AWS Secrets Manager Construct Library
This is a developer preview (public beta) module. Releases might lack important features and might have
future breaking changes.
This API is still under active development and subject to non-backward
compatible changes or removal in any future version. Use of the API is not recommended in production
environments. Experimental APIs are not subject to the Semantic Versioning model.
const secretsmanager = require('@aws-cdk/aws-secretsmanager');
Create a new Secret in a Stack
In order to have SecretsManager generate a new secret value automatically,
you can get started with the following:
example of creating a secret
The Secret
construct does not allow specifying the SecretString
property
of the AWS::SecretsManager::Secret
resource (as this will almost always
lead to the secret being surfaced in plain text and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS SecretsManager and use the Secret.import
method to make it available in your CDK Application:
const secret = Secret.import(scope, 'ImportedSecret', {
secretArn: 'arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>',
encryptionKey,
});
SecretsManager secret values can only be used in select set of properties. For the
list of properties, see the CloudFormation Dynamic References documentation.
Rotating a Secret
A rotation schedule can be added to a Secret:
const fn = new lambda.Function(...);
const secret = new secretsManager.Secret(this, 'Secret');
secret.addRotationSchedule('RotationSchedule', {
rotationLambda: fn,
automaticallyAfterDays: 15
});
See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.
For RDS credentials rotation, see aws-rds.