@aws-cdk/aws-secretsmanager

AWS Secrets Manager Construct Library

---

This is a developer preview (public beta) module. Releases might lack important features and might have future breaking changes.

This API is still under active development and subject to non-backward compatible changes or removal in any future version. Use of the API is not recommended in production environments. Experimental APIs are not subject to the Semantic Versioning model.

---

const secretsmanager = require('@aws-cdk/aws-secretsmanager');

Create a new Secret in a Stack

In order to have SecretsManager generate a new secret value automatically, you can get started with the following:

example of creating a secret

The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.import method to make it available in your CDK Application:

const secret = Secret.import(scope, 'ImportedSecret', {
  secretArn: 'arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>',
  // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
  encryptionKey,
});

SecretsManager secret values can only be used in select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.

Rotating a Secret

A rotation schedule can be added to a Secret:

const fn = new lambda.Function(...);
const secret = new secretsManager.Secret(this, 'Secret');

secret.addRotationSchedule('RotationSchedule', {
  rotationLambda: fn,
  automaticallyAfterDays: 15
});

See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.

For RDS credentials rotation, see aws-rds.

Changelog

0.35.0 (2019-06-19)

Bug Fixes

• cli: Move version check TTL file to home directory (#2774) (1ae11c0)
• cli: correctly pass Stack-level Tags (#2829) (e0718ef), closes #2822
• cli: Hide @types/yargs types from types (#2907) (095d8e2), closes #2895
• cloudformation-diff: string.replace error on cdk context (#2870) (b8a1c8e), closes #2854
• codebuild: API cleanup. (#2745) (c3667d7)
• codebuild: correctly handle permissions for Projects inside VPC. (#2662) (390baf1), closes #2651 #2652
• core: make IResolvable.creationStack required (#2912) (7c6ebb6)
• core: use default account/region when environment is not specified (#2867) (e9a4a79), closes #2728 #2853 #2866
• ecs: downscope permissions required by instance draining hook (#2761) (9ea6148)
• ecs-patterns: update constructs for ECS/Fargate consistency (#2795) (1378e2d)
• events-targets: event targets can have the same construct id (#2744) (210dd0f), closes #2377
• iam: support adding permissions to imported roles (#2805) (936464f), closes #2381 #2651 #2652 #2662
• cli: Correct java init template (#2889) (b3b3ba9)
• rds: allow setting backupRetentionPeriod=0 (#2875) (b0730dd)
• rds: fix unresolved endpoint socket address (#2846) (902636a), closes #2711
• sqs: remove 'Batch' permissions (#2806) (654cb37), closes #2381

Code Refactoring

• apigateway: API cleanups (#2903) (53e1191)
• assets: API cleanups (#2910) (83eee09)
• codebuild: introduce BuildSpec object (#2820) (86a2192)
• codepipeline: rename name in StageProps to stageName. (#2882) (be574a1)
• core: revisit the Stack API (#2818) (47afdc2), closes #2728
• dynamodb: API cleanups (#2905) (d229836)
• ecs: Asset ContainerImage no longer takes Construct arguments (#2906) (8f400e7)
• ecs: rename hwType to hardwareType (#2916) (1aa0589), closes #2896
• lambda: renamed the lambda.Runtime enum values from NodeJS to Nodejs (#2815) (10c37dd), closes #980
• lambda: Standardize Lambda API (#2876) (6446b78)
• logs: API cleanups (#2909) (06221ac)
• secretsmanager: API cleanups (#2908) (60f46c8)
• ssm: API cleanups (#2904) (bd1bcf5)
• clean up API for removal policy across the library (#2893) (65014ab)
• sns: move subscribers to aws-sns-subscribers (#2804) (9ef899c)
• events: clean up Events APIs (#2840) (1e23921), closes #2840
• iam: cleanup of IAM library (#2823) (b735d1c), closes #2823

Features

• cli: Expose props in CFN resources and remove propertyOverrides (#2372) (#2372) (aa61dfb), closes #2100
• cli: deploy/destory require explicit stack selection if app contains more than a single stack (#2772) (118a716), closes #2731
• cli: Remove stack rename support (#2819) (0f30e39), closes #2670
• cloudformation: add option to restrict data returned AwsCustomResource (#2859) (a691900), closes #2825
• cloudformation: Add removalPolicy on CustomResource (#2770) (859248a)
• cloudfront: add Lambda associations (#2760) (b088c8c)
• codepipeline: final form of the CodeBuild Pipeline action. (#2716) (c10fc9a)
• core: show token creation stack trace upon resolve error (#2886) (f4c8dcd)
• ecs: add metrics for Fargate services (#2798) (acf015d)
• ecs-patterns: LoadBalancedFargateService - allow specifying containerName and role (#2764) (df12197)
• elasticloadbalancing: add crossZone load balancing (#2787) (192bab7), closes #2786
• lambda: Expose $LATEST function version (#2792) (55d1bc8), closes #2776
• s3: add CORS Property to S3 Bucket (#2101) (#2843) (1a386d8)
• s3: add missing storage classes and API cleanups (#2834) (5cd9609), closes #2708
• stepfunctions: add grantStartExecution() (#2793) (da32176)
• stepfunctions: add support for AmazonSageMaker APIs (#2808) (8b1f3ed), closes #1314
• stepfunctions: waitForTaskToken for Lambda, SQS, SNS (#2686) (d017a14), closes #2658 #2735
• formalize the concept of physical names, and use them for cross-environment CodePipelines. (#1924) (6daaca8)

BREAKING CHANGES TO EXPERIMENTAL FEATURES

• assets: AssetProps.packaging has been removed and is now automatically discovered based on the file type.
• assets: ZipDirectoryAsset has been removed, use aws-s3-assets.Asset.
• assets: FileAsset has been removed, use aws-s3-assets.Asset.
• lambda: Code.directory and Code.file have been removed. Use Code.asset.
• assets-docker: The module has been renamed to aws-ecr-assets
• ecs: the property that specifies the type of EC2 AMI optimized for ECS was renamed to hardwareType from hwType.
• codebuild: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.
• dynamodb: TableOptions.pitrEnabled renamed to pointInTimeRecovery.
• dynamodb: TableOptions.sseEnabled renamed to serverSideEncryption.
• dynamodb: TableOptions.ttlAttributeName renamed to timeToLiveAttribute.
• dynamodb: TableOptions.streamSpecification renamed stream.
• ecs: ContainerImage.fromAsset() now takes only build directory directly (no need to pass scope or id anymore).
• secretsmanager: ISecret.secretJsonValue renamed to secretValueFromJson.
• ssm: ParameterStoreString has been removed. Use StringParameter.fromStringParameterAttributes.
• ssm: ParameterStoreSecureString has been removed. Use StringParameter.fromSecureStringParameterAttributes.
• ssm: ParameterOptions.name was renamed to parameterName.
• logs: newStream renamed to addStream and doesn't need a scope
• logs: newSubscriptionFilter renamed to addSubscriptionFilter and doesn't need a scope
• logs: newMetricFilter renamed to addMetricFilter and doesn't need a scope
• logs: NewSubscriptionFilterProps renamed to SubscriptionProps
• logs: NewLogStreamProps renamed to LogStreamOptions
• logs: NewMetricFilterProps renamed to MetricFilterOptions
• logs: JSONPattern renamed to JsonPattern
• apigateway: MethodOptions.authorizerId is now called authorizer and accepts an IAuthorizer which is a placeholder interface for the authorizer resource.
• apigateway: restapi.executeApiArn renamed to arnForExecuteApi.
• apigateway: restapi.latestDeployment and deploymentStage are now read-only.
• events: EventPattern.detail is now a map.
• events: scheduleExpression: string is now schedule: Schedule.
• multiple modules have been changed to use cdk.RemovalPolicy to configure the resource's removal policy.
• core: applyRemovalPolicy is now CfnResource.applyRemovalPolicy.
• core: RemovalPolicy.Orphan has been renamed to Retain.
• core: RemovalPolicy.Forbid has been removed, use Retain.
• ecr: RepositoryProps.retain is now removalPolicy, and defaults to Retain instead of remove since ECR is a stateful resource
• kms: KeyProps.retain is now removalPolicy
• logs: LogGroupProps.retainLogGroup is now removalPolicy
• logs: LogStreamProps.retainLogStream is now removalPolicy
• rds: DatabaseClusterProps.deleteReplacePolicy is now removalPolicy
• rds: DatabaseInstanceNewProps.deleteReplacePolicy is now removalPolicy
• codebuild: rename BuildSource to Source, S3BucketSource to S3Source, BuildArtifacts to Artifacts, S3BucketBuildArtifacts to S3Artifacts
• codebuild: the classes CodePipelineBuildSource, CodePipelineBuildArtifacts, NoBuildSource, and NoBuildArtifacts have been removed
• codebuild: rename buildScriptAsset and buildScriptAssetEntrypoint to buildScript and buildScriptEntrypoint, respectively
• cli: All L1 ("Cfn") Resources attributes are now prefixed with attr instead of the resource type. For example, in S3 bucket.bucketArn is now bucket.attrArn.
• propertyOverrides has been removed from all "Cfn" resources, instead users can now read/write resource properties directly on the resource class. For example, instead of lambda.propertyOverrides.runtime just use lambda.runtime.
• codepipeline: the property designating the name of the stage when creating a CodePipeline is now called stageName instead of name
• codepipeline: the output and extraOutputs properties of the CodeBuildAction were merged into one property, outputs.
• lambda:
  • Renamed Function.addLayer to addLayers and made it variadic
  • Removed IFunction.handler property
  • Removed IVersion.versionArn property (the value is at functionArn)
  • Removed SingletonLayerVersion
  • Stopped exporting LogRetention
• cli: if an app includes more than one stack "cdk deploy" and "cdk destroy" now require that an explicit selector will be passed. Use "cdk deploy '*'" if you want to select all stacks.
• iam: PolicyStatement no longer has a fluid API, and accepts a props object to be able to set the important fields.
• iam: rename ImportedResourcePrincipal to UnknownPrincipal.
• iam: managedPolicyArns renamed to managedPolicies, takes return value from ManagedPolicy.fromAwsManagedPolicyName().
• iam: PolicyDocument.postProcess() is now removed.
• iam: PolicyDocument.addStatement() renamed to addStatements.
• iam: PolicyStatement is no longer IResolvable, call .toStatementJson() to retrieve the IAM policy statement JSON.
• iam: AwsPrincipal has been removed, use ArnPrincipal instead.
• s3: s3.StorageClass is now an enum-like class instead of a regular enum. This means that you need to call .value in order to obtain it's value.
• s3: s3.Coordinates renamed to s3.Location
• codepipeline: Artifact.s3Coordinates renamed to Artifact.s3Location.
• codebuild: buildSpec argument is now a BuildSpec object.
• lambda: lambda.Runtime.NodeJS* are now lambda.Runtime.Nodejs*
• core: multiple changes to the Stack API
• core: stack.name renamed to stack.stackName
• core: stack.stackName will return the concrete stack name. Use Aws.stackName to indicate { Ref: "AWS::StackName" }.
• core: stack.account and stack.region will return the concrete account/region only if they are explicitly specified when the stack is defined (under the env prop). Otherwise, they will return a token that resolves to the AWS::AccountId and AWS::Region intrinsic references. Use Context.getDefaultAccount() and Context.getDefaultRegion() to obtain the defaults passed through the toolkit in case those are needed. Use Token.isUnresolved(v) to check if you have a concrete or intrinsic.
• core: stack.logicalId has been removed. Use stack.getLogicalId()
• core: stack.env has been removed, use stack.account, stack.region and stack.environment instead
• core: stack.accountId renamed to stack.account (to allow treating account more abstractly)
• core: AvailabilityZoneProvider can now be accessed through Context.getAvailabilityZones()
• core: SSMParameterProvider can now be accessed through Context.getSsmParameter()
• core: parseArn is now Arn.parse
• core: arnFromComponents is now arn.format
• core: node.lock and node.unlock are now private
• core: stack.requireRegion and requireAccountId have been removed. Use Token.unresolved(stack.region) instead
• core: stack.parentApp have been removed. Use App.isApp(stack.node.root) instead.
• core: stack.missingContext is now private
• core: stack.renameLogical have been renamed to stack.renameLogicalId
• core: IAddressingScheme, HashedAddressingScheme and LogicalIDs are now internal. Override Stack.allocateLogicalId to customize how logical IDs are allocated to resources.
• cli: The CLI no longer accepts --rename, and the stack names are now immutable on the stack artifact.
• sns: using a queue, lambda, email, URL as SNS Subscriber now requires an integration object from the @aws-cdk/aws-sns-subscribers package.
• ecs-patterns: Renamed QueueWorkerService for base, ec2 and fargate to QueueProcessingService, QueueProcessingEc2Service, and QueueProcessingFargateService.
• iam: roleName in RoleProps is now of type PhysicalName
• s3: bucketName in BucketProps is now of type PhysicalName
• codebuild: roleName in RoleProps is now of type PhysicalName