The CDK Construct Library for AWS::SecretsManager
Project description
AWS Secrets Manager Construct Library
---
# Example automatically generated. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_secretsmanager as secretsmanager
Create a new Secret in a Stack
In order to have SecretsManager generate a new secret value automatically, you can get started with the following:
# Example automatically generated. See https://github.com/aws/jsii/issues/826
# Default secret
secret = secretsmanager.Secret(self, "Secret")
secret.grant_read(role)
iam.User(self, "User",
password=secret.secret_value
)
# Templated secret
templated_secret = secretsmanager.Secret(self, "TemplatedSecret",
generate_secret_string=SecretStringGenerator(
secret_string_template=JSON.stringify(username="user"),
generate_string_key="password"
)
)
iam.User(self, "OtherUser",
user_name=templated_secret.secret_value_from_json("username").to_string(),
password=templated_secret.secret_value_from_json("password")
)
The Secret construct does not allow specifying the SecretString property
of the AWS::SecretsManager::Secret resource (as this will almost always
lead to the secret being surfaced in plain text and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS SecretsManager and use the Secret.fromSecretArn
or Secret.fromSecretAttributes method to make it available in your CDK Application:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
secret = secretsmanager.Secret.from_secret_attributes(scope, "ImportedSecret",
secret_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>",
# If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
encryption_key=encryption_key
)
SecretsManager secret values can only be used in select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.
A secret can set RemovalPolicy. If it set to RETAIN, that removing a secret will fail.
Grant permission to use the secret to a role
You must grant permission to a resource for that resource to be allowed to
use a secret. This can be achieved with the Secret.grantRead and/or Secret.grantUpdate
method, depending on your need:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
role = iam.Role(stack, "SomeRole", assumed_by=iam.AccountRootPrincipal())
secret = secretsmanager.Secret(stack, "Secret")
secret.grant_read(role)
secret.grant_write(role)
If, as in the following example, your secret was created with a KMS key:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
key = kms.Key(stack, "KMS")
secret = secretsmanager.Secret(stack, "Secret", encryption_key=key)
secret.grant_read(role)
secret.grant_write(role)
then Secret.grantRead and Secret.grantWrite will also grant the role the
relevant encrypt and decrypt permissions to the KMS key through the
SecretsManager service principal.
Rotating a Secret with a custom Lambda function
A rotation schedule can be added to a Secret using a custom Lambda function:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
fn = lambda.Function(...)
secret = secretsmanager.Secret(self, "Secret")
secret.add_rotation_schedule("RotationSchedule",
rotation_lambda=fn,
automatically_after=Duration.days(15)
)
See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.
Rotating database credentials
Define a SecretRotation to rotate database credentials:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(self, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, # MySQL single user scheme
secret=my_secret,
target=my_database, # a Connectable
vpc=my_vpc
)
The secret must be a JSON string with the following format:
{
"engine": "<required: database engine>",
"host": "<required: instance host name>",
"username": "<required: username>",
"password": "<required: password>",
"dbname": "<optional: database name>",
"port": "<optional: if not specified, default port will be used>",
"masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}
For the multi user scheme, a masterSecret must be specified:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(stack, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
secret=my_user_secret, # The secret that will be rotated
master_secret=my_master_secret, # The secret used for the rotation
target=my_database,
vpc=my_vpc
)
See also aws-rds where credentials generation and rotation is integrated.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-cdk.aws-secretsmanager-1.60.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c749fd45c9e56fb100db22db2b4f95898036c0f35a747c4f6f2ef53da7699bb9 |
|
| MD5 | 056acb8bdbbe6462151cbdeeac9b9e39 |
|
| BLAKE2b-256 | 2cd846bee1611944fce0788716eab5be99ac699f61d67128ee7c1a9f6afdd125 |
Hashes for aws_cdk.aws_secretsmanager-1.60.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ed79c2d919f8372b78e57d83d0937dcd6ecdef69a098aca5baf1faddd85f42d8 |
|
| MD5 | 973906ac042a612445bb82cfbd16577e |
|
| BLAKE2b-256 | d324955200793ef3697609b2e92a2035e218bc8609cf7f3a3ea7333320b90c68 |
