This is the AWS CDK v2 Developer Guide. The older CDK v1 entered maintenance on June 1,
2022 and ended support on June 1, 2023.
Get a value from AWS Secrets Manager
To use values from AWS Secrets Manager in your AWS CDK app, use the fromSecretAttributes() method. It represents a value
that is retrieved from Secrets Manager and used at AWS CloudFormation deployment time. The following is an example:
- TypeScript
-
import * as sm from "aws-cdk-lib/aws-secretsmanager";
export class SecretsManagerStack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", {
secretCompleteArn:
"arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>"
// If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
// encryptionKey: ...
});
- JavaScript
-
const sm = require("aws-cdk-lib/aws-secretsmanager");
class SecretsManagerStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", {
secretCompleteArn:
"arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>"
// If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
// encryptionKey: ...
});
}
}
module.exports = { SecretsManagerStack }
- Python
-
import aws_cdk.aws_secretsmanager as sm
class SecretsManagerStack(cdk.Stack):
def __init__(self, scope: cdk.App, id: str, **kwargs):
super().__init__(scope, name, **kwargs)
secret = sm.Secret.from_secret_attributes(self, "ImportedSecret",
secret_complete_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>",
# If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
# encryption_key=....
)
- Java
-
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.amazon.awscdk.services.secretsmanager.SecretAttributes;
public class SecretsManagerStack extends Stack {
public SecretsManagerStack(App scope, String id) {
this(scope, id, null);
}
public SecretsManagerStack(App scope, String id, StackProps props) {
super(scope, id, props);
Secret secret = (Secret)Secret.fromSecretAttributes(this, "ImportedSecret", SecretAttributes.builder()
.secretCompleteArn("arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>")
// If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
// .encryptionKey(...)
.build());
}
}
- C#
-
using Amazon.CDK.AWS.SecretsManager;
public class SecretsManagerStack : Stack
{
public SecretsManagerStack(App scope, string id, StackProps props) : base(scope, id, props) {
var secret = Secret.FromSecretAttributes(this, "ImportedSecret", new SecretAttributes {
SecretCompleteArn = "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>"
// If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
// encryptionKey = ...,
});
}
Use the AWS CLI create-secret CLI command to create a secret from the command line, such as when testing:
aws secretsmanager create-secret --name ImportedSecret --secret-string mygroovybucket
The command returns an ARN that you can use with the preceding example.
Once you have created a Secret instance, you can get the secret's value from the instance's
secretValue attribute. The value is represented by a SecretValue instance, a special type of Tokens. Because it's a token, it has meaning only after resolution. Your CDK app does not need to
access its actual value. Instead, the app can pass the SecretValue instance (or its string or numeric
representation) to whatever CDK method needs the value.
