKE2b-256 | 17f4e97258522acc1716b6b269eeb47d8e227b81f3654b399b03ef6b3f369775