Class Secret
Creates a new secret in AWS SecretsManager.
Inherited Members
Namespace: Amazon.CDK.AWS.SecretsManager
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class Secret : Resource, ISecret, IResource, IConstruct, IDependableSyntax (vb)
Public Class Secret Inherits Resource Implements ISecret, IResource, IConstruct, IDependableRemarks
ExampleMetadata: infused
Examples
Stack stack;
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });
new Secret(this, "Secret", new SecretProps {
SecretObjectValue = new Dictionary<string, SecretValue> {
{ "username", SecretValue.UnsafePlainText(user.UserName) },
{ "database", SecretValue.UnsafePlainText("foo") },
{ "password", accessKey.SecretAccessKey }
}
});Synopsis
Constructors
| Secret(Construct, string, ISecretProps?) | Creates a new secret in AWS SecretsManager. |
Properties
| ArnForPolicies | Provides an identifier for this secret for use in IAM policies. |
| AutoCreatePolicy | Creates a new secret in AWS SecretsManager. |
| EncryptionKey | The customer-managed encryption key that is used to encrypt this secret, if any. |
| ExcludeCharacters | The string of the characters that are excluded in this secret when it is generated. |
| PROPERTY_INJECTION_ID | Uniquely identifies this class. |
| SecretArn | The ARN of the secret in AWS Secrets Manager. |
| SecretFullArn | The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix. |
| SecretName | The name of the secret. |
| SecretValue | Retrieve the value of the stored secret as a |
Methods
| AddReplicaRegion(string, IKey?) | Adds a replica region for the secret. |
| AddRotationSchedule(string, IRotationScheduleOptions) | Adds a rotation schedule to the secret. |
| AddToResourcePolicy(PolicyStatement) | Adds a statement to the IAM resource policy associated with this secret. |
| Attach(ISecretAttachmentTarget) | Attach a target to this secret. |
| DenyAccountRootDelete() | Denies the |
| FromSecretAttributes(Construct, string, ISecretAttributes) | Import an existing secret into the Stack. |
| FromSecretCompleteArn(Construct, string, string) | Imports a secret by complete ARN. |
| FromSecretNameV2(Construct, string, string) | Imports a secret by secret name. |
| FromSecretPartialArn(Construct, string, string) | Imports a secret by partial ARN. |
| GrantRead(IGrantable, string[]?) | Grants reading the secret value to some role. |
| GrantWrite(IGrantable) | Grants writing and updating the secret value to some role. |
| IsSecret(object) | Return whether the given object is a Secret. |
| SecretValueFromJson(string) | Interpret the secret as a JSON object and return a field's value from it as a |
Constructors
Secret(Construct, string, ISecretProps?)
Creates a new secret in AWS SecretsManager.
public Secret(Construct scope, string id, ISecretProps? props = null)Parameters
- scope Construct
- id string
- props ISecretProps
Remarks
ExampleMetadata: infused
Examples
Stack stack;
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });
new Secret(this, "Secret", new SecretProps {
SecretObjectValue = new Dictionary<string, SecretValue> {
{ "username", SecretValue.UnsafePlainText(user.UserName) },
{ "database", SecretValue.UnsafePlainText("foo") },
{ "password", accessKey.SecretAccessKey }
}
});Properties
ArnForPolicies
Provides an identifier for this secret for use in IAM policies.
protected virtual string ArnForPolicies { get; }Property Value
Remarks
If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.
AutoCreatePolicy
Creates a new secret in AWS SecretsManager.
protected virtual bool AutoCreatePolicy { get; }Property Value
Remarks
ExampleMetadata: infused
Examples
Stack stack;
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });
new Secret(this, "Secret", new SecretProps {
SecretObjectValue = new Dictionary<string, SecretValue> {
{ "username", SecretValue.UnsafePlainText(user.UserName) },
{ "database", SecretValue.UnsafePlainText("foo") },
{ "password", accessKey.SecretAccessKey }
}
});EncryptionKey
The customer-managed encryption key that is used to encrypt this secret, if any.
public virtual IKey? EncryptionKey { get; }Property Value
Remarks
When not specified, the default KMS key for the account and region is being used.
ExcludeCharacters
The string of the characters that are excluded in this secret when it is generated.
public virtual string? ExcludeCharacters { get; }Property Value
Remarks
ExampleMetadata: infused
PROPERTY_INJECTION_ID
Uniquely identifies this class.
public static string PROPERTY_INJECTION_ID { get; }Property Value
Remarks
ExampleMetadata: infused
SecretArn
The ARN of the secret in AWS Secrets Manager.
public virtual string SecretArn { get; }Property Value
Remarks
Will return the full ARN if available, otherwise a partial arn.
For secrets imported by the deprecated fromSecretName, it will return the secretName.
SecretFullArn
The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
public virtual string? SecretFullArn { get; }Property Value
Remarks
This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
SecretName
The name of the secret.
public virtual string SecretName { get; }Property Value
Remarks
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
SecretValue
Retrieve the value of the stored secret as a SecretValue.
public virtual SecretValue SecretValue { get; }Property Value
Remarks
ExampleMetadata: infused
Methods
AddReplicaRegion(string, IKey?)
Adds a replica region for the secret.
public virtual void AddReplicaRegion(string region, IKey? encryptionKey = null)Parameters
- region string
The name of the region.
- encryptionKey IKey
The customer-managed encryption key to use for encrypting the secret value.
Remarks
ExampleMetadata: infused
AddRotationSchedule(string, IRotationScheduleOptions)
Adds a rotation schedule to the secret.
public virtual RotationSchedule AddRotationSchedule(string id, IRotationScheduleOptions options)Parameters
- id string
- options IRotationScheduleOptions
Returns
Remarks
ExampleMetadata: infused
AddToResourcePolicy(PolicyStatement)
Adds a statement to the IAM resource policy associated with this secret.
public virtual IAddToResourcePolicyResult AddToResourcePolicy(PolicyStatement statement)Parameters
- statement PolicyStatement
Returns
Remarks
If this secret was created in this stack, a resource policy will be
automatically created upon the first call to addToResourcePolicy. If
the secret is imported, then this is a no-op.
Attach(ISecretAttachmentTarget)
Attach a target to this secret.
public virtual ISecret Attach(ISecretAttachmentTarget target)Parameters
- target ISecretAttachmentTarget
The target to attach.
Returns
An attached secret
Remarks
ExampleMetadata: infused
DenyAccountRootDelete()
Denies the DeleteSecret action to all principals within the current account.
public virtual void DenyAccountRootDelete()Remarks
ExampleMetadata: infused
FromSecretAttributes(Construct, string, ISecretAttributes)
Import an existing secret into the Stack.
public static ISecret FromSecretAttributes(Construct scope, string id, ISecretAttributes attrs)Parameters
- scope Construct
the scope of the import.
- id string
the ID of the imported Secret in the construct tree.
- attrs ISecretAttributes
the attributes of the imported secret.
Returns
Remarks
ExampleMetadata: infused
FromSecretCompleteArn(Construct, string, string)
Imports a secret by complete ARN.
public static ISecret FromSecretCompleteArn(Construct scope, string id, string secretCompleteArn)Parameters
Returns
Remarks
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
FromSecretNameV2(Construct, string, string)
Imports a secret by secret name.
public static ISecret FromSecretNameV2(Construct scope, string id, string secretName)Parameters
Returns
Remarks
A secret with this name must exist in the same account & region.
Replaces the deprecated fromSecretName.
Please note this method returns ISecret that only contains partial ARN and could lead to AccessDeniedException
when you pass the partial ARN to CLI or SDK to get the secret value. If your secret name ends with a hyphen and
6 characters, you should always use fromSecretCompleteArn() to avoid potential AccessDeniedException.
See: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
FromSecretPartialArn(Construct, string, string)
Imports a secret by partial ARN.
public static ISecret FromSecretPartialArn(Construct scope, string id, string secretPartialArn)Parameters
Returns
Remarks
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
GrantRead(IGrantable, string[]?)
Grants reading the secret value to some role.
public virtual Grant GrantRead(IGrantable grantee, string[]? versionStages = null)Parameters
- grantee IGrantable
- versionStages string[]
Returns
Remarks
ExampleMetadata: infused
GrantWrite(IGrantable)
Grants writing and updating the secret value to some role.
public virtual Grant GrantWrite(IGrantable grantee)Parameters
- grantee IGrantable
Returns
Remarks
ExampleMetadata: infused
IsSecret(object)
Return whether the given object is a Secret.
public static bool IsSecret(object x)Parameters
- x object
Returns
Remarks
ExampleMetadata: infused
SecretValueFromJson(string)
Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
public virtual SecretValue SecretValueFromJson(string jsonField)Parameters
- jsonField string
Returns
Remarks
ExampleMetadata: infused