java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.Resource
software.amazon.awscdk.services.secretsmanager.Secret
All Implemented Interfaces:
IResource, ISecret, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
Direct Known Subclasses:
DatabaseSecret, DatabaseSecret, DatabaseSecret

@Generated(value="jsii-pacmak/1.97.0 (build 729de35)", date="2024-04-24T21:00:37.351Z") @Stability(Stable) public class Secret extends Resource implements ISecret
Creates a new secret in AWS Secrets Manager.

Example:

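 Stack stack;
 // `this` is assumed to be the enclosing construct, for example the Stack subclass holding this code.
 User user = new User(this, "User");
 AccessKey accessKey = AccessKey.Builder.create(this, "AccessKey").user(user).build();
 Secret.Builder.create(this, "Secret")
         .secretObjectValue(Map.of(
                 // unsafePlainText values are readable in the synthesized template: non-sensitive fields only.
                 "username", SecretValue.unsafePlainText(user.getUserName()),
                 "database", SecretValue.unsafePlainText("foo"),
                 // getSecretAccessKey() already returns a SecretValue, so no literal key appears in this code.
                 "password", accessKey.getSecretAccessKey()))
         .build();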
 
  • Constructor Details

    • Secret

      protected Secret(software.amazon.jsii.JsiiObjectRef objRef)
    • Secret

      protected Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • Secret

      @Stability(Stable) public Secret(@NotNull software.constructs.Construct scope, @NotNull String id, @Nullable SecretProps props)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      props -
    • Secret

      @Stability(Stable) public Secret(@NotNull software.constructs.Construct scope, @NotNull String id)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
  • Method Details

    • fromSecretAttributes

      @Stability(Stable) @NotNull public static ISecret fromSecretAttributes(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull SecretAttributes attrs)
      Import an existing secret into the Stack.

      Parameters:
      scope - the scope of the import. This parameter is required.
      id - the ID of the imported Secret in the construct tree. This parameter is required.
      attrs - the attributes of the imported secret. This parameter is required.
    • fromSecretCompleteArn

      @Stability(Stable) @NotNull public static ISecret fromSecretCompleteArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretCompleteArn)
      Imports a secret by complete ARN.

      The complete ARN is the ARN with the Secrets Manager-supplied suffix.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretCompleteArn - This parameter is required.
    • fromSecretNameV2

      @Stability(Stable) @NotNull public static ISecret fromSecretNameV2(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretName)
      Imports a secret by secret name.

      A secret with this name must exist in the same account & region. Replaces the deprecated fromSecretName. Note that this method returns an ISecret that contains only a partial ARN, which can lead to an AccessDeniedException when you pass the partial ARN to the CLI or SDK to get the secret value. If your secret name ends with a hyphen and 6 characters, always use fromSecretCompleteArn() to avoid a potential AccessDeniedException.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretName - This parameter is required.
    • fromSecretPartialArn

      @Stability(Stable) @NotNull public static ISecret fromSecretPartialArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretPartialArn)
      Imports a secret by partial ARN.

      The partial ARN is the ARN without the Secrets Manager-supplied suffix.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretPartialArn - This parameter is required.
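
The choice between fromSecretNameV2 and fromSecretCompleteArn described above, as an added example (not taken from the CDK documentation). The helper `importSecret`, the account ID, region, secret names and suffix are constructed placeholders, and the alphanumeric suffix pattern is an assumption.

```java
import java.util.List;
import java.util.regex.Pattern;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
import software.amazon.awscdk.services.secretsmanager.ISecret;
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.constructs.Construct;

public class ImportSecretExample {
    // A name ending in a hyphen plus 6 characters looks like a complete ARN's suffix.
    // Assumption: the 6 characters are treated as alphanumeric here.
    static final Pattern SUFFIX_LIKE = Pattern.compile("-[A-Za-z0-9]{6}$");

    // Hypothetical helper: prefer the complete ARN, refuse ambiguous names.
    static ISecret importSecret(Construct scope, String id, String name, String completeArn) {
        if (completeArn != null) {
            return Secret.fromSecretCompleteArn(scope, id, completeArn);
        }
        if (SUFFIX_LIKE.matcher(name).find()) {
            throw new IllegalArgumentException(
                    "'" + name + "' ends like an ARN suffix; pass the complete ARN instead");
        }
        return Secret.fromSecretNameV2(scope, id, name);
    }

    public static void main(String[] args) {
        App app = new App();
        Stack stack = new Stack(app, "ImportSecretStack");
        Role reader = Role.Builder.create(stack, "Reader")
                .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
                .build();

        // Constructed placeholders: "app/db-prod01" ends in a hyphen plus 6 characters.
        ISecret db = importSecret(stack, "Db", "app/db-prod01",
                "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/db-prod01-AbCdEf");
        ISecret api = importSecret(stack, "Api", "app/api-key", null);

        // Grant read access to the current version only.
        db.grantRead(reader, List.of("AWSCURRENT"));
        api.grantRead(reader, List.of("AWSCURRENT"));

        // An import by name carries only a partial ARN, so it has no full ARN for the SDK or CLI.
        System.out.println("db full ARN:  " + db.getSecretFullArn());
        System.out.println("api full ARN: " + api.getSecretFullArn());
        app.synth();
    }
}
```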
    • isSecret

      @Stability(Stable) @NotNull public static Boolean isSecret(@NotNull Object x)
      Return whether the given object is a Secret.

      Parameters:
      x - This parameter is required.
    • addReplicaRegion

      @Stability(Stable) public void addReplicaRegion(@NotNull String region, @Nullable IKey encryptionKey)
      Adds a replica region for the secret.

      Parameters:
      region - The name of the region. This parameter is required.
      encryptionKey - The customer-managed encryption key to use for encrypting the secret value.
    • addReplicaRegion

      @Stability(Stable) public void addReplicaRegion(@NotNull String region)
      Adds a replica region for the secret.

      Parameters:
      region - The name of the region. This parameter is required.
    • addRotationSchedule

      @Stability(Stable) @NotNull public RotationSchedule addRotationSchedule(@NotNull String id, @NotNull RotationScheduleOptions options)
      Adds a rotation schedule to the secret.

      Specified by:
      addRotationSchedule in interface ISecret
      Parameters:
      id - This parameter is required.
      options - This parameter is required.
    • addToResourcePolicy

      @Stability(Stable) @NotNull public AddToResourcePolicyResult addToResourcePolicy(@NotNull PolicyStatement statement)
      Adds a statement to the IAM resource policy associated with this secret.

      If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

      Specified by:
      addToResourcePolicy in interface ISecret
      Parameters:
      statement - This parameter is required.
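
The owned-versus-imported behaviour described above, as an added example (not taken from the CDK documentation): a deny statement added to an imported secret is dropped without an error, so the returned result is checked. The helper names, the secret name and the sample policy statement are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.iam.AnyPrincipal;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.secretsmanager.ISecret;
import software.amazon.awscdk.services.secretsmanager.Secret;

public class ResourcePolicyExample {
    // Sample statement: deny reading the value to principals outside the stack's account.
    static PolicyStatement denyCrossAccountRead(Stack stack) {
        return PolicyStatement.Builder.create()
                .effect(Effect.DENY)
                .principals(List.of(new AnyPrincipal()))
                .actions(List.of("secretsmanager:GetSecretValue"))
                .resources(List.of("*"))
                .conditions(Map.of("StringNotEquals",
                        Map.of("aws:PrincipalAccount", stack.getAccount())))
                .build();
    }

    // Hypothetical guard: true only when the statement landed in a resource policy.
    static boolean applied(ISecret secret, PolicyStatement statement) {
        return Boolean.TRUE.equals(secret.addToResourcePolicy(statement).getStatementAdded());
    }

    public static void main(String[] args) {
        App app = new App();
        Stack stack = new Stack(app, "ResourcePolicyStack");

        // Owned secret: the first call creates the resource policy.
        Secret owned = new Secret(stack, "Owned");
        // Imported secret (constructed name): the call is a no-op.
        ISecret imported = Secret.fromSecretNameV2(stack, "Imported", "app/api-key");

        for (ISecret secret : List.<ISecret>of(owned, imported)) {
            if (!applied(secret, denyCrossAccountRead(stack))) {
                // Surface the gap: the deny must be set where the secret is defined.
                System.err.println("No resource policy written for " + secret.getNode().getPath());
            }
        }
        app.synth();
    }
}
```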
    • attach

      @Stability(Stable) @NotNull public ISecret attach(@NotNull ISecretAttachmentTarget target)
      Attach a target to this secret.

      Specified by:
      attach in interface ISecret
      Parameters:
      target - The target to attach. This parameter is required.
      Returns:
      An attached secret
    • denyAccountRootDelete

      @Stability(Stable) public void denyAccountRootDelete()
      Denies the DeleteSecret action to all principals within the current account.
      Specified by:
      denyAccountRootDelete in interface ISecret
    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee, @Nullable List<String> versionStages)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.
      versionStages -
    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.
    • grantWrite

      @Stability(Stable) @NotNull public Grant grantWrite(@NotNull IGrantable grantee)
      Grants writing and updating the secret value to some role.

      Specified by:
      grantWrite in interface ISecret
      Parameters:
      grantee - This parameter is required.
    • secretValueFromJson

      @Stability(Stable) @NotNull public SecretValue secretValueFromJson(@NotNull String jsonField)
      Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

      Specified by:
      secretValueFromJson in interface ISecret
      Parameters:
      jsonField - This parameter is required.
    • getArnForPolicies

      @Stability(Stable) @NotNull protected String getArnForPolicies()
      Provides an identifier for this secret for use in IAM policies.

      If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.

    • getAutoCreatePolicy

      @Stability(Stable) @NotNull protected Boolean getAutoCreatePolicy()
    • getSecretArn

      @Stability(Stable) @NotNull public String getSecretArn()
      The ARN of the secret in AWS Secrets Manager.

      Returns the full ARN if available, otherwise a partial ARN. For secrets imported by the deprecated fromSecretName, it returns the secretName.

      Specified by:
      getSecretArn in interface ISecret
    • getSecretName

      @Stability(Stable) @NotNull public String getSecretName()
      The name of the secret.

      For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

      Specified by:
      getSecretName in interface ISecret
    • getSecretValue

      @Stability(Stable) @NotNull public SecretValue getSecretValue()
      Retrieve the value of the stored secret as a SecretValue.
      Specified by:
      getSecretValue in interface ISecret
    • getEncryptionKey

      @Stability(Stable) @Nullable public IKey getEncryptionKey()
      The customer-managed encryption key that is used to encrypt this secret, if any.

      When not specified, the default KMS key for the account and region is used.

      Specified by:
      getEncryptionKey in interface ISecret
    • getExcludeCharacters

      @Stability(Stable) @Nullable public String getExcludeCharacters()
      The string of the characters that are excluded in this secret when it is generated.
    • getSecretFullArn

      @Stability(Stable) @Nullable public String getSecretFullArn()
      The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

      This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

      Specified by:
      getSecretFullArn in interface ISecret