Interface ISecretProps
The properties required to create a new secret in AWS Secrets Manager.
Namespace: Amazon.CDK.AWS.SecretsManager
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public interface ISecretProps
Syntax (vb)
Public Interface ISecretProps
Remarks
ExampleMetadata: infused
Examples
Stack stack;
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });
new Secret(this, "Secret", new SecretProps {
SecretObjectValue = new Dictionary<string, SecretValue> {
{ "username", SecretValue.UnsafePlainText(user.UserName) },
{ "database", SecretValue.UnsafePlainText("foo") },
{ "password", accessKey.SecretAccessKey }
}
});
Synopsis
Properties
Description | An optional, human-friendly description of the secret. |
EncryptionKey | The customer-managed encryption key to use for encrypting the secret value. |
GenerateSecretString | Configuration for how to generate a secret value. |
RemovalPolicy | Policy to apply when the secret is removed from this stack. |
ReplicaRegions | A list of regions where to replicate this secret. |
SecretName | A name for the secret. |
SecretObjectValue | Initial value for a JSON secret. |
SecretStringBeta1 | (deprecated) Initial value for the secret. |
SecretStringValue | Initial value for the secret. |
Properties
Description
An optional, human-friendly description of the secret.
virtual string Description { get; }
Property Value
System.String
Remarks
Default: - No description.
EncryptionKey
The customer-managed encryption key to use for encrypting the secret value.
virtual IKey EncryptionKey { get; }
Property Value
Remarks
Default: - A default KMS key for the account and region is used.
GenerateSecretString
Configuration for how to generate a secret value.
virtual ISecretStringGenerator GenerateSecretString { get; }
Property Value
Remarks
Only one of secretString
and generateSecretString
can be provided.
Default: - 32 characters with upper-case letters, lower-case letters, punctuation and numbers (at least one from each
category), per the default values of SecretStringGenerator
.
RemovalPolicy
Policy to apply when the secret is removed from this stack.
virtual Nullable<RemovalPolicy> RemovalPolicy { get; }
Property Value
System.Nullable<RemovalPolicy>
Remarks
Default: - Not set.
ReplicaRegions
A list of regions where to replicate this secret.
virtual IReplicaRegion[] ReplicaRegions { get; }
Property Value
Remarks
Default: - Secret is not replicated
SecretName
A name for the secret.
virtual string SecretName { get; }
Property Value
System.String
Remarks
Note that deleting secrets from SecretsManager does not happen immediately, but after a 7 to 30 days blackout period. During that period, it is not possible to create another secret that shares the same name.
Default: - A name is generated by CloudFormation.
SecretObjectValue
Initial value for a JSON secret.
virtual IDictionary<string, SecretValue> SecretObjectValue { get; }
Property Value
System.Collections.Generic.IDictionary<System.String, SecretValue>
Remarks
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret object -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies a JSON object that you want to encrypt and store in this new version of the secret.
To specify a simple string value instead, use SecretProps.secretStringValue
Only one of secretStringBeta1
, secretStringValue
, 'secretObjectValue', and generateSecretString
can be provided.
Default: - SecretsManager generates a new secret value.
Examples
User user;
AccessKey accessKey;
Stack stack;
new Secret(stack, "JSONSecret", new SecretProps {
SecretObjectValue = new Dictionary<string, SecretValue> {
{ "username", SecretValue.UnsafePlainText(user.UserName) }, // intrinsic reference, not exposed as plaintext
{ "database", SecretValue.UnsafePlainText("foo") }, // rendered as plain text, but not a secret
{ "password", accessKey.SecretAccessKey }
}
});
SecretStringBeta1
(deprecated) Initial value for the secret.
virtual SecretStringValueBeta1 SecretStringBeta1 { get; }
Property Value
Remarks
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret. May be a simple string value, or a string representation of a JSON structure.
Only one of secretStringBeta1
, secretStringValue
, and generateSecretString
can be provided.
Default: - SecretsManager generates a new secret value.
Stability: Deprecated
SecretStringValue
Initial value for the secret.
virtual SecretValue SecretStringValue { get; }
Property Value
Remarks
NOTE: *It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
Specifies text data that you want to encrypt and store in this new version of the secret.
May be a simple string value. To provide a string representation of JSON structure, use SecretProps.secretObjectValue
instead.
Only one of secretStringBeta1
, secretStringValue
, 'secretObjectValue', and generateSecretString
can be provided.
Default: - SecretsManager generates a new secret value.