Get a value from AWS Secrets Manager - AWS Cloud Development Kit (CDK) v2

This is the AWS CDK v2 Developer Guide. If you're using v1, see the CDK v1 Developer Guide. CDK v1 enters maintenance on June 1, 2022.

Get a value from AWS Secrets Manager

To use values from AWS Secrets Manager in your AWS CDK app, use the fromSecretAttributes() method. It represents a value that is retrieved from Secrets Manager and used at AWS CloudFormation deployment time.

TypeScript
import * as sm from "aws-cdk-lib/aws-secretsmanager"; export class SecretsManagerStack extends cdk.Stack { constructor(scope: cdk.App, id: string, props?: cdk.StackProps) { super(scope, id, props); const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", { secretCompleteArn: "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey: ... });
JavaScript
const sm = require("aws-cdk-lib/aws-secretsmanager"); class SecretsManagerStack extends cdk.Stack { constructor(scope, id, props) { super(scope, id, props); const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", { secretCompleteArn: "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey: ... }); } } module.exports = { SecretsManagerStack }
Python
import aws_cdk.aws_secretsmanager as sm class SecretsManagerStack(cdk.Stack): def __init__(self, scope: cdk.App, id: str, **kwargs): super().__init__(scope, name, **kwargs) secret = sm.Secret.from_secret_attributes(self, "ImportedSecret", secret_complete_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>", # If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: # encryption_key=.... )
Java
import software.amazon.awscdk.services.secretsmanager.Secret; import software.amazon.awscdk.services.secretsmanager.SecretAttributes; public class SecretsManagerStack extends Stack { public SecretsManagerStack(App scope, String id) { this(scope, id, null); } public SecretsManagerStack(App scope, String id, StackProps props) { super(scope, id, props); Secret secret = (Secret)Secret.fromSecretAttributes(this, "ImportedSecret", SecretAttributes.builder() .secretCompleteArn("arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>") // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // .encryptionKey(...) .build()); } }
C#
using Amazon.CDK.AWS.SecretsManager; public class SecretsManagerStack : Stack { public SecretsManagerStack(App scope, string id, StackProps props) : base(scope, id, props) { var secret = Secret.FromSecretAttributes(this, "ImportedSecret", new SecretAttributes { SecretCompleteArn = "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>" // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key: // encryptionKey = ..., }); }
Tip

Use the create-secret CLI command to create a secret from the command-line, such as when testing:

aws secretsmanager create-secret --name ImportedSecret --secret-string mygroovybucket

The command returns an ARN you can use with the above example.

Once you have created a Secret instance, you can get the secret's value from the instance's secretValue attribute. The value is represented by a SecretValue instance, a special type of Tokens. As it is a token, it has meaning only after resolution; your CDK app does not need to access its actual value, but can instead pass the SecretValue instance (or its string or numeric representation) to whatever CDK method needs the value.