Class Secret
Creates a new secret in AWS SecretsManager.
Inherited Members
Namespace: Amazon.CDK.AWS.SecretsManager
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class Secret : Resource, ISecret, IResource
Syntax (vb)
Public Class Secret
Inherits Resource
Implements ISecret, IResource
Examples
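Stack stack;
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });

// UnsafePlainText values are written into the synthesized template in clear text,
// so it is used here only for the non-sensitive fields.
new Secret(this, "Secret", new SecretProps {
    SecretObjectValue = new Dictionary<string, SecretValue> {
        { "username", SecretValue.UnsafePlainText(user.UserName) },
        { "database", SecretValue.UnsafePlainText("foo") },
        // The access key secret is already a SecretValue and is passed through as one.
        { "password", accessKey.SecretAccessKey }
    }
});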
Synopsis
Constructors
Secret(ByRefValue) | Used by jsii to construct an instance of this class from a JavaScript-owned object reference |
Secret(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
Secret(Construct, String, ISecretProps) |
Properties
ArnForPolicies | Provides an identifier for this secret for use in IAM policies. |
AutoCreatePolicy | |
EncryptionKey | The customer-managed encryption key that is used to encrypt this secret, if any. |
ExcludeCharacters | The string of the characters that are excluded in this secret when it is generated. |
SecretArn | The ARN of the secret in AWS Secrets Manager. |
SecretFullArn | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. |
SecretName | The name of the secret. |
SecretValue | Retrieve the value of the stored secret as a SecretValue. |
Methods
AddReplicaRegion(String, IKey) | Adds a replica region for the secret. |
AddRotationSchedule(String, IRotationScheduleOptions) | Adds a rotation schedule to the secret. |
AddToResourcePolicy(PolicyStatement) | Adds a statement to the IAM resource policy associated with this secret. |
Attach(ISecretAttachmentTarget) | Attach a target to this secret. |
DenyAccountRootDelete() | Denies the DeleteSecret action to all principals within the current account. |
FromSecretAttributes(Construct, String, ISecretAttributes) | Import an existing secret into the Stack. |
FromSecretCompleteArn(Construct, String, String) | Imports a secret by complete ARN. |
FromSecretNameV2(Construct, String, String) | Imports a secret by secret name. |
FromSecretPartialArn(Construct, String, String) | Imports a secret by partial ARN. |
GrantRead(IGrantable, String[]) | Grants reading the secret value to some role. |
GrantWrite(IGrantable) | Grants writing and updating the secret value to some role. |
IsSecret(Object) | Return whether the given object is a Secret. |
SecretValueFromJson(String) | Interpret the secret as a JSON object and return a field's value from it as a SecretValue. |
Constructors
Secret(ByRefValue)
Used by jsii to construct an instance of this class from a JavaScript-owned object reference
protected Secret(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The JavaScript-owned object reference
Secret(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected Secret(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
Secret(Construct, String, ISecretProps)
public Secret(Construct scope, string id, ISecretProps props = null)
Parameters
- scope Constructs.Construct
- id System.String
- props ISecretProps
Properties
ArnForPolicies
Provides an identifier for this secret for use in IAM policies.
protected virtual string ArnForPolicies { get; }
Property Value
System.String
Remarks
If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.
AutoCreatePolicy
protected virtual bool AutoCreatePolicy { get; }
Property Value
System.Boolean
EncryptionKey
The customer-managed encryption key that is used to encrypt this secret, if any.
public virtual IKey EncryptionKey { get; }
Property Value
Remarks
When not specified, the default KMS key for the account and region is used.
ExcludeCharacters
The string of the characters that are excluded in this secret when it is generated.
public virtual string ExcludeCharacters { get; }
Property Value
System.String
SecretArn
The ARN of the secret in AWS Secrets Manager.
public virtual string SecretArn { get; }
Property Value
System.String
Remarks
Will return the full ARN if available, otherwise a partial ARN.
For secrets imported by the deprecated fromSecretName, it will return the secretName.
SecretFullArn
The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
public virtual string SecretFullArn { get; }
Property Value
System.String
Remarks
This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
SecretName
The name of the secret.
public virtual string SecretName { get; }
Property Value
System.String
Remarks
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
SecretValue
Retrieve the value of the stored secret as a SecretValue.
public virtual SecretValue SecretValue { get; }
Property Value
Methods
AddReplicaRegion(String, IKey)
Adds a replica region for the secret.
public virtual void AddReplicaRegion(string region, IKey encryptionKey = null)
Parameters
- region System.String
The name of the region.
- encryptionKey IKey
The customer-managed encryption key to use for encrypting the secret value.
AddRotationSchedule(String, IRotationScheduleOptions)
Adds a rotation schedule to the secret.
public virtual RotationSchedule AddRotationSchedule(string id, IRotationScheduleOptions options)
Parameters
- id System.String
- options IRotationScheduleOptions
Returns
AddToResourcePolicy(PolicyStatement)
Adds a statement to the IAM resource policy associated with this secret.
public virtual IAddToResourcePolicyResult AddToResourcePolicy(PolicyStatement statement)
Parameters
- statement PolicyStatement
Returns
Remarks
If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.
Attach(ISecretAttachmentTarget)
Attach a target to this secret.
public virtual ISecret Attach(ISecretAttachmentTarget target)
Parameters
- target ISecretAttachmentTarget
The target to attach.
Returns
An attached secret
DenyAccountRootDelete()
Denies the DeleteSecret action to all principals within the current account.
public virtual void DenyAccountRootDelete()
FromSecretAttributes(Construct, String, ISecretAttributes)
Import an existing secret into the Stack.
public static ISecret FromSecretAttributes(Construct scope, string id, ISecretAttributes attrs)
Parameters
- scope Constructs.Construct
the scope of the import.
- id System.String
the ID of the imported Secret in the construct tree.
- attrs ISecretAttributes
the attributes of the imported secret.
Returns
FromSecretCompleteArn(Construct, String, String)
Imports a secret by complete ARN.
public static ISecret FromSecretCompleteArn(Construct scope, string id, string secretCompleteArn)
Parameters
- scope Constructs.Construct
- id System.String
- secretCompleteArn System.String
Returns
Remarks
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
FromSecretNameV2(Construct, String, String)
Imports a secret by secret name.
public static ISecret FromSecretNameV2(Construct scope, string id, string secretName)
Parameters
- scope Constructs.Construct
- id System.String
- secretName System.String
Returns
Remarks
A secret with this name must exist in the same account & region.
Replaces the deprecated fromSecretName.
Please note this method returns an ISecret that contains only a partial ARN, which could lead to an AccessDeniedException when you pass the partial ARN to the CLI or SDK to get the secret value. If your secret name ends with a hyphen and 6 characters, you should always use fromSecretCompleteArn() to avoid a potential AccessDeniedException.
See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
FromSecretPartialArn(Construct, String, String)
Imports a secret by partial ARN.
public static ISecret FromSecretPartialArn(Construct scope, string id, string secretPartialArn)
Parameters
- scope Constructs.Construct
- id System.String
- secretPartialArn System.String
Returns
Remarks
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
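The three import methods side by side, as an added example that is not part of the CDK documentation, showing when the complete ARN is the safer choice. The stack, construct IDs, role principal, account ID, region, secret names and ARN suffix are constructed values.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.SecretsManager;
using Constructs;

// Added example; account ID, region, secret names and the ARN suffix are constructed.
public class ImportedSecretsStack : Stack
{
    public ImportedSecretsStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        var role = new Role(this, "AppRole", new RoleProps {
            AssumedBy = new ServicePrincipal("ecs-tasks.amazonaws.com")
        });

        // Import by name: only a partial ARN is known, so SecretFullArn is undefined
        // and the grant's policy resource is the partial ARN plus a wildcard suffix
        // (see ArnForPolicies).
        var byName = Secret.FromSecretNameV2(this, "ByName", "prod/app/db");
        byName.GrantRead(role);

        // Import by partial ARN: same limitation, but account and region are explicit.
        var byPartialArn = Secret.FromSecretPartialArn(this, "ByPartialArn",
            "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/cache");
        byPartialArn.GrantRead(role);

        // The secret name "prod/app/report-a1b2c3" ends with a hyphen and 6 characters,
        // so a partial ARN for it is ambiguous. Import it by complete ARN, which
        // includes the Secrets Manager-supplied suffix ("-Xy9ZpQ" here, constructed).
        var byCompleteArn = Secret.FromSecretCompleteArn(this, "ByCompleteArn",
            "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/report-a1b2c3-Xy9ZpQ");
        byCompleteArn.GrantRead(role);

        // Only the complete-ARN import has a full ARN to hand to the CLI or an SDK.
        new CfnOutput(this, "ReportSecretArn", new CfnOutputProps {
            Value = byCompleteArn.SecretFullArn
        });
    }
}
```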
GrantRead(IGrantable, String[])
Grants reading the secret value to some role.
public virtual Grant GrantRead(IGrantable grantee, string[] versionStages = null)
Parameters
- grantee IGrantable
- versionStages System.String[]
Returns
GrantWrite(IGrantable)
Grants writing and updating the secret value to some role.
public virtual Grant GrantWrite(IGrantable grantee)
Parameters
- grantee IGrantable
Returns
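Several members documented on this page combined into one least-privilege secret, as an added example that is not part of the CDK documentation: a customer-managed key, a generated password, read access limited to one version stage, a separate writer, and deletion denied. The stack, construct IDs, role principals, JSON template and replica region are assumptions.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.KMS;
using Amazon.CDK.AWS.SecretsManager;
using Constructs;

// Added example; all names, principals and regions are assumptions.
public class HardenedSecretStack : Stack
{
    public HardenedSecretStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Customer-managed key instead of the default KMS key for the account and region.
        var key = new Key(this, "SecretKey", new KeyProps { EnableKeyRotation = true });

        // Secrets Manager generates the password, so no plaintext lands in the template.
        var secret = new Secret(this, "DbSecret", new SecretProps {
            EncryptionKey = key,
            GenerateSecretString = new SecretStringGenerator {
                SecretStringTemplate = "{\"username\":\"app\"}",
                GenerateStringKey = "password",
                ExcludeCharacters = "\"@/\\ '",
                PasswordLength = 32
            }
        });

        var reader = new Role(this, "ReaderRole", new RoleProps {
            AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
        });
        var writer = new Role(this, "WriterRole", new RoleProps {
            AssumedBy = new ServicePrincipal("lambda.amazonaws.com")
        });

        // The reader may fetch only the AWSCURRENT version; the writer may update
        // the value but is not granted read access.
        secret.GrantRead(reader, new[] { "AWSCURRENT" });
        secret.GrantWrite(writer);

        // Resource policy statement denying DeleteSecret to principals in this account.
        secret.DenyAccountRootDelete();

        // Replica in a second region; no encryptionKey argument is passed here.
        secret.AddReplicaRegion("us-west-2");
    }
}
```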
IsSecret(Object)
Return whether the given object is a Secret.
public static bool IsSecret(object x)
Parameters
- x System.Object
Returns
System.Boolean
SecretValueFromJson(String)
Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
public virtual SecretValue SecretValueFromJson(string jsonField)
Parameters
- jsonField System.String
Returns