@Generated(value="jsii-pacmak/1.63.2 (build a8a8833)", date="2022-08-09T19:16:39.301Z") public class Secret extends Resource implements ISecret
Example:
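```java
import software.amazon.awscdk.services.iam.AccessKey;
import software.amazon.awscdk.services.iam.User;
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.amazon.awscdk.services.secretsmanager.SecretStringValueBeta1;

// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
User user = new User(this, "User");
AccessKey accessKey = AccessKey.Builder.create(this, "AccessKey").user(user).build();
// jsii exposes properties as getters in Java.
SecretStringValueBeta1 secretValue = SecretStringValueBeta1.fromToken(accessKey.getSecretAccessKey().toString());
Secret.Builder.create(this, "Secret")
        .secretStringBeta1(secretValue)
        .build();
```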
Modifier and Type | Class and Description |
---|---|
`static class` | `Secret.Builder` A fluent builder for `Secret`. |
ISecret.Jsii$Default, ISecret.Jsii$Proxy
Modifier | Constructor and Description |
---|---|
`protected` | `Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)` |
`protected` | `Secret(software.amazon.jsii.JsiiObjectRef objRef)` |
 | `Secret(software.constructs.Construct scope, java.lang.String id)` |
 | `Secret(software.constructs.Construct scope, java.lang.String id, SecretProps props)` |
Modifier and Type | Method and Description |
---|---|
`void` | `addReplicaRegion(java.lang.String region)` Adds a replica region for the secret. |
`void` | `addReplicaRegion(java.lang.String region, IKey encryptionKey)` Adds a replica region for the secret. |
`RotationSchedule` | `addRotationSchedule(java.lang.String id, RotationScheduleOptions options)` Adds a rotation schedule to the secret. |
`SecretTargetAttachment` | `addTargetAttachment(java.lang.String id, AttachedSecretOptions options)` Deprecated. use `attach()` instead |
`AddToResourcePolicyResult` | `addToResourcePolicy(PolicyStatement statement)` Adds a statement to the IAM resource policy associated with this secret. |
`ISecret` | `attach(ISecretAttachmentTarget target)` Attach a target to this secret. |
`void` | `denyAccountRootDelete()` Denies the `DeleteSecret` action to all principals within the current account. |
`static ISecret` | `fromSecretArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretArn)` Deprecated. use `fromSecretCompleteArn` or `fromSecretPartialArn` |
`static ISecret` | `fromSecretAttributes(software.constructs.Construct scope, java.lang.String id, SecretAttributes attrs)` Import an existing secret into the Stack. |
`static ISecret` | `fromSecretCompleteArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretCompleteArn)` Imports a secret by complete ARN. |
`static ISecret` | `fromSecretName(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName)` Deprecated. use `fromSecretNameV2` |
`static ISecret` | `fromSecretNameV2(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName)` Imports a secret by secret name. |
`static ISecret` | `fromSecretPartialArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretPartialArn)` Imports a secret by partial ARN. |
`protected java.lang.String` | `getArnForPolicies()` Provides an identifier for this secret for use in IAM policies. |
`protected java.lang.Boolean` | `getAutoCreatePolicy()` |
`IKey` | `getEncryptionKey()` The customer-managed encryption key that is used to encrypt this secret, if any. |
`java.lang.String` | `getSecretArn()` The ARN of the secret in AWS Secrets Manager. |
`java.lang.String` | `getSecretFullArn()` The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. |
`java.lang.String` | `getSecretName()` The name of the secret. |
`SecretValue` | `getSecretValue()` Retrieve the value of the stored secret as a `SecretValue`. |
`Grant` | `grantRead(IGrantable grantee)` Grants reading the secret value to some role. |
`Grant` | `grantRead(IGrantable grantee, java.util.List<java.lang.String> versionStages)` Grants reading the secret value to some role. |
`Grant` | `grantWrite(IGrantable grantee)` Grants writing and updating the secret value to some role. |
`SecretValue` | `secretValueFromJson(java.lang.String jsonField)` Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`. |
`protected java.util.List<java.lang.String>` | `validate()` Validate the current construct. |
applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
applyRemovalPolicy, getEnv, getStack
getNode
protected Secret(software.amazon.jsii.JsiiObjectRef objRef)
protected Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public Secret(software.constructs.Construct scope, java.lang.String id, SecretProps props)
scope - This parameter is required.
id - This parameter is required.
props -

public Secret(software.constructs.Construct scope, java.lang.String id)
scope - This parameter is required.
id - This parameter is required.

@Deprecated public static ISecret fromSecretArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretArn)
scope - This parameter is required.
id - This parameter is required.
secretArn - This parameter is required.

public static ISecret fromSecretAttributes(software.constructs.Construct scope, java.lang.String id, SecretAttributes attrs)
scope - the scope of the import. This parameter is required.
id - the ID of the imported Secret in the construct tree. This parameter is required.
attrs - the attributes of the imported secret. This parameter is required.

public static ISecret fromSecretCompleteArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretCompleteArn)
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
scope - This parameter is required.
id - This parameter is required.
secretCompleteArn - This parameter is required.

@Deprecated public static ISecret fromSecretName(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName)
The ARN of the Secret will be set to the secret name. A secret with this name must exist in the same account & region.
scope - This parameter is required.
id - This parameter is required.
secretName - This parameter is required.

public static ISecret fromSecretNameV2(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName)
A secret with this name must exist in the same account & region.
Replaces the deprecated `fromSecretName`.
scope - This parameter is required.
id - This parameter is required.
secretName - This parameter is required.

public static ISecret fromSecretPartialArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretPartialArn)
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
scope - This parameter is required.
id - This parameter is required.
secretPartialArn - This parameter is required.

public void addReplicaRegion(java.lang.String region, IKey encryptionKey)
region - The name of the region. This parameter is required.
encryptionKey - The customer-managed encryption key to use for encrypting the secret value.

public void addReplicaRegion(java.lang.String region)
region - The name of the region. This parameter is required.

public RotationSchedule addRotationSchedule(java.lang.String id, RotationScheduleOptions options)
addRotationSchedule
in interface ISecret
id - This parameter is required.
options - This parameter is required.

@Deprecated public SecretTargetAttachment addTargetAttachment(java.lang.String id, AttachedSecretOptions options)
id - This parameter is required.
options - This parameter is required.

public AddToResourcePolicyResult addToResourcePolicy(PolicyStatement statement)
If this secret was created in this stack, a resource policy will be automatically created upon the first call to `addToResourcePolicy`. If the secret is imported, then this is a no-op.
addToResourcePolicy
in interface ISecret
statement - This parameter is required.

public ISecret attach(ISecretAttachmentTarget target)

public void denyAccountRootDelete()
denyAccountRootDelete
in interface ISecret

public Grant grantRead(IGrantable grantee, java.util.List<java.lang.String> versionStages)

public Grant grantRead(IGrantable grantee)

public Grant grantWrite(IGrantable grantee)
grantWrite
in interface ISecret
grantee - This parameter is required.

public SecretValue secretValueFromJson(java.lang.String jsonField)
secretValueFromJson
in interface ISecret
jsonField - This parameter is required.

protected java.util.List<java.lang.String> validate()
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.
protected java.lang.String getArnForPolicies()
If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.
protected java.lang.Boolean getAutoCreatePolicy()
public java.lang.String getSecretArn()
Will return the full ARN if available, otherwise a partial ARN.
For secrets imported by the deprecated `fromSecretName`, it will return the `secretName`.
getSecretArn
in interface ISecret
public java.lang.String getSecretName()
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
getSecretName
in interface ISecret
public SecretValue getSecretValue()
getSecretValue
in interface ISecret
public IKey getEncryptionKey()
When not specified, the default KMS key for the account and region is used.
getEncryptionKey
in interface ISecret
public java.lang.String getSecretFullArn()
This is equal to `secretArn` in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
getSecretFullArn
in interface ISecret
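
The following is an added example, not code from the CDK documentation or project. It combines the customer-managed key, `grantRead` with version stages, `denyAccountRootDelete()` and `addToResourcePolicy` described above, and turns the documented no-op on imported secrets into a synthesis failure. The class `HardenedSecrets`, its methods and the caller-supplied `guard` statement are hypothetical names.

```java
import java.util.List;
import software.amazon.awscdk.services.iam.AddToResourcePolicyResult;
import software.amazon.awscdk.services.iam.IGrantable;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.kms.Key;
import software.amazon.awscdk.services.secretsmanager.ISecret;
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.constructs.Construct;

/** Hypothetical helper class; not part of the CDK. */
public final class HardenedSecrets {
    private HardenedSecrets() {}

    /** Creates an owned secret with a customer-managed key and narrow access. */
    public static Secret create(Construct scope, String id, IGrantable reader,
                                PolicyStatement guard) {
        // Customer-managed key instead of the account's default KMS key.
        Key key = Key.Builder.create(scope, id + "Key")
                .enableKeyRotation(true)
                .build();
        Secret secret = Secret.Builder.create(scope, id)
                .encryptionKey(key)
                .build();

        // Read access limited to the current version stage only.
        secret.grantRead(reader, List.of("AWSCURRENT"));
        // Deny DeleteSecret to all principals within the current account.
        secret.denyAccountRootDelete();
        requireStatement(secret, guard);
        return secret;
    }

    /**
     * Adds a resource policy statement and fails synthesis if it was dropped.
     * On imported secrets addToResourcePolicy is a no-op, so a deny statement
     * would otherwise be lost without any error.
     */
    public static void requireStatement(ISecret secret, PolicyStatement guard) {
        AddToResourcePolicyResult result = secret.addToResourcePolicy(guard);
        if (!Boolean.TRUE.equals(result.getStatementAdded())) {
            throw new IllegalStateException(
                "Resource policy statement not applied to " + secret.getNode().getPath()
                + "; manage the policy in the stack that owns the secret.");
        }
    }
}
```

Calling `requireStatement` on the result of `fromSecretNameV2` or `fromSecretCompleteArn` throws, which surfaces a policy that would otherwise never reach the deployed secret.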