Class Secret
- Namespace
- Amazon.CDK.AWS.SecretsManager
- Assembly
- Amazon.CDK.AWS.SecretsManager.dll
Creates a new secret in AWS SecretsManager.
public class Secret : Resource, ISecret, IResource, IConstruct, IConstruct, IDependable
- Inheritance
- Secret
- Implements
- IResource
- IConstruct
- IConstruct
- IDependable
Examples
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.SecretsManager;

// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
var user = new User(this, "User");
var accessKey = new AccessKey(this, "AccessKey", new AccessKeyProps { User = user });
// Wrap the key's token so the value is passed by reference rather than as a literal string.
var secretValue = SecretStringValueBeta1.FromToken(accessKey.SecretAccessKey.ToString());
new Secret(this, "Secret", new SecretProps {
    SecretStringBeta1 = secretValue
});
Remarks
ExampleMetadata: infused
Constructors
Secret(Construct, string, ISecretProps?)
public Secret(Construct scope, string id, ISecretProps? props = null)
Parameters
- scope (Construct)
- id (string)
- props (ISecretProps)
Properties
ArnForPolicies
Provides an identifier for this secret for use in IAM policies.
protected virtual string ArnForPolicies { get; }
Property Value
Remarks
If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.
AutoCreatePolicy
protected virtual bool AutoCreatePolicy { get; }
Property Value
EncryptionKey
The customer-managed encryption key that is used to encrypt this secret, if any.
public virtual IKey? EncryptionKey { get; }
Property Value
- IKey
Remarks
When not specified, the default KMS key for the account and region is used.
SecretArn
The ARN of the secret in AWS Secrets Manager.
public virtual string SecretArn { get; }
Property Value
Remarks
Will return the full ARN if available, otherwise a partial ARN.
For secrets imported by the deprecated fromSecretName, it will return the secretName.
SecretFullArn
The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.
public virtual string? SecretFullArn { get; }
Property Value
Remarks
This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).
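The following added example (not part of the CDK documentation or code base) works through the ArnForPolicies and SecretFullArn remarks: which string ends up as the IAM policy resource, and which ARNs it covers. It assumes the missing suffix is expressed as six `?` wildcards; the class name, account ID and suffixes are constructed for illustration.

```csharp
#nullable enable
using System;
using System.Text.RegularExpressions;

public static class SecretArnForPolicies
{
    // Resource string for IAM: the full ARN when it is known, otherwise the
    // partial ARN plus six single-character wildcards standing in for the
    // Secrets Manager-supplied suffix (wildcard form assumed for this example).
    public static string PolicyResource(string secretArn, string? secretFullArn) =>
        secretFullArn ?? secretArn + "-??????";

    // IAM-style matching: '*' matches any run of characters, '?' exactly one.
    public static bool Matches(string pattern, string arn)
    {
        var regex = "^" + Regex.Escape(pattern).Replace("\\*", ".*").Replace("\\?", ".") + "$";
        return Regex.IsMatch(arn, regex);
    }

    public static void Main()
    {
        // Constructed sample ARNs: the account ID and suffixes are made up.
        const string prefix = "arn:aws:secretsmanager:us-east-1:111122223333:secret:";
        string partial = prefix + "prod/db";                 // imported by name or partial ARN
        string target = prefix + "prod/db-AbCdEf";           // the secret that was meant
        string sibling = prefix + "prod/db-replica-Zy9Xw1";  // a different secret, "prod/db-replica"

        string scoped = PolicyResource(partial, null);
        Console.WriteLine($"policy resource:         {scoped}");
        Console.WriteLine($"covers target:           {Matches(scoped, target)}");
        Console.WriteLine($"covers sibling:          {Matches(scoped, sibling)}");
        // A bare trailing '*' instead of the fixed-length suffix widens the grant.
        Console.WriteLine($"'*' form covers sibling: {Matches(partial + "*", sibling)}");
        // With a complete ARN the policy resource is the ARN itself.
        Console.WriteLine($"full ARN passes through: {PolicyResource(target, target) == target}");
    }
}
```

Importing by complete ARN keeps the policy resource exact; the fixed-length wildcard is the narrowest form available when only the name or partial ARN is known.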
SecretName
The name of the secret.
public virtual string SecretName { get; }
Property Value
Remarks
For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.
SecretValue
Retrieve the value of the stored secret as a SecretValue.
public virtual SecretValue SecretValue { get; }
Property Value
- SecretValue
Methods
AddReplicaRegion(string, IKey?)
Adds a replica region for the secret.
public virtual void AddReplicaRegion(string region, IKey? encryptionKey = null)
Parameters
- region (string): The name of the region.
- encryptionKey (IKey): The customer-managed encryption key to use for encrypting the secret value.
AddRotationSchedule(string, IRotationScheduleOptions)
Adds a rotation schedule to the secret.
public virtual RotationSchedule AddRotationSchedule(string id, IRotationScheduleOptions options)
Parameters
- id (string)
- options (IRotationScheduleOptions)
Returns
AddTargetAttachment(string, IAttachedSecretOptions)
(deprecated) Adds a target attachment to the secret.
[Obsolete("use `attach()` instead")]
public virtual SecretTargetAttachment AddTargetAttachment(string id, IAttachedSecretOptions options)
Parameters
- id (string)
- options (IAttachedSecretOptions)
Returns
- SecretTargetAttachment
an AttachedSecret
Remarks
Stability: Deprecated
AddToResourcePolicy(PolicyStatement)
Adds a statement to the IAM resource policy associated with this secret.
public virtual IAddToResourcePolicyResult AddToResourcePolicy(PolicyStatement statement)
Parameters
- statement (PolicyStatement)
Returns
- IAddToResourcePolicyResult
Remarks
If this secret was created in this stack, a resource policy will be
automatically created upon the first call to addToResourcePolicy. If
the secret is imported, then this is a no-op.
Attach(ISecretAttachmentTarget)
Attach a target to this secret.
public virtual ISecret Attach(ISecretAttachmentTarget target)
Parameters
- target (ISecretAttachmentTarget): The target to attach.
Returns
- ISecret
An attached secret
DenyAccountRootDelete()
Denies the DeleteSecret action to all principals within the current account.
public virtual void DenyAccountRootDelete()
FromSecretArn(Construct, string, string)
[Obsolete("use `fromSecretCompleteArn` or `fromSecretPartialArn`")]
public static ISecret FromSecretArn(Construct scope, string id, string secretArn)
Parameters
Returns
Remarks
Stability: Deprecated
FromSecretAttributes(Construct, string, ISecretAttributes)
Import an existing secret into the Stack.
public static ISecret FromSecretAttributes(Construct scope, string id, ISecretAttributes attrs)
Parameters
- scope (Construct): the scope of the import.
- id (string): the ID of the imported Secret in the construct tree.
- attrs (ISecretAttributes): the attributes of the imported secret.
Returns
FromSecretCompleteArn(Construct, string, string)
Imports a secret by complete ARN.
public static ISecret FromSecretCompleteArn(Construct scope, string id, string secretCompleteArn)
Parameters
Returns
Remarks
The complete ARN is the ARN with the Secrets Manager-supplied suffix.
FromSecretName(Construct, string, string)
(deprecated) Imports a secret by secret name.
[Obsolete("use `fromSecretNameV2`")]
public static ISecret FromSecretName(Construct scope, string id, string secretName)
Parameters
Returns
Remarks
The ARN of the Secret will be set to the secret name. A secret with this name must exist in the same account & region.
Stability: Deprecated
FromSecretNameV2(Construct, string, string)
Imports a secret by secret name.
public static ISecret FromSecretNameV2(Construct scope, string id, string secretName)
Parameters
Returns
Remarks
A secret with this name must exist in the same account & region.
Replaces the deprecated fromSecretName.
FromSecretPartialArn(Construct, string, string)
Imports a secret by partial ARN.
public static ISecret FromSecretPartialArn(Construct scope, string id, string secretPartialArn)
Parameters
Returns
Remarks
The partial ARN is the ARN without the Secrets Manager-supplied suffix.
GrantRead(IGrantable, string[]?)
Grants reading the secret value to some role.
public virtual Grant GrantRead(IGrantable grantee, string[]? versionStages = null)
Parameters
- grantee (IGrantable)
- versionStages (string[])
Returns
- Grant
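An added example (not taken from the CDK documentation) that combines GrantRead, AddToResourcePolicy and DenyAccountRootDelete into one access baseline, and turns the documented no-op on imported secrets into a synthesis-time error. The helper name `SecretAccessBaseline`, the `reader` principal and the `organizationId` value are assumptions supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.SecretsManager;

public static class SecretAccessBaseline
{
    // Hypothetical helper: 'reader' is the one principal that needs the value,
    // 'organizationId' is the caller's AWS Organizations ID (placeholder input).
    public static void Apply(ISecret secret, IGrantable reader, string organizationId)
    {
        // Read access limited to the version currently staged as AWSCURRENT.
        secret.GrantRead(reader, new[] { "AWSCURRENT" });

        // Resource policy: deny reads from principals outside the organization.
        var result = secret.AddToResourcePolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.DENY,
            Principals = new IPrincipal[] { new AnyPrincipal() },
            Actions = new[] { "secretsmanager:GetSecretValue" },
            Resources = new[] { "*" },
            Conditions = new Dictionary<string, object>
            {
                ["StringNotEquals"] = new Dictionary<string, object>
                {
                    ["aws:PrincipalOrgID"] = organizationId
                }
            }
        }));

        // For an imported secret AddToResourcePolicy is a no-op, so nothing was
        // attached. Fail here rather than deploy a secret assumed to be guarded.
        if (!result.StatementAdded)
        {
            throw new InvalidOperationException(
                "Resource policy not applied: the secret is imported, not created in this stack.");
        }

        // Resource policy: deny DeleteSecret to all principals in this account.
        secret.DenyAccountRootDelete();
    }
}
```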
GrantWrite(IGrantable)
Grants writing and updating the secret value to some role.
public virtual Grant GrantWrite(IGrantable grantee)
Parameters
- grantee (IGrantable)
Returns
- Grant
SecretValueFromJson(string)
Interpret the secret as a JSON object and return a field's value from it as a SecretValue.
public virtual SecretValue SecretValueFromJson(string jsonField)
Parameters
- jsonField (string)
Returns
- SecretValue
Validate()
Validate the current construct.
protected override string[] Validate()
Returns
- string[]
Remarks
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.