class Secret (construct)

Language	Type name
.NET	`Amazon.CDK.AWS.SecretsManager.Secret`
Go	`github.com/aws/aws-cdk-go/awscdk/v2/awssecretsmanager#Secret`
Java	`software.amazon.awscdk.services.secretsmanager.Secret`
Python	`aws_cdk.aws_secretsmanager.Secret`
TypeScript (source)	`aws-cdk-lib` » `aws_secretsmanager` » `Secret`

Implements IConstruct, IDependable, IResource, ISecret

Creates a new secret in AWS SecretsManager.

Example

const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
declare const stack: Stack;

new secretsmanager.Secret(this, 'Secret', {
  secretObjectValue: {
    username: SecretValue.unsafePlainText(user.userName),
    database: SecretValue.unsafePlainText('foo'),
    password: accessKey.secretAccessKey,
  },
})

Initializer

new Secret(scope: Construct, id: string, props?: SecretProps)

Parameters

scope Construct
id string
props SecretProps

Construct Props

Name	Type	Description
description?	`string`	An optional, human-friendly description of the secret.
encryptionKey?	`IKey`	The customer-managed encryption key to use for encrypting the secret value.
generateSecretString?	`SecretStringGenerator`	Configuration for how to generate a secret value.
removalPolicy?	`RemovalPolicy`	Policy to apply when the secret is removed from this stack.
replicaRegions?	`ReplicaRegion[]`	A list of regions where to replicate this secret.
secretName?	`string`	A name for the secret.
secretObjectValue?	`{ [string]:` `SecretValue` `}`	Initial value for a JSON secret.
secretStringBeta1?⚠️	`SecretStringValueBeta1`	Initial value for the secret.
secretStringValue?	`SecretValue`	Initial value for the secret.

description?

Type: string (optional, default: No description.)

An optional, human-friendly description of the secret.

encryptionKey?

Type: IKey (optional, default: A default KMS key for the account and region is used.)

The customer-managed encryption key to use for encrypting the secret value.

generateSecretString?

Type: SecretStringGenerator (optional, default: 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each category), per the default values of SecretStringGenerator.)

Configuration for how to generate a secret value.

Only one of secretString and generateSecretString can be provided.

removalPolicy?

Type: RemovalPolicy (optional, default: Not set.)

Policy to apply when the secret is removed from this stack.

replicaRegions?

Type: ReplicaRegion[] (optional, default: Secret is not replicated)

A list of regions where to replicate this secret.

secretName?

Type: string (optional, default: A name is generated by CloudFormation.)

A name for the secret.

Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.

secretObjectValue?

Type: { [string]: SecretValue } (optional, default: SecretsManager generates a new secret value.)

Initial value for a JSON secret.

NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies a JSON object that you want to encrypt and store in this new version of the secret. To specify a simple string value instead, use SecretProps.secretStringValue

Only one of secretStringBeta1, secretStringValue, 'secretObjectValue', and generateSecretString can be provided. Example

declare const user: iam.User;
declare const accessKey: iam.AccessKey;
declare const stack: Stack;
new secretsmanager.Secret(stack, 'JSONSecret', {
  secretObjectValue: {
    username: SecretValue.unsafePlainText(user.userName), // intrinsic reference, not exposed as plaintext
    database: SecretValue.unsafePlainText('foo'), // rendered as plain text, but not a secret
    password: accessKey.secretAccessKey, // SecretValue
  },
});

secretStringBeta1?⚠️

⚠️ Deprecated: Use secretStringValue instead.

Type: SecretStringValueBeta1 (optional, default: SecretsManager generates a new secret value.)

Initial value for the secret.

NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.

Only one of secretStringBeta1, secretStringValue, and generateSecretString can be provided.

secretStringValue?

Type: SecretValue (optional, default: SecretsManager generates a new secret value.)

Initial value for the secret.

Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value. To provide a string representation of JSON structure, use SecretProps.secretObjectValue instead.

Only one of secretStringBeta1, secretStringValue, 'secretObjectValue', and generateSecretString can be provided.

Properties

Name	Type	Description
arnForPolicies	`string`	Provides an identifier for this secret for use in IAM policies.
autoCreatePolicy	`boolean`
env	`ResourceEnvironment`	The environment this resource belongs to.
node	`Node`	The tree node.
secretArn	`string`	The ARN of the secret in AWS Secrets Manager.
secretName	`string`	The name of the secret.
secretValue	`SecretValue`	Retrieve the value of the stored secret as a `SecretValue`.
stack	`Stack`	The stack in which this resource is defined.
encryptionKey?	`IKey`	The customer-managed encryption key that is used to encrypt this secret, if any.
excludeCharacters?	`string`	The string of the characters that are excluded in this secret when it is generated.
secretFullArn?	`string`	The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

arnForPolicies

Type: string

Provides an identifier for this secret for use in IAM policies.

If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.

autoCreatePolicy

Type: boolean

env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

node

Type: Node

The tree node.

secretArn

Type: string

The ARN of the secret in AWS Secrets Manager.

Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

secretName

Type: string

The name of the secret.

For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

secretValue

Type: SecretValue

Retrieve the value of the stored secret as a SecretValue.

stack

Type: Stack

The stack in which this resource is defined.

encryptionKey?

Type: IKey (optional)

The customer-managed encryption key that is used to encrypt this secret, if any.

When not specified, the default KMS key for the account and region is being used.

excludeCharacters?

Type: string (optional)

The string of the characters that are excluded in this secret when it is generated.

secretFullArn?

Type: string (optional)

The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

Methods

Name	Description
addReplicaRegion(region, encryptionKey?)	Adds a replica region for the secret.
addRotationSchedule(id, options)	Adds a rotation schedule to the secret.
addToResourcePolicy(statement)	Adds a statement to the IAM resource policy associated with this secret.
applyRemovalPolicy(policy)	Apply the given removal policy to this resource.
attach(target)	Attach a target to this secret.
denyAccountRootDelete()	Denies the `DeleteSecret` action to all principals within the current account.
grantRead(grantee, versionStages?)	Grants reading the secret value to some role.
grantWrite(grantee)	Grants writing and updating the secret value to some role.
secretValueFromJson(jsonField)	Interpret the secret as a JSON object and return a field's value from it as a `SecretValue`.
toString()	Returns a string representation of this construct.
static fromSecretAttributes(scope, id, attrs)	Import an existing secret into the Stack.
static fromSecretCompleteArn(scope, id, secretCompleteArn)	Imports a secret by complete ARN.
static fromSecretNameV2(scope, id, secretName)	Imports a secret by secret name.
static fromSecretPartialArn(scope, id, secretPartialArn)	Imports a secret by partial ARN.
static isSecret(x)	Return whether the given object is a Secret.

addReplicaRegion(region, encryptionKey?)

public addReplicaRegion(region: string, encryptionKey?: IKey): void

Parameters

region string — The name of the region.
encryptionKey IKey — The customer-managed encryption key to use for encrypting the secret value.

Adds a replica region for the secret.

addRotationSchedule(id, options)

public addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule

Parameters

id string
options RotationScheduleOptions

Returns

RotationSchedule

Adds a rotation schedule to the secret.

addToResourcePolicy(statement)

public addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult

Parameters

statement PolicyStatement

Returns

AddToResourcePolicyResult

Adds a statement to the IAM resource policy associated with this secret.

If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

attach(target)

public attach(target: ISecretAttachmentTarget): ISecret

Parameters

target ISecretAttachmentTarget — The target to attach.

Returns

ISecret

Attach a target to this secret.

denyAccountRootDelete()

public denyAccountRootDelete(): void

Denies the DeleteSecret action to all principals within the current account.

grantRead(grantee, versionStages?)

public grantRead(grantee: IGrantable, versionStages?: string[]): Grant

Parameters

grantee IGrantable
versionStages string[]

Returns

Grant

Grants reading the secret value to some role.

grantWrite(grantee)

public grantWrite(grantee: IGrantable): Grant

Parameters

grantee IGrantable

Returns

Grant

Grants writing and updating the secret value to some role.

secretValueFromJson(jsonField)

public secretValueFromJson(jsonField: string): SecretValue

Parameters

jsonField string

Returns

SecretValue

Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

toString()

public toString(): string

Returns

string

Returns a string representation of this construct.

static fromSecretAttributes(scope, id, attrs)

public static fromSecretAttributes(scope: Construct, id: string, attrs: SecretAttributes): ISecret

Parameters

scope Construct — the scope of the import.
id string — the ID of the imported Secret in the construct tree.
attrs SecretAttributes — the attributes of the imported secret.

Returns

ISecret

Import an existing secret into the Stack.

static fromSecretCompleteArn(scope, id, secretCompleteArn)

public static fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string): ISecret

Parameters

scope Construct
id string
secretCompleteArn string

Returns

ISecret

Imports a secret by complete ARN.

The complete ARN is the ARN with the Secrets Manager-supplied suffix.

static fromSecretNameV2(scope, id, secretName)

public static fromSecretNameV2(scope: Construct, id: string, secretName: string): ISecret

Parameters

scope Construct
id string
secretName string

Returns

ISecret

Imports a secret by secret name.

A secret with this name must exist in the same account & region. Replaces the deprecated fromSecretName. Please note this method returns ISecret that only contains partial ARN and could lead to AccessDeniedException when you pass the partial ARN to CLI or SDK to get the secret value. If your secret name ends with a hyphen and 6 characters, you should always use fromSecretCompleteArn() to avoid potential AccessDeniedException.

static fromSecretPartialArn(scope, id, secretPartialArn)

public static fromSecretPartialArn(scope: Construct, id: string, secretPartialArn: string): ISecret

Parameters

scope Construct
id string
secretPartialArn string

Returns

ISecret

Imports a secret by partial ARN.

The partial ARN is the ARN without the Secrets Manager-supplied suffix.

static isSecret(x)

public static isSecret(x: any): boolean

Parameters

x any

Returns

boolean

Return whether the given object is a Secret.