JSPM

@aws-cdk/aws-secretsmanager

1.32.0
  • Downloads 47501
  • License Apache-2.0

The CDK Construct Library for AWS::SecretsManager

Package Exports

  • @aws-cdk/aws-secretsmanager
  • @aws-cdk/aws-secretsmanager/lib/secret

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@aws-cdk/aws-secretsmanager) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

AWS Secrets Manager Construct Library

Stability: Stable

const secretsmanager = require('@aws-cdk/aws-secretsmanager');

Create a new Secret in a Stack

In order to have SecretsManager generate a new secret value automatically, you can get started with the following:

example of creating a secret

The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).
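The construct's refusal to emit SecretString is worth checking for at the template level too, since hand-written or third-party stacks can still set it. Below is an added example, not code from this package, that scans a synthesized CloudFormation template (the JSON that cdk synth writes) and reports any AWS::SecretsManager::Secret whose value is baked in as SecretString rather than produced by GenerateSecretString. The template in the block is constructed for the example.

```typescript
// Added example, not part of @aws-cdk/aws-secretsmanager: a lint pass over a
// synthesized CloudFormation template that flags AWS::SecretsManager::Secret
// resources whose value is carried in the template as SecretString instead of
// being generated by Secrets Manager.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface SecretFinding {
  logicalId: string;
  reason: string;
}

// Walks every resource and reports secrets that would expose their value
// through the template itself. Findings carry the logical ID only, never the
// value, so the report is safe to print in CI logs.
function findTemplateSecrets(template: CfnTemplate): SecretFinding[] {
  const findings: SecretFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::SecretsManager::Secret') continue;
    const props = res.Properties || {};
    if ('SecretString' in props) {
      findings.push({
        logicalId,
        reason: 'SecretString is set, so the secret value lives in the template and in source control',
      });
    }
  }
  return findings;
}

// Constructed sample template: one secret shaped like what the Secret
// construct emits (GenerateSecretString), one hand-written with a literal value.
const sampleTemplate: CfnTemplate = {
  Resources: {
    AppSecret: {
      Type: 'AWS::SecretsManager::Secret',
      Properties: {
        GenerateSecretString: {
          SecretStringTemplate: '{"username":"app"}',
          GenerateStringKey: 'password',
          ExcludeCharacters: '"@/\\',
        },
      },
    },
    LegacySecret: {
      Type: 'AWS::SecretsManager::Secret',
      Properties: { SecretString: '{"username":"app","password":"constructed-example-value"}' },
    },
    Queue: { Type: 'AWS::SQS::Queue' },
  },
};

for (const f of findTemplateSecrets(sampleTemplate)) {
  console.log(`${f.logicalId}: ${f.reason}`);
}
```

Run against the real cdk.out/*.template.json files in a pipeline step, a non-empty result is a reason to fail the build before the template (and the value inside it) is committed or uploaded.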

If you need to use a pre-existing secret, the recommended way is to provision the secret manually in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes methods to make it available in your CDK application:

const secret = secretsmanager.Secret.fromSecretAttributes(scope, 'ImportedSecret', {
  secretArn: 'arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>',
  // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
  encryptionKey,
});

SecretsManager secret values can only be used in a select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.

Rotating a Secret with a custom Lambda function

A rotation schedule can be added to a Secret using a custom Lambda function:

const fn = new lambda.Function(...);
const secret = new secretsmanager.Secret(this, 'Secret');

secret.addRotationSchedule('RotationSchedule', {
  rotationLambda: fn,
  automaticallyAfter: Duration.days(15)
});

See Overview of the Lambda Rotation Function for how to implement a Lambda rotation function.

Rotating database credentials

Define a SecretRotation to rotate database credentials:

new SecretRotation(this, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single user scheme
  secret: mySecret,
  target: myDatabase, // a Connectable
  vpc: myVpc, // The VPC where the secret rotation application will be deployed
});

The secret must be a JSON string with the following format:

{
  "engine": "<required: database engine>",
  "host": "<required: instance host name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name>",
  "port": "<optional: if not specified, default port will be used>",
  "masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}

For the multi user scheme, a masterSecret must be specified:

new SecretRotation(stack, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // The secret that will be rotated
  masterSecret: myMasterSecret, // The secret used for the rotation
  target: myDatabase,
  vpc: myVpc,
});
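A rotation that is attached to a secret with the wrong shape fails on its first run, so it is useful to validate the JSON before defining the SecretRotation. The following is an added example, not code from this package: it checks a secret value against the format above, including the masterarn that only the multi-user scheme needs. The required and optional fields come from the format listed earlier; the port range, the ARN pattern and the SINGLE_USER / MULTI_USER scheme names are this example's own assumptions, and all sample values are constructed.

```typescript
// Added example, not part of @aws-cdk/aws-secretsmanager: checks that a secret
// value has the JSON shape the rotation application expects before a
// SecretRotation is attached to it. Field rules follow the documented format;
// the port range, the ARN pattern and the scheme names are assumptions.

type RotationScheme = 'SINGLE_USER' | 'MULTI_USER';

interface RotationSecret {
  engine: string;
  host: string;
  username: string;
  password: string;
  dbname?: string;
  port?: number;
  masterarn?: string;
}

interface ValidationResult {
  secret?: RotationSecret;
  errors: string[];
}

// Error messages name fields only; the password never appears in them.
function validateRotationSecret(raw: string, scheme: RotationScheme): ValidationResult {
  let obj: any;
  try {
    obj = JSON.parse(raw);
  } catch {
    return { errors: ['secret is not valid JSON'] };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { errors: ['secret must be a JSON object'] };
  }

  const errors: string[] = [];
  for (const key of ['engine', 'host', 'username', 'password']) {
    if (typeof obj[key] !== 'string' || obj[key] === '') {
      errors.push(`missing required field: ${key}`);
    }
  }
  if (obj.dbname !== undefined && typeof obj.dbname !== 'string') {
    errors.push('dbname must be a string');
  }

  // The format quotes port as a string; a number is accepted too, but it must
  // be a valid TCP port. When absent, the engine's default port is used.
  let port: number | undefined;
  if (obj.port !== undefined) {
    port = typeof obj.port === 'number' ? obj.port : Number(obj.port);
    if (port !== Math.floor(port) || port < 1 || port > 65535) {
      errors.push('port must be an integer between 1 and 65535');
    }
  }

  // masterarn is only consulted by the multi-user scheme, where the rotation
  // function uses the master secret to create users and change passwords.
  if (scheme === 'MULTI_USER') {
    if (typeof obj.masterarn !== 'string') {
      errors.push('multi-user rotation requires masterarn');
    } else if (!/^arn:aws(-[a-z]+)*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$/.test(obj.masterarn)) {
      errors.push('masterarn does not look like a Secrets Manager secret ARN');
    }
  }

  if (errors.length > 0) {
    return { errors };
  }
  const secret: RotationSecret = {
    engine: obj.engine,
    host: obj.host,
    username: obj.username,
    password: obj.password,
  };
  if (obj.dbname !== undefined) secret.dbname = obj.dbname;
  if (port !== undefined) secret.port = port;
  if (typeof obj.masterarn === 'string') secret.masterarn = obj.masterarn;
  return { secret, errors: [] };
}

// Constructed sample values (no real hosts, accounts or credentials).
const sampleUserSecret = JSON.stringify({
  engine: 'mysql',
  host: 'db.example.internal',
  username: 'app',
  password: 'constructed-example-value',
  port: '3306',
});
const sampleMultiUserSecret = JSON.stringify({
  engine: 'mysql',
  host: 'db.example.internal',
  username: 'app',
  password: 'constructed-example-value',
  masterarn: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:MasterSecret-AbCdEf',
});

console.log(validateRotationSecret(sampleUserSecret, 'SINGLE_USER').errors);
console.log(validateRotationSecret(sampleUserSecret, 'MULTI_USER').errors);
console.log(validateRotationSecret(sampleMultiUserSecret, 'MULTI_USER').errors);
```

The same user secret passes for the single-user scheme and fails for the multi-user scheme with only the masterarn complaint, which is the exact mismatch that otherwise surfaces as a failed first rotation.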

See also aws-rds, where credential generation and rotation are integrated.