@Generated(value="jsii-pacmak/1.73.0 (build 6faeda3)", date="2023-01-31T18:36:45.221Z") public class SecretValue extends Intrinsic
Constructs that need secrets will declare parameters of type SecretValue
.
The actual values of these secrets should not be committed to your
repository, or even end up in the synthesized CloudFormation template. Instead, you should
store them in an external system like AWS Secrets Manager or SSM Parameter
Store, and you can reference them by calling SecretValue.secretsManager()
or
SecretValue.ssmSecure()
.
You can use SecretValue.unsafePlainText()
to construct a SecretValue
from a
literal string, but doing so is highly discouraged.
To make sure secret values don't accidentally end up in readable parts
of your infrastructure definition (such as the environment variables
of an AWS Lambda Function, where everyone who can read the function
definition has access to the secret), using secret values directly is not
allowed. You must pass them to constructs that accept SecretValue
properties, which are guaranteed to use the value only in CloudFormation
properties that are write-only.
If you are sure that what you are doing is safe, you can call
secretValue.unsafeUnwrap()
to access the protected string of the secret
value.
(If you are writing something like an AWS Lambda Function and need to access
a secret inside it, make the API call to GetSecretValue
directly inside
your Lamba's code, instead of using environment variables.)
Example:
// Read the secret from Secrets Manager Pipeline pipeline = new Pipeline(this, "MyPipeline"); Artifact sourceOutput = new Artifact(); GitHubSourceAction sourceAction = GitHubSourceAction.Builder.create() .actionName("GitHub_Source") .owner("awslabs") .repo("aws-cdk") .oauthToken(SecretValue.secretsManager("my-github-token")) .output(sourceOutput) .branch("develop") .build(); pipeline.addStage(StageOptions.builder() .stageName("Source") .actions(List.of(sourceAction)) .build());
Modifier and Type | Class and Description |
---|---|
static class |
SecretValue.Builder
A fluent builder for
SecretValue . |
IResolvable.Jsii$Default, IResolvable.Jsii$Proxy
Modifier | Constructor and Description |
---|---|
|
SecretValue(java.lang.Object protectedValue,
IntrinsicProps options)
Construct a SecretValue (do not use!).
|
protected |
SecretValue(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) |
protected |
SecretValue(software.amazon.jsii.JsiiObjectRef objRef) |
Modifier and Type | Method and Description |
---|---|
static SecretValue |
cfnDynamicReference(CfnDynamicReference ref)
Obtain the secret value through a CloudFormation dynamic reference.
|
static SecretValue |
cfnParameter(CfnParameter param)
Obtain the secret value through a CloudFormation parameter.
|
static java.lang.Boolean |
isSecretValue(java.lang.Object x)
Test whether an object is a SecretValue.
|
static SecretValue |
plainText(java.lang.String secret)
Deprecated.
Use `unsafePlainText()` instead.
|
java.lang.Object |
resolve(IResolveContext context)
Resolve the secret.
|
static SecretValue |
resourceAttribute(java.lang.String attr)
Use a resource's output as secret value.
|
static SecretValue |
secretsManager(java.lang.String secretId)
Creates a `SecretValue` with a value which is dynamically loaded from AWS Secrets Manager.
|
static SecretValue |
secretsManager(java.lang.String secretId,
SecretsManagerSecretOptions options)
Creates a `SecretValue` with a value which is dynamically loaded from AWS Secrets Manager.
|
static SecretValue |
ssmSecure(java.lang.String parameterName)
Use a secret value stored from a Systems Manager (SSM) parameter.
|
static SecretValue |
ssmSecure(java.lang.String parameterName,
java.lang.String version)
Use a secret value stored from a Systems Manager (SSM) parameter.
|
static SecretValue |
unsafePlainText(java.lang.String secret)
Construct a literal secret value for use with secret-aware constructs.
|
java.lang.String |
unsafeUnwrap()
Disable usage protection on this secret.
|
getCreationStack, newError, toJSON, toString
protected SecretValue(software.amazon.jsii.JsiiObjectRef objRef)
protected SecretValue(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public SecretValue(java.lang.Object protectedValue, IntrinsicProps options)
Do not use the constructor directly: use one of the factory functions on the class instead.
protectedValue
- This parameter is required.options
- public static SecretValue cfnDynamicReference(CfnDynamicReference ref)
If possible, use SecretValue.ssmSecure
or SecretValue.secretsManager
directly.
ref
- The dynamic reference to use. This parameter is required.public static SecretValue cfnParameter(CfnParameter param)
Generally, this is not a recommended approach. AWS Secrets Manager is the recommended way to reference secrets.
param
- The CloudFormation parameter to use. This parameter is required.public static java.lang.Boolean isSecretValue(java.lang.Object x)
x
- This parameter is required.@Deprecated public static SecretValue plainText(java.lang.String secret)
Do not use this method for any secrets that you care about! The value will be visible to anyone who has access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
The only reasonable use case for using this method is when you are testing.
secret
- This parameter is required.public static SecretValue resourceAttribute(java.lang.String attr)
attr
- This parameter is required.public static SecretValue secretsManager(java.lang.String secretId, SecretsManagerSecretOptions options)
secretId
- The ID or ARN of the secret. This parameter is required.options
- Options.public static SecretValue secretsManager(java.lang.String secretId)
secretId
- The ID or ARN of the secret. This parameter is required.public static SecretValue ssmSecure(java.lang.String parameterName, java.lang.String version)
parameterName
- The name of the parameter in the Systems Manager Parameter Store. This parameter is required.version
- An integer that specifies the version of the parameter to use.public static SecretValue ssmSecure(java.lang.String parameterName)
parameterName
- The name of the parameter in the Systems Manager Parameter Store. This parameter is required.public static SecretValue unsafePlainText(java.lang.String secret)
Do not use this method for any secrets that you care about! The value will be visible to anyone who has access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
The only reasonable use case for using this method is when you are testing.
secret
- This parameter is required.public java.lang.Object resolve(IResolveContext context)
If the feature flag is not set, resolve as normal. Otherwise, throw a descriptive error that the usage guard is missing.
resolve
in interface IResolvable
resolve
in class Intrinsic
context
- This parameter is required.public java.lang.String unsafeUnwrap()
Call this to indicate that you want to use the secret value held by this object in an unchecked way. If you don't call this method, using the secret value directly in a string context or as a property value somewhere will produce an error.
This method has 'unsafe' in the name on purpose! Make sure that the construct property you are using the returned value in is does not end up in a place in your AWS infrastructure where it could be read by anyone unexpected.
When in doubt, don't call this method and only pass the object to constructs that
accept SecretValue
parameters.