Get a value from AWS Secrets Manager - AWS Cloud Development Kit (AWS CDK) v2

This is the AWS CDK v2 Developer Guide. The older CDK v1 entered maintenance on June 1, 2022 and ended support on June 1, 2023.

Get a value from AWS Secrets Manager

To use values from AWS Secrets Manager in your AWS CDK app, use the fromSecretAttributes() method. It represents a value that is retrieved from Secrets Manager and used at AWS CloudFormation deployment time. The following is an example:

TypeScript
import * as sm from "aws-cdk-lib/aws-secretsmanager"; export class SecretsManagerStack extends cdk.Stack { constructor(scope: cdk.App, id: string, props?: cdk.StackProps) { super(scope, id, props); const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", { secretCompleteArn: "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey: ... });
JavaScript
const sm = require("aws-cdk-lib/aws-secretsmanager"); class SecretsManagerStack extends cdk.Stack { constructor(scope, id, props) { super(scope, id, props); const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", { secretCompleteArn: "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey: ... }); } } module.exports = { SecretsManagerStack }
Python
import aws_cdk.aws_secretsmanager as sm class SecretsManagerStack(cdk.Stack): def __init__(self, scope: cdk.App, id: str, **kwargs): super().__init__(scope, name, **kwargs) secret = sm.Secret.from_secret_attributes(self, "ImportedSecret", secret_complete_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>", # If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: # encryption_key=.... )
Java
import software.amazon.awscdk.services.secretsmanager.Secret; import software.amazon.awscdk.services.secretsmanager.SecretAttributes; public class SecretsManagerStack extends Stack { public SecretsManagerStack(App scope, String id) { this(scope, id, null); } public SecretsManagerStack(App scope, String id, StackProps props) { super(scope, id, props); Secret secret = (Secret)Secret.fromSecretAttributes(this, "ImportedSecret", SecretAttributes.builder() .secretCompleteArn("arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>") // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // .encryptionKey(...) .build()); } }
C#
using Amazon.CDK.AWS.SecretsManager; public class SecretsManagerStack : Stack { public SecretsManagerStack(App scope, string id, StackProps props) : base(scope, id, props) { var secret = Secret.FromSecretAttributes(this, "ImportedSecret", new SecretAttributes { SecretCompleteArn = "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey = ..., }); }
Tip

Use the AWS CLI create-secret CLI command to create a secret from the command line, such as when testing:

aws secretsmanager create-secret --name ImportedSecret --secret-string mygroovybucket

The command returns an ARN that you can use with the preceding example.

Once you have created a Secret instance, you can get the secret's value from the instance's secretValue attribute. The value is represented by a SecretValue instance, a special type of Tokens and the AWS CDK. Because it's a token, it has meaning only after resolution. Your CDK app does not need to access its actual value. Instead, the app can pass the SecretValue instance (or its string or numeric representation) to whatever CDK method needs the value.