software.amazon.awscdk.services.secretsmanager

Class Secret

java.lang.Object

software.constructs.Construct

software.amazon.awscdk.core.Construct

software.amazon.awscdk.core.Resource

software.amazon.awscdk.services.secretsmanager.Secret

All Implemented Interfaces:

IConstruct, IDependable, IResource, ISecret

Direct Known Subclasses:

DatabaseSecret, DatabaseSecret, DatabaseSecret

@Generated(value="jsii-pacmak/1.63.2 (build a8a8833)",
           date="2022-08-09T19:16:39.301Z")
public class Secret
extends Resource
implements ISecret

Creates a new secret in AWS SecretsManager.

Example:

 // Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
 User user = new User(this, "User");
 AccessKey accessKey = AccessKey.Builder.create(this, "AccessKey").user(user).build();
 SecretStringValueBeta1 secretValue = SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());
 Secret.Builder.create(this, "Secret")
         .secretStringBeta1(secretValue)
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Secret.Builder A fluent builder for Secret.

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.secretsmanager.ISecret

ISecret.Jsii$Default, ISecret.Jsii$Proxy

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	Secret(software.amazon.jsii.JsiiObjectRef objRef)
	Secret(software.constructs.Construct scope, java.lang.String id)
	Secret(software.constructs.Construct scope, java.lang.String id, SecretProps props)

Method Summary

Modifier and Type	Method and Description
void	addReplicaRegion(java.lang.String region) Adds a replica region for the secret.
void	addReplicaRegion(java.lang.String region, IKey encryptionKey) Adds a replica region for the secret.
RotationSchedule	addRotationSchedule(java.lang.String id, RotationScheduleOptions options) Adds a rotation schedule to the secret.
SecretTargetAttachment	addTargetAttachment(java.lang.String id, AttachedSecretOptions options) Deprecated. use `attach()` instead
AddToResourcePolicyResult	addToResourcePolicy(PolicyStatement statement) Adds a statement to the IAM resource policy associated with this secret.
ISecret	attach(ISecretAttachmentTarget target) Attach a target to this secret.
void	denyAccountRootDelete() Denies the `DeleteSecret` action to all principals within the current account.
static ISecret	fromSecretArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretArn) Deprecated. use `fromSecretCompleteArn` or `fromSecretPartialArn`
static ISecret	fromSecretAttributes(software.constructs.Construct scope, java.lang.String id, SecretAttributes attrs) Import an existing secret into the Stack.
static ISecret	fromSecretCompleteArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretCompleteArn) Imports a secret by complete ARN.
static ISecret	fromSecretName(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName) Deprecated. use `fromSecretNameV2`
static ISecret	fromSecretNameV2(software.constructs.Construct scope, java.lang.String id, java.lang.String secretName) Imports a secret by secret name.
static ISecret	fromSecretPartialArn(software.constructs.Construct scope, java.lang.String id, java.lang.String secretPartialArn) Imports a secret by partial ARN.
protected java.lang.String	getArnForPolicies() Provides an identifier for this secret for use in IAM policies.
protected java.lang.Boolean	getAutoCreatePolicy()
IKey	getEncryptionKey() The customer-managed encryption key that is used to encrypt this secret, if any.
java.lang.String	getSecretArn() The ARN of the secret in AWS Secrets Manager.
java.lang.String	getSecretFullArn() The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
java.lang.String	getSecretName() The name of the secret.
SecretValue	getSecretValue() Retrieve the value of the stored secret as a `SecretValue`.
Grant	grantRead(IGrantable grantee) Grants reading the secret value to some role.
Grant	grantRead(IGrantable grantee, java.util.List<java.lang.String> versionStages) Grants reading the secret value to some role.
Grant	grantWrite(IGrantable grantee) Grants writing and updating the secret value to some role.
SecretValue	secretValueFromJson(java.lang.String jsonField) Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
protected java.util.List<java.lang.String>	validate() Validate the current construct.

Methods inherited from class software.amazon.awscdk.core.Resource

applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource

Methods inherited from class software.amazon.awscdk.core.Construct

getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface software.amazon.awscdk.core.IResource

applyRemovalPolicy, getEnv, getStack

Methods inherited from interface software.amazon.awscdk.core.IConstruct

getNode

Constructor Detail

Secret

protected Secret(software.amazon.jsii.JsiiObjectRef objRef)

Secret

protected Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

Secret

public Secret(software.constructs.Construct scope,
              java.lang.String id,
              SecretProps props)

Parameters:

scope - This parameter is required.

id - This parameter is required.

props -

Secret

public Secret(software.constructs.Construct scope,
              java.lang.String id)

Parameters:

scope - This parameter is required.

id - This parameter is required.

Method Detail

fromSecretArn

@Deprecated
public static ISecret fromSecretArn(software.constructs.Construct scope,
                                                java.lang.String id,
                                                java.lang.String secretArn)

Deprecated. use `fromSecretCompleteArn` or `fromSecretPartialArn`

Parameters:

scope - This parameter is required.

id - This parameter is required.

secretArn - This parameter is required.

fromSecretAttributes

public static ISecret fromSecretAttributes(software.constructs.Construct scope,
                                           java.lang.String id,
                                           SecretAttributes attrs)

Import an existing secret into the Stack.

Parameters:

scope - the scope of the import. This parameter is required.

id - the ID of the imported Secret in the construct tree. This parameter is required.

attrs - the attributes of the imported secret. This parameter is required.

fromSecretCompleteArn

public static ISecret fromSecretCompleteArn(software.constructs.Construct scope,
                                            java.lang.String id,
                                            java.lang.String secretCompleteArn)

Imports a secret by complete ARN.

The complete ARN is the ARN with the Secrets Manager-supplied suffix.

Parameters:

scope - This parameter is required.

id - This parameter is required.

secretCompleteArn - This parameter is required.

fromSecretName

@Deprecated
public static ISecret fromSecretName(software.constructs.Construct scope,
                                                 java.lang.String id,
                                                 java.lang.String secretName)

Deprecated. use `fromSecretNameV2`

(deprecated) Imports a secret by secret name;

the ARN of the Secret will be set to the secret name. A secret with this name must exist in the same account & region.

Parameters:

scope - This parameter is required.

id - This parameter is required.

secretName - This parameter is required.

fromSecretNameV2

public static ISecret fromSecretNameV2(software.constructs.Construct scope,
                                       java.lang.String id,
                                       java.lang.String secretName)

Imports a secret by secret name.

A secret with this name must exist in the same account & region. Replaces the deprecated fromSecretName.

Parameters:

scope - This parameter is required.

id - This parameter is required.

secretName - This parameter is required.

fromSecretPartialArn

public static ISecret fromSecretPartialArn(software.constructs.Construct scope,
                                           java.lang.String id,
                                           java.lang.String secretPartialArn)

Imports a secret by partial ARN.

The partial ARN is the ARN without the Secrets Manager-supplied suffix.

Parameters:

scope - This parameter is required.

id - This parameter is required.

secretPartialArn - This parameter is required.

addReplicaRegion

public void addReplicaRegion(java.lang.String region,
                             IKey encryptionKey)

Adds a replica region for the secret.

Parameters:

region - The name of the region. This parameter is required.

encryptionKey - The customer-managed encryption key to use for encrypting the secret value.

addReplicaRegion

public void addReplicaRegion(java.lang.String region)

Adds a replica region for the secret.

Parameters:

region - The name of the region. This parameter is required.

addRotationSchedule

public RotationSchedule addRotationSchedule(java.lang.String id,
                                            RotationScheduleOptions options)

Adds a rotation schedule to the secret.

Specified by:

addRotationSchedule in interface ISecret

Parameters:

id - This parameter is required.

options - This parameter is required.

addTargetAttachment

@Deprecated
public SecretTargetAttachment addTargetAttachment(java.lang.String id,
                                                              AttachedSecretOptions options)

Deprecated. use `attach()` instead

(deprecated) Adds a target attachment to the secret.

Parameters:

id - This parameter is required.

options - This parameter is required.

Returns:

an AttachedSecret

addToResourcePolicy

public AddToResourcePolicyResult addToResourcePolicy(PolicyStatement statement)

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

Specified by:

addToResourcePolicy in interface ISecret

Parameters:

statement - This parameter is required.

attach

public ISecret attach(ISecretAttachmentTarget target)

Attach a target to this secret.

Specified by:

attach in interface ISecret

Parameters:

target - The target to attach. This parameter is required.

Returns:

An attached secret

denyAccountRootDelete

public void denyAccountRootDelete()

Denies the `DeleteSecret` action to all principals within the current account.

Specified by:

denyAccountRootDelete in interface ISecret

grantRead

public Grant grantRead(IGrantable grantee,
                       java.util.List<java.lang.String> versionStages)

Grants reading the secret value to some role.

Specified by:

grantRead in interface ISecret

Parameters:

grantee - This parameter is required.

versionStages -

grantRead

public Grant grantRead(IGrantable grantee)

Grants reading the secret value to some role.

Specified by:

grantRead in interface ISecret

Parameters:

grantee - This parameter is required.

grantWrite

public Grant grantWrite(IGrantable grantee)

Grants writing and updating the secret value to some role.

Specified by:

grantWrite in interface ISecret

Parameters:

grantee - This parameter is required.

secretValueFromJson

public SecretValue secretValueFromJson(java.lang.String jsonField)

Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.

Specified by:

secretValueFromJson in interface ISecret

Parameters:

jsonField - This parameter is required.

validate

protected java.util.List<java.lang.String> validate()

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Overrides:

validate in class Construct

Returns:

An array of validation error messages, or an empty array if the construct is valid.

getArnForPolicies

protected java.lang.String getArnForPolicies()

Provides an identifier for this secret for use in IAM policies.

If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.

getAutoCreatePolicy

protected java.lang.Boolean getAutoCreatePolicy()

getSecretArn

public java.lang.String getSecretArn()

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

Specified by:

getSecretArn in interface ISecret

getSecretName

public java.lang.String getSecretName()

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

Specified by:

getSecretName in interface ISecret

getSecretValue

public SecretValue getSecretValue()

Retrieve the value of the stored secret as a `SecretValue`.

Specified by:

getSecretValue in interface ISecret

getEncryptionKey

public IKey getEncryptionKey()

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

Specified by:

getEncryptionKey in interface ISecret

getSecretFullArn

public java.lang.String getSecretFullArn()

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

Specified by:

getSecretFullArn in interface ISecret