The CDK Construct Library for AWS::SecretsManager
Project description
AWS Secrets Manager Construct Library
---# Example automatically generated. See https://github.com/aws/jsii/issues/826
secretsmanager = require("@aws-cdk/aws-secretsmanager")
Create a new Secret in a Stack
In order to have SecretsManager generate a new secret value automatically, you can get started with the following:
# Example automatically generated. See https://github.com/aws/jsii/issues/826
# Default secret
secret = secretsmanager.Secret(self, "Secret")
secret.grant_read(role)
iam.User(self, "User",
password=secret.secret_value
)
# Templated secret
templated_secret = secretsmanager.Secret(self, "TemplatedSecret",
generate_secret_string=SecretStringGenerator(
secret_string_template=JSON.stringify(username="user"),
generate_string_key="password"
)
)
iam.User(self, "OtherUser",
user_name=templated_secret.secret_value_from_json("username").to_string(),
password=templated_secret.secret_value_from_json("password")
)
The Secret
construct does not allow specifying the SecretString
property
of the AWS::SecretsManager::Secret
resource (as this will almost always
lead to the secret being surfaced in plain text and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS SecretsManager and use the Secret.fromSecretArn
or Secret.fromSecretAttributes
method to make it available in your CDK Application:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
secret = secretsmanager.Secret.from_secret_attributes(scope, "ImportedSecret",
secret_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>",
# If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
encryption_key=encryption_key
)
SecretsManager secret values can only be used in select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.
Rotating a Secret with a custom Lambda function
A rotation schedule can be added to a Secret using a custom Lambda function:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
fn = lambda.Function(...)
secret = secretsmanager.Secret(self, "Secret")
secret.add_rotation_schedule("RotationSchedule",
rotation_lambda=fn,
automatically_after=Duration.days(15)
)
See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.
Rotating database credentials
Define a SecretRotation
to rotate database credentials:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(self, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, # MySQL single user scheme
secret=my_secret,
target=my_database, # a Connectable
vpc=my_vpc
)
The secret must be a JSON string with the following format:
{
"engine": "<required: database engine>",
"host": "<required: instance host name>",
"username": "<required: username>",
"password": "<required: password>",
"dbname": "<optional: database name>",
"port": "<optional: if not specified, default port will be used>",
"masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}
For the multi user scheme, a masterSecret
must be specified:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(stack, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
secret=my_user_secret, # The secret that will be rotated
master_secret=my_master_secret, # The secret used for the rotation
target=my_database,
vpc=my_vpc
)
See also aws-rds where credentials generation and rotation is integrated.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-cdk.aws-secretsmanager-1.23.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 707d19166e6bf965c480f16ef7694a540c98a8b533754b8f9c5988d33ea49f56 |
|
MD5 | b9e49d5c69d58e6e7d65831674d5dad8 |
|
BLAKE2b-256 | 8889c2585ab2445e4b0fa8188d0bab98206a51d703b1782316aeec526d440b90 |
Hashes for aws_cdk.aws_secretsmanager-1.23.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 0fea9b6f9b0aceaca39596fd40fdbc7248adf5a2e281900488bafdcc75221a80 |
|
MD5 | f6014793bcdcc36e5fed19763beca0ab |
|
BLAKE2b-256 | 998b04058bad467bb61036832b81c07f9cdd9a474c8e17b977717168b05f6161 |