| Interface | Description |
|---|---|
| CfnResourcePolicyProps | Properties for defining an `AWS::SecretsManager::ResourcePolicy`. |
| CfnRotationSchedule.HostedRotationLambdaProperty | |
| CfnRotationSchedule.RotationRulesProperty | |
| CfnRotationScheduleProps | Properties for defining an `AWS::SecretsManager::RotationSchedule`. |
| CfnSecret.GenerateSecretStringProperty | |
| CfnSecret.ReplicaRegionProperty | |
| CfnSecretProps | Properties for defining an `AWS::SecretsManager::Secret`. |
| CfnSecretTargetAttachmentProps | Properties for defining an `AWS::SecretsManager::SecretTargetAttachment`. |
| ISecret | (experimental) A secret in AWS Secrets Manager. |
| ISecret.Jsii$Default | Internal default implementation for ISecret. |
| ISecretAttachmentTarget | (experimental) A secret attachment target. |
| ISecretAttachmentTarget.Jsii$Default | Internal default implementation for ISecretAttachmentTarget. |
| ISecretTargetAttachment | |
| ISecretTargetAttachment.Jsii$Default | Internal default implementation for ISecretTargetAttachment. |
| MultiUserHostedRotationOptions | (experimental) Multi user hosted rotation options. |
| ReplicaRegion | (experimental) Secret replica region. |
| ResourcePolicyProps | (experimental) Construction properties for a ResourcePolicy. |
| RotationScheduleOptions | (experimental) Options to add a rotation schedule to a secret. |
| RotationScheduleProps | (experimental) Construction properties for a RotationSchedule. |
| SecretAttachmentTargetProps | (experimental) Attachment target specifications. |
| SecretAttributes | (experimental) Attributes required to import an existing secret into the Stack. |
| SecretProps | (experimental) The properties required to create a new secret in AWS Secrets Manager. |
| SecretRotationApplicationOptions | (experimental) Options for a SecretRotationApplication. |
| SecretRotationProps | (experimental) Construction properties for a SecretRotation. |
| SecretStringGenerator | (experimental) Configuration to generate secrets such as passwords automatically. |
| SecretTargetAttachmentProps | (experimental) Construction properties for an AttachedSecret. |
| SingleUserHostedRotationOptions | (experimental) Single user hosted rotation options. |

| Enum | Description |
|---|---|
| AttachmentTargetType | (experimental) The type of service or database that's being associated with the secret. |
---
```java
import software.amazon.awscdk.services.secretsmanager.*;
```
In order to have SecretsManager generate a new secret value automatically, you can get started with the following:
The Secret construct does not allow specifying the SecretString property
of the AWS::SecretsManager::Secret resource (as this will almost always
lead to the secret being surfaced in plain text and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS SecretsManager and use the Secret.fromSecretArn
or Secret.fromSecretAttributes method to make it available in your CDK Application:
```java
ISecret secret = Secret.fromSecretAttributes(scope, "ImportedSecret", SecretAttributes.builder()
    .secretArn("arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>")
    // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
    .encryptionKey(encryptionKey)
    .build());
```
SecretsManager secret values can only be used in a select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.
A secret can set RemovalPolicy. If it is set to RETAIN, removing that secret will fail.
You must grant permission to a resource for that resource to be allowed to
use a secret. This can be achieved with the Secret.grantRead and/or Secret.grantWrite
method, depending on your need:
```java
Role role = Role.Builder.create(stack, "SomeRole")
    .assumedBy(new AccountRootPrincipal())
    .build();
Secret secret = new Secret(stack, "Secret");
secret.grantRead(role);
secret.grantWrite(role);
```
If, as in the following example, your secret was created with a KMS key:
```java
Key key = new Key(stack, "KMS");
Secret secret = Secret.Builder.create(stack, "Secret")
    .encryptionKey(key)
    .build();
secret.grantRead(role);
secret.grantWrite(role);
```
then Secret.grantRead and Secret.grantWrite will also grant the role the
relevant encrypt and decrypt permissions to the KMS key through the
SecretsManager service principal.
A rotation schedule can be added to a Secret using a custom Lambda function:
```java
Function fn = new Function(...); // the custom rotation Lambda function
Secret secret = new Secret(this, "Secret");
secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder()
    .rotationLambda(fn)
    .automaticallyAfter(Duration.days(15))
    .build());
```
See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.
Use the hostedRotation prop to rotate a secret with a hosted Lambda function:
```java
Secret secret = new Secret(this, "Secret");
secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder()
    .hostedRotation(HostedRotation.mysqlSingleUser())
    .build());
```
Hosted rotation is available for secrets representing credentials for MySQL, PostgreSQL, Oracle, MariaDB, SQLServer, Redshift and MongoDB (both for the single and multi user schemes).
When deployed in a VPC, the hosted rotation implements ec2.IConnectable:
```java
HostedRotation myHostedRotation = HostedRotation.mysqlSingleUser(SingleUserHostedRotationOptions.builder()
    .vpc(myVpc)
    .build());
secret.addRotationSchedule("RotationSchedule", RotationScheduleOptions.builder()
    .hostedRotation(myHostedRotation)
    .build());
// The hosted rotation is IConnectable, so it can be allowed through the database's security group:
dbConnections.allowDefaultPortFrom(myHostedRotation);
```
See also Automating secret creation in AWS CloudFormation.
Define a SecretRotation to rotate database credentials:
```java
SecretRotation.Builder.create(this, "SecretRotation")
    .application(SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER) // MySQL single user scheme
    .secret(mySecret)
    .target(myDatabase) // a Connectable
    .vpc(myVpc) // The VPC where the secret rotation application will be deployed
    .excludeCharacters(" %+:;{}")
    .build();
```
The secret must be a JSON string with the following format:
```json
{
  "engine": "<required: database engine>",
  "host": "<required: instance host name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name>",
  "port": "<optional: if not specified, default port will be used>",
  "masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}
```
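The following is an added example, not code from the CDK documentation or the aws-secretsmanager module. It creates a secret whose generated value already has the JSON layout above (the static fields go in the template and only `password` is generated, with the same excluded characters as the SecretRotation example), applies the RETAIN removal policy mentioned earlier, and limits the read grant to the AWSCURRENT version stage. The stack, the `appRole` grantee, the engine and the host name are assumptions.

```java
import java.util.Arrays;

import software.amazon.awscdk.core.RemovalPolicy;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.services.iam.IGrantable;
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.amazon.awscdk.services.secretsmanager.SecretStringGenerator;

public final class RotatableDbSecret {

    // Builds a rotation-ready database secret. `stack` and `appRole` are assumed
    // to exist in the caller's application (hypothetical names).
    public static Secret define(Stack stack, IGrantable appRole) {
        // Static fields of the rotation JSON format; the host is a constructed placeholder.
        String template = "{\"engine\":\"mysql\","
            + "\"host\":\"db.example.internal\","
            + "\"username\":\"app_user\","
            + "\"dbname\":\"app\","
            + "\"port\":\"3306\"}";

        Secret secret = Secret.Builder.create(stack, "DbSecret")
            .description("Application database credentials")
            .generateSecretString(SecretStringGenerator.builder()
                .secretStringTemplate(template)
                // Only the password is generated; it is merged into the template as "password".
                .generateStringKey("password")
                .passwordLength(32)
                // Same exclusions as the SecretRotation example so the value is safe in connection strings.
                .excludeCharacters(" %+:;{}")
                .build())
            // Removing the secret from the stack retains it instead of deleting it.
            .removalPolicy(RemovalPolicy.RETAIN)
            .build();

        // Least privilege: the application may only read the current version of the secret
        // (and, if the secret is KMS-encrypted, decrypt via the Secrets Manager service principal).
        secret.grantRead(appRole, Arrays.asList("AWSCURRENT"));
        return secret;
    }
}
```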
For the multi user scheme, a masterSecret must be specified:
```java
SecretRotation.Builder.create(stack, "SecretRotation")
    .application(SecretRotationApplication.MYSQL_ROTATION_MULTI_USER)
    .secret(myUserSecret) // The secret that will be rotated
    .masterSecret(myMasterSecret) // The secret used for the rotation
    .target(myDatabase)
    .vpc(myVpc)
    .build();
```
See also aws-rds where credentials generation and rotation is integrated.
Existing secrets can be imported by ARN, name, and other attributes (including the KMS key used to encrypt the secret). Secrets imported by name should use the short form of the name (without the SecretsManager-provided suffix); the secret name must exist in the same account and region as the stack. Importing by name makes it easier to reference secrets created in different regions, each with their own suffix and ARN.
```java
import software.amazon.awscdk.services.kms.IKey;
import software.amazon.awscdk.services.kms.Key;

String secretCompleteArn = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9";
String secretPartialArn = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret"; // No Secrets Manager suffix
IKey encryptionKey = Key.fromKeyArn(stack, "MyEncKey", "arn:aws:kms:eu-west-1:111111111111:key/21c4b39b-fde2-4273-9ac0-d9bb5c0d0030");

ISecret mySecretFromCompleteArn = Secret.fromSecretCompleteArn(stack, "SecretFromCompleteArn", secretCompleteArn);
ISecret mySecretFromPartialArn = Secret.fromSecretPartialArn(stack, "SecretFromPartialArn", secretPartialArn);
ISecret mySecretFromName = Secret.fromSecretNameV2(stack, "SecretFromName", "MySecret");
ISecret mySecretFromAttrs = Secret.fromSecretAttributes(stack, "SecretFromAttributes", SecretAttributes.builder()
    .secretCompleteArn(secretCompleteArn)
    .encryptionKey(encryptionKey)
    .build());
```
Secrets can be replicated to multiple regions by specifying replicaRegions:
```java
Secret.Builder.create(this, "Secret")
    .replicaRegions(Arrays.asList(
        ReplicaRegion.builder().region("eu-west-1").build(),
        ReplicaRegion.builder().region("eu-central-1").encryptionKey(myKey).build()))
    .build();
```
Alternatively, use addReplicaRegion():
```java
Secret secret = new Secret(this, "Secret");
secret.addReplicaRegion("eu-west-1");
```
Copyright © 2021. All rights reserved.