Credentials

class aws_cdk.aws_rds.Credentials

Bases: object

Username and password combination.

Example:

import json
from aws_cdk import aws_rds as rds, aws_secretsmanager as secretsmanager

# vpc: ec2.IVpc


instance1 = rds.DatabaseInstance(self, "PostgresInstance1",
    engine=rds.DatabaseInstanceEngine.POSTGRES,
    # Generate the secret with admin username `postgres` and random password
    credentials=rds.Credentials.from_generated_secret("postgres"),
    vpc=vpc
)
# Templated secret with username and password fields
templated_secret = secretsmanager.Secret(self, "TemplatedSecret",
    generate_secret_string=secretsmanager.SecretStringGenerator(
        secret_string_template=json.dumps({"username": "postgres"}),
        generate_string_key="password",
        # Exclude characters that are awkward in connection strings
        exclude_characters="/@\""
    )
)
# Using the templated secret as credentials.
# Credentials is a class, so it is built with from_password rather than a dict.
instance2 = rds.DatabaseInstance(self, "PostgresInstance2",
    engine=rds.DatabaseInstanceEngine.POSTGRES,
    credentials=rds.Credentials.from_password(
        templated_secret.secret_value_from_json("username").to_string(),
        templated_secret.secret_value_from_json("password")
    ),
    vpc=vpc
)

Attributes

encryption_key

KMS encryption key to encrypt the generated secret.

Default:
  • default master key

exclude_characters

The characters to exclude from the generated password.

Only used if password has not been set.

Default:
  • the DatabaseSecret default exclude character set (" %+~`#$&*()|[]{}:;<>?!'/@"")

password

Password.

Do not put passwords in your CDK code directly.

Default:
  • a Secrets Manager generated password

replica_regions

A list of regions where to replicate the generated secret.

Default:
  • Secret is not replicated

secret

Secret used to instantiate this Login.

Default:
  • none

secret_name

The name to use for the Secret if a new Secret is to be generated in SecretsManager for these Credentials.

Default:
  • A name is generated by CloudFormation.

username

Username.

username_as_string

Whether the username should be referenced as a string and not as a dynamic reference to the username in the secret.

Default:
  • false

Static Methods

classmethod from_generated_secret(username, *, encryption_key=None, exclude_characters=None, replica_regions=None, secret_name=None)

Creates Credentials with a password generated and stored in Secrets Manager.

Parameters:
  • username (str)

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Has no effect if password has been provided. Default: - the DatabaseSecret default exclude character set (" %+~`#$&*()|[]{}:;<>?!'/@"")

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

  • secret_name (Optional[str]) – The name of the secret. Default: - A name is generated by CloudFormation.

Return type:

Credentials

classmethod from_password(username, password)

Creates Credentials from a password.

Do not put passwords in your CDK code directly.

Parameters:
  • username (str)

  • password (SecretValue)

Return type:

Credentials

classmethod from_secret(secret, username=None)

Creates Credentials from an existing Secrets Manager Secret (or DatabaseSecret).

The Secret must be a JSON string with a username and password field:

{
  ...
  "username": <required: username>,
  "password": <required: password>,
}

Parameters:
  • secret (ISecret) – The secret where the credentials are stored.

  • username (Optional[str]) – The username defined in the secret. If specified, the username will be referenced as a string and not as a dynamic reference to the username field in the secret. This allows the secret to be replaced without replacing the instance or cluster.

Return type:

Credentials

classmethod from_username(username, *, password=None, encryption_key=None, exclude_characters=None, replica_regions=None, secret_name=None)

Creates Credentials for the given username, and optional password and key.

If no password is provided, one will be generated and stored in Secrets Manager.

Parameters:
  • username (str)

  • password (Optional[SecretValue]) – Password. Do not put passwords in your CDK code directly. Default: - a Secrets Manager generated password

  • encryption_key (Optional[IKey]) – KMS encryption key to encrypt the generated secret. Default: - default master key

  • exclude_characters (Optional[str]) – The characters to exclude from the generated password. Has no effect if password has been provided. Default: - the DatabaseSecret default exclude character set (" %+~`#$&*()|[]{}:;<>?!'/@"")

  • replica_regions (Optional[Sequence[Union[ReplicaRegion, Dict[str, Any]]]]) – A list of regions where to replicate this secret. Default: - Secret is not replicated

  • secret_name (Optional[str]) – The name of the secret. Default: - A name is generated by CloudFormation.

Return type:

Credentials
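
The warning on from_password and on the password parameter of from_username ("Do not put passwords in your CDK code directly") can be enforced with a source check before synthesis. The following is an added example, not part of the CDK documentation: an ast-based scan of Python CDK source that flags those two calls when the password is a string literal or a literal wrapped with SecretValue.plain_text / SecretValue.unsafe_plain_text. The function names and the sample source are constructed for illustration.

```python
import ast

# Helpers that wrap a literal string as a SecretValue (CDK v1 and v2 names).
PLAINTEXT_WRAPPERS = {"plain_text", "unsafe_plain_text"}

# Constructed sample of CDK app source; every name and value is illustrative.
SAMPLE = '''\
generated = rds.Credentials.from_generated_secret("postgres")
existing = rds.Credentials.from_secret(db_secret, "postgres")
bad1 = rds.Credentials.from_password(
    "postgres", SecretValue.unsafe_plain_text("EXAMPLE-ONLY"))
bad2 = rds.Credentials.from_username(
    "postgres", password=SecretValue.plain_text("EXAMPLE-ONLY"))
ok = rds.Credentials.from_password(
    "postgres", SecretValue.secrets_manager("example/db", json_field="password"))
'''


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_hardcoded(expr):
    """A bare string, or a plain-text SecretValue wrapper around one."""
    if _is_str_literal(expr):
        return True
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr in PLAINTEXT_WRAPPERS):
        args = expr.args + [kw.value for kw in expr.keywords]
        return any(_is_str_literal(a) for a in args)
    return False


def find_hardcoded_passwords(source):
    """Return sorted (line, method) pairs for calls with a literal password."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        method = node.func.attr
        if method not in ("from_password", "from_username"):
            continue
        # password is keyword-only in from_username, 2nd positional in from_password
        candidates = [kw.value for kw in node.keywords if kw.arg == "password"]
        if method == "from_password" and len(node.args) > 1:
            candidates.append(node.args[1])
        if any(_is_hardcoded(c) for c in candidates):
            findings.append((node.lineno, method))
    return sorted(findings)
```

The scan only inspects the argument expression itself, so a literal assigned to a variable and passed by name is not detected; a reference such as SecretValue.secrets_manager(...) is correctly left alone because its string argument is a secret name, not the password.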