Secret

class aws_cdk.aws_ecs.Secret

Bases: object

A secret environment variable.

ExampleMetadata:

infused

Example:

# secret: secretsmanager.Secret
# db_secret: secretsmanager.Secret
# parameter: ssm.StringParameter
# task_definition: ecs.TaskDefinition
# s3_bucket: s3.Bucket


new_container = task_definition.add_container("container",
    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
    memory_limit_mi_b=1024,
    environment={ # clear text, not for sensitive data
        "STAGE": "prod"},
    environment_files=[ # list of environment files hosted either on local disk or S3
        ecs.EnvironmentFile.from_asset("./demo-env-file.env"),
        ecs.EnvironmentFile.from_bucket(s3_bucket, "assets/demo-env-file.env")],
    secrets={ # Retrieved from AWS Secrets Manager or AWS Systems Manager Parameter Store at container start-up.
        "SECRET": ecs.Secret.from_secrets_manager(secret),
        "DB_PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password"),  # Reference a specific JSON field, (requires platform version 1.4.0 or later for Fargate tasks)
        "API_KEY": ecs.Secret.from_secrets_manager_version(secret, ecs.SecretVersionInfo(version_id="12345"), "apiKey"),  # Reference a specific version of the secret by its version id or version stage (requires platform version 1.4.0 or later for Fargate tasks)
        "PARAMETER": ecs.Secret.from_ssm_parameter(parameter)}
)
new_container.add_environment("QUEUE_NAME", "MyQueue")

Methods

abstract grant_read(grantee)

Grants reading the secret to a principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

Attributes

arn

The ARN of the secret.

has_field

Whether this secret uses a specific JSON field.

Static Methods

classmethod from_secrets_manager(secret, field=None)

Creates a environment variable value from a secret stored in AWS Secrets Manager.

Parameters:
  • secret (ISecret) – the secret stored in AWS Secrets Manager.

  • field (Optional[str]) – the name of the field with the value that you want to set as the environment variable value. Only values in JSON format are supported. If you do not specify a JSON field, then the full content of the secret is used.

Return type:

Secret

classmethod from_secrets_manager_version(secret, version_info, field=None)

Creates a environment variable value from a secret stored in AWS Secrets Manager.

Parameters:
  • secret (ISecret) – the secret stored in AWS Secrets Manager.

  • version_info (Union[SecretVersionInfo, Dict[str, Any]]) – the version information to reference the secret.

  • field (Optional[str]) – the name of the field with the value that you want to set as the environment variable value. Only values in JSON format are supported. If you do not specify a JSON field, then the full content of the secret is used.

Return type:

Secret

classmethod from_ssm_parameter(parameter)

Creates an environment variable value from a parameter stored in AWS Systems Manager Parameter Store.

Parameters:

parameter (IParameter)

Return type:

Secret