Class SecretValue
Work with secret values in the CDK.
Implements
Inherited Members
Namespace: Amazon.CDK
Assembly: Amazon.CDK.dll
Syntax (csharp)
public class SecretValue : Intrinsic, IResolvable
Syntax (vb)
Public Class SecretValue
Inherits Intrinsic
Implements IResolvable
Remarks
Constructs that need secrets will declare parameters of type SecretValue.
The actual values of these secrets should not be committed to your
repository, or even end up in the synthesized CloudFormation template. Instead, you should
store them in an external system like AWS Secrets Manager or SSM Parameter
Store, and you can reference them by calling SecretValue.secretsManager() or
SecretValue.ssmSecure().
You can use SecretValue.unsafePlainText() to construct a SecretValue from a
literal string, but doing so is highly discouraged.
To make sure secret values don't accidentally end up in readable parts
of your infrastructure definition (such as the environment variables
of an AWS Lambda Function, where everyone who can read the function
definition has access to the secret), using secret values directly is not
allowed. You must pass them to constructs that accept SecretValue
properties, which are guaranteed to use the value only in CloudFormation
properties that are write-only.
If you are sure that what you are doing is safe, you can call
secretValue.unsafeUnwrap() to access the protected string of the secret value.
(If you are writing something like an AWS Lambda Function and need to access
a secret inside it, make the API call to GetSecretValue directly inside
your Lambda's code, instead of using environment variables.)
ExampleMetadata: infused
Examples
// Read the secret from Secrets Manager
var pipeline = new Pipeline(this, "MyPipeline");
var sourceOutput = new Artifact();
var sourceAction = new GitHubSourceAction(new GitHubSourceActionProps {
    ActionName = "GitHub_Source",
    Owner = "awslabs",
    Repo = "aws-cdk",
    OauthToken = SecretValue.SecretsManager("my-github-token"),
    Output = sourceOutput,
    Branch = "develop"
});
pipeline.AddStage(new StageOptions {
    StageName = "Source",
    Actions = new [] { sourceAction }
});
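As an added example (not part of the CDK documentation or the CDK code base), this Python check walks a synthesized template and reports secret-bearing properties whose value is a literal string or a parameter without NoEcho, rather than a dynamic reference of the kind SecretValue.secretsManager() and SecretValue.ssmSecure() produce. The property-name list and the sample template are assumptions constructed for illustration.

```python
import re

# CloudFormation dynamic references to Secrets Manager / SSM SecureString values.
DYNAMIC_REF = re.compile(r"\{\{resolve:(?:secretsmanager|ssm-secure):[^{}]+\}\}")
# Assumption: property names treated as secret-bearing; extend for your own stacks.
SENSITIVE_KEYS = {"OAuthToken", "Password", "MasterUserPassword"}
REF = "\x00"  # stands in for a Ref / Fn::GetAtt, whose value is unknown until deploy

def render(value):
    """Flatten a property value to text, descending into Fn::Join, Fn::Sub and lists."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Ref" in value or "Fn::GetAtt" in value:
            return REF
        value = list(value.values())
    return "".join(render(v) for v in value) if isinstance(value, list) else ""

def classify(value, parameters):
    """Say how a secret-bearing property obtains its value in the template."""
    if isinstance(value, dict) and value.get("Ref") in parameters:
        no_echo = str(parameters[value["Ref"]].get("NoEcho")).lower()
        return "noecho-parameter" if no_echo == "true" else "plain-parameter"
    text = render(value)
    if DYNAMIC_REF.search(text):
        return "dynamic-reference"
    return "literal" if text.replace(REF, "") else "reference"

def audit(template):
    """Return (logical_id, property, kind) for values readable in the template."""
    findings = []
    def walk(node, logical_id):
        if isinstance(node, list):
            node = dict(enumerate(node))
        for key, value in node.items() if isinstance(node, dict) else ():
            if key in SENSITIVE_KEYS:
                kind = classify(value, template.get("Parameters", {}))
                if kind in ("literal", "plain-parameter"):
                    findings.append((logical_id, key, kind))
            else:
                walk(value, logical_id)
    for logical_id, resource in template.get("Resources", {}).items():
        walk(resource.get("Properties", {}), logical_id)
    return findings

# Constructed sample: a literal password next to an SSM SecureString dynamic reference.
SAMPLE = {"Resources": {
    "Bad": {"Properties": {"LoginProfile": {"Password": "constructed-literal"}}},
    "Good": {"Properties": {"Password": "{{resolve:ssm-secure:constructed-param:1}}"}}}}
```

Run `audit()` over each `*.template.json` under `cdk.out` after `cdk synth`; an empty list means no checked property carries a value readable from the template.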
Synopsis
Constructors
SecretValue(ByRefValue) | Used by jsii to construct an instance of this class from a Javascript-owned object reference |
SecretValue(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
SecretValue(Object, IIntrinsicProps) | Construct a SecretValue (do not use!). |
Methods
CfnDynamicReference(CfnDynamicReference) | Obtain the secret value through a CloudFormation dynamic reference. |
CfnParameter(CfnParameter) | Obtain the secret value through a CloudFormation parameter. |
IsSecretValue(Object) | Test whether an object is a SecretValue. |
PlainText(String) | (deprecated) Construct a literal secret value for use with secret-aware constructs. |
Resolve(IResolveContext) | Resolve the secret. |
ResourceAttribute(String) | Use a resource's output as secret value. |
SecretsManager(String, ISecretsManagerSecretOptions) | Creates a SecretValue with a value which is dynamically loaded from AWS Secrets Manager. |
SsmSecure(String, String) | Use a secret value stored from a Systems Manager (SSM) parameter. |
UnsafePlainText(String) | Construct a literal secret value for use with secret-aware constructs. |
UnsafeUnwrap() | Disable usage protection on this secret. |
Constructors
SecretValue(ByRefValue)
Used by jsii to construct an instance of this class from a Javascript-owned object reference
protected SecretValue(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The Javascript-owned object reference
SecretValue(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected SecretValue(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
SecretValue(Object, IIntrinsicProps)
Construct a SecretValue (do not use!).
public SecretValue(object protectedValue, IIntrinsicProps options = null)
Parameters
- protectedValue System.Object
- options IIntrinsicProps
Remarks
Do not use the constructor directly: use one of the factory functions on the class instead.
Methods
CfnDynamicReference(CfnDynamicReference)
Obtain the secret value through a CloudFormation dynamic reference.
public static SecretValue CfnDynamicReference(CfnDynamicReference ref)
Parameters
- ref CfnDynamicReference
The dynamic reference to use.
Returns
Remarks
If possible, use SecretValue.ssmSecure or SecretValue.secretsManager directly.
CfnParameter(CfnParameter)
Obtain the secret value through a CloudFormation parameter.
public static SecretValue CfnParameter(CfnParameter param)
Parameters
- param CfnParameter
The CloudFormation parameter to use.
Returns
Remarks
Generally, this is not a recommended approach. AWS Secrets Manager is the recommended way to reference secrets.
IsSecretValue(Object)
Test whether an object is a SecretValue.
public static bool IsSecretValue(object x)
Parameters
- x System.Object
Returns
System.Boolean
PlainText(String)
(deprecated) Construct a literal secret value for use with secret-aware constructs.
public static SecretValue PlainText(string secret)
Parameters
- secret System.String
Returns
Remarks
Do not use this method for any secrets that you care about! The value will be visible to anyone who has access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
The only reasonable use case for using this method is when you are testing.
Stability: Deprecated
Resolve(IResolveContext)
Resolve the secret.
public override object Resolve(IResolveContext context)
Parameters
- context IResolveContext
Returns
System.Object
Overrides
Remarks
If the feature flag is not set, resolve as normal. Otherwise, throw a descriptive error that the usage guard is missing.
ResourceAttribute(String)
Use a resource's output as secret value.
public static SecretValue ResourceAttribute(string attr)
Parameters
- attr System.String
Returns
SecretsManager(String, ISecretsManagerSecretOptions)
Creates a SecretValue with a value which is dynamically loaded from AWS Secrets Manager.
public static SecretValue SecretsManager(string secretId, ISecretsManagerSecretOptions options = null)
Parameters
- secretId System.String
The ID or ARN of the secret.
- options ISecretsManagerSecretOptions
Options.
Returns
SsmSecure(String, String)
Use a secret value stored from a Systems Manager (SSM) parameter.
public static SecretValue SsmSecure(string parameterName, string version = null)
Parameters
- parameterName System.String
The name of the parameter in the Systems Manager Parameter Store.
- version System.String
An integer that specifies the version of the parameter to use.
Returns
UnsafePlainText(String)
Construct a literal secret value for use with secret-aware constructs.
public static SecretValue UnsafePlainText(string secret)
Parameters
- secret System.String
Returns
Remarks
Do not use this method for any secrets that you care about! The value will be visible to anyone who has access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
The only reasonable use case for using this method is when you are testing.
UnsafeUnwrap()
Disable usage protection on this secret.
public virtual string UnsafeUnwrap()
Returns
System.String
Remarks
Call this to indicate that you want to use the secret value held by this object in an unchecked way. If you don't call this method, using the secret value directly in a string context or as a property value somewhere will produce an error.
This method has 'unsafe' in the name on purpose! Make sure that the construct property you are using the returned value in does not end up in a place in your AWS infrastructure where it could be read by anyone unexpected.
When in doubt, don't call this method and only pass the object to constructs that accept SecretValue parameters.