Class CfnRotationSchedule.HostedRotationLambdaProperty
Creates a new Lambda rotation function based on one of the Secrets Manager rotation function templates.
Inheritance
Namespace: Amazon.CDK.AWS.SecretsManager
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class HostedRotationLambdaProperty : Object, CfnRotationSchedule.IHostedRotationLambdaProperty
Syntax (vb)
Public Class HostedRotationLambdaProperty
Inherits Object
Implements CfnRotationSchedule.IHostedRotationLambdaProperty
Remarks
You must specify Transform: AWS::SecretsManager-2024-09-16 at the beginning of the CloudFormation template.
For Amazon RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret.
For Amazon Redshift admin user credentials, see AWS::Redshift::Cluster.
Examples
    // The code below shows an example of how to instantiate this type.
    // The values are placeholders you should change.
    using Amazon.CDK.AWS.SecretsManager;

    // The type is nested in CfnRotationSchedule, so it is referenced through the outer class.
    var hostedRotationLambdaProperty = new CfnRotationSchedule.HostedRotationLambdaProperty {
        RotationType = "rotationType",

        // the properties below are optional
        ExcludeCharacters = "excludeCharacters",
        KmsKeyArn = "kmsKeyArn",
        MasterSecretArn = "masterSecretArn",
        MasterSecretKmsKeyArn = "masterSecretKmsKeyArn",
        RotationLambdaName = "rotationLambdaName",
        Runtime = "runtime",
        SuperuserSecretArn = "superuserSecretArn",
        SuperuserSecretKmsKeyArn = "superuserSecretKmsKeyArn",
        VpcSecurityGroupIds = "vpcSecurityGroupIds",
        VpcSubnetIds = "vpcSubnetIds"
    };
Synopsis
Constructors
HostedRotationLambdaProperty()
Properties
ExcludeCharacters | A string of the characters that you don't want in the password.
KmsKeyArn | The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
MasterSecretArn | The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
MasterSecretKmsKeyArn | The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager.
RotationLambdaName | The name of the Lambda rotation function.
RotationType | The rotation template to base the rotation function on, one of the following:
Runtime | Do not set this value if you are using Transform: AWS::SecretsManager-2024-09-16.
SuperuserSecretArn | The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property.
SuperuserSecretKmsKeyArn | The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager.
VpcSecurityGroupIds | A comma-separated list of security group IDs applied to the target database.
VpcSubnetIds | A comma-separated list of VPC subnet IDs of the target database network.
Constructors
HostedRotationLambdaProperty()
public HostedRotationLambdaProperty()
Properties
ExcludeCharacters
A string of the characters that you don't want in the password.
public string ExcludeCharacters { get; set; }
Property Value
System.String
KmsKeyArn
The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
public string KmsKeyArn { get; set; }
Property Value
System.String
Remarks
If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If aws/secretsmanager doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.
MasterSecretArn
The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.
public string MasterSecretArn { get; set; }
Property Value
System.String
Remarks
You must create the superuser secret before you can set this property.
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see JSON structure of Secrets Manager secrets.
You can specify MasterSecretArn or SuperuserSecretArn but not both. They represent the same superuser secret.
MasterSecretKmsKeyArn
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.
public string MasterSecretKmsKeyArn { get; set; }
Property Value
System.String
Remarks
You can specify MasterSecretKmsKeyArn or SuperuserSecretKmsKeyArn but not both. They represent the same superuser secret KMS key.
RotationLambdaName
The name of the Lambda rotation function.
public string RotationLambdaName { get; set; }
Property Value
System.String
RotationType
The rotation template to base the rotation function on, one of the following:
public string RotationType { get; set; }
Property Value
System.String
Runtime
Do not set this value if you are using Transform: AWS::SecretsManager-2024-09-16.
public string Runtime { get; set; }
Property Value
System.String
Remarks
Over time, the updated rotation lambda artifacts vended by AWS may not be compatible with the code or shared object files defined in the rotation function deployment package.
Only define the Runtime key if:
The Python runtime version for the rotation function. By default, CloudFormation deploys Python 3.9 binaries for the rotation function. To use a different version of Python, you must do the following two steps:
If you only do one of the steps, your rotation function will be incompatible with the binaries. For more information, see Why did my Lambda rotation function fail with a "pg module not found" error.
SuperuserSecretArn
The ARN of the secret that contains superuser credentials, if you use the Alternating users rotation strategy. CloudFormation grants the execution role for the Lambda rotation function GetSecretValue permission to the secret in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.
public string SuperuserSecretArn { get; set; }
Property Value
System.String
Remarks
You must create the superuser secret before you can set this property.
You must also include the superuser secret ARN as a key in the JSON of the rotating secret so that the Lambda rotation function can find it. CloudFormation does not hardcode secret ARNs in the Lambda rotation function, so you can use the function to rotate multiple secrets. For more information, see JSON structure of Secrets Manager secrets.
You can specify MasterSecretArn or SuperuserSecretArn but not both. They represent the same superuser secret.
SuperuserSecretKmsKeyArn
The ARN of the KMS key that Secrets Manager used to encrypt the superuser secret, if you use the alternating users strategy and the superuser secret is encrypted with a customer managed key. You don't need to specify this property if the superuser secret is encrypted using the key aws/secretsmanager. CloudFormation grants the execution role for the Lambda rotation function Decrypt, DescribeKey, and GenerateDataKey permission to the key in this property. For more information, see Lambda rotation function execution role permissions for Secrets Manager.
public string SuperuserSecretKmsKeyArn { get; set; }
Property Value
System.String
Remarks
You can specify MasterSecretKmsKeyArn or SuperuserSecretKmsKeyArn but not both. They represent the same superuser secret KMS key.
VpcSecurityGroupIds
A comma-separated list of security group IDs applied to the target database.
public string VpcSecurityGroupIds { get; set; }
Property Value
System.String
Remarks
The template applies the same security groups as on the Lambda rotation function that is created as part of this stack.
VpcSubnetIds
A comma-separated list of VPC subnet IDs of the target database network.
public string VpcSubnetIds { get; set; }
Property Value
System.String
Remarks
The Lambda rotation function is in the same subnet group.
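The following is an added example, not part of the AWS CDK reference or its generated fixture. It shows this type configured for the alternating users strategy while honouring the constraints in the Remarks above: the transform is declared, Runtime is left unset, only one alias of each superuser pair is set, and the rotating secret's JSON carries the superuser secret ARN. Assumptions: every ARN, ID, host name, construct name and the 30-day interval is a constructed placeholder; PostgreSQLMultiUser is one of the Secrets Manager rotation templates, and masterarn is the key name used in the AWS-documented secret JSON structure.

```csharp
using System.Collections.Generic;
using System.Text.Json;
using Amazon.CDK;
using Amazon.CDK.AWS.SecretsManager;
using Constructs;

// Added example; every ARN, ID, host name and construct ID is a constructed placeholder.
public class AppUserRotationStack : Stack
{
    public AppUserRotationStack(Construct scope, string id) : base(scope, id)
    {
        const string superuserSecretArn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:EXAMPLE-superuser";
        const string superuserKeyArn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID";
        // Required for hosted rotation; with this transform, Runtime stays unset.
        AddTransform("AWS::SecretsManager-2024-09-16");

        // The rotating secret names the superuser secret under "masterarn" (the key in
        // the AWS-documented secret JSON) so the rotation function can find it.
        var template = JsonSerializer.Serialize(new Dictionary<string, object>
        {
            ["engine"] = "postgres", ["host"] = "db.example.internal", ["port"] = 5432,
            ["dbname"] = "appdb", ["username"] = "app_user",
            ["masterarn"] = superuserSecretArn
        });
        var appSecret = new CfnSecret(this, "AppUserSecret", new CfnSecretProps
        {
            GenerateSecretString = new CfnSecret.GenerateSecretStringProperty
            {
                SecretStringTemplate = template,
                GenerateStringKey = "password",
                ExcludeCharacters = "\"@/\\"
            }
        });
        new CfnRotationSchedule(this, "AppUserRotation", new CfnRotationScheduleProps
        {
            SecretId = appSecret.Ref,
            RotationRules = new CfnRotationSchedule.RotationRulesProperty { AutomaticallyAfterDays = 30 },
            HostedRotationLambda = new CfnRotationSchedule.HostedRotationLambdaProperty
            {
                RotationType = "PostgreSQLMultiUser",
                ExcludeCharacters = "\"@/\\",
                // One alias from each pair only: the Master* twins stay unset.
                SuperuserSecretArn = superuserSecretArn,
                // Needed only because the superuser secret uses a customer managed key.
                SuperuserSecretKmsKeyArn = superuserKeyArn,
                VpcSecurityGroupIds = "sg-0123456789abcdef0",
                VpcSubnetIds = "subnet-0123456789abcdef0,subnet-0fedcba9876543210"
            }
        });
    }
}
```

Because CloudFormation grants the rotation function's execution role GetSecretValue on the superuser secret and Decrypt, DescribeKey and GenerateDataKey on its key, review which secrets share one superuser ARN before reusing this pattern across stacks.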