aws-ec2: KINESIS_FIREHOSE vpc endpoint (#10682) (08ae745), closes #10611
cfnspec: cloudformation spec v18.6.0 (#10762) (6078cab)
cloudfront-origins: customize origin access identity in s3origin (#10491) (dbb7e34), closes #9859
core: pass environment variables to CustomResourceProvider (#10560) (320ec72), closes #9668
efs: add support for backup policy (#10524) (41f6de2), closes #10414
eks: Support cdk8s charts (#10562) (e51921d)
rds: add clusterArn property to IServerlessCluster (#10741) (1559fe9), closes #10736
readme: deprecate Gitter in favor of cdk.dev Slack (#10700) (c60764e)

Bug Fixes

cli: 'stack already contains Metadata resource' warning (#10695) (e0b5508), closes #10625
cli: deploying a transformed template without changes fails (#10689) (d345919), closes #10650
cloudfront-origins: S3Origins with cross-stack buckets cause cyclic references (#10696) (0ec4588), closes #10399
codepipeline-actions: correctly name the triggering Event in CodeCommitSourceAction (#10706) (ff3a692), closes #10665
core: cannot override properties with . in the name (#10441) (063798b), closes #10109
core: Stacks from 3rd-party libraries do not synthesize correctly (#10690) (7bb5cf4), closes #10671
ec2: addExecuteFileCommand arguments cannot be omitted (#10692) (7178374), closes #10687
ec2: InitCommand.shellCommand() renders an argv command instead (#10691) (de9d2f7), closes #10684
ec2: memory optimised graviton2 instance type (#10615) (a72cfbd)
elbv2: metric(Un)HealthyHostCount don't use TargetGroup dimension (#10697) (9444399), closes #5046
glue: GetTableVersion permission not available for read (#10628) (b0c5699), closes #10577
glue: incorrect s3 prefix used for grant* in Table (#10627) (4d20079), closes #10582
pipelines: cannot use constructs in build environment (#10654) (bf2c629), closes #10535
pipelines: pipeline doesn't restart if CLI version changes (#10727) (0297f31), closes #10659
rds: secret for ServerlessCluster is not accessible programmatically (#10657) (028495e)
redshift: Allow redshift cluster securityGroupName to be generated (#10742) (effed09), closes #10740
stepfunctions: X-Ray policy does not match documentation (#10721) (8006459)

Readme

Source

AWS Secrets Manager Construct Library

import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

Create a new Secret in a Stack

In order to have SecretsManager generate a new secret value automatically, you can get started with the following:

example of creating a secret

The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application:

const secret = secretsmanager.Secret.fromSecretAttributes(scope, 'ImportedSecret', {
  secretArn: 'arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>',
  // If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
  encryptionKey,
});

SecretsManager secret values can only be used in select set of properties. For the list of properties, see the CloudFormation Dynamic References documentation.

A secret can set RemovalPolicy. If it set to RETAIN, that removing a secret will fail.

Grant permission to use the secret to a role

You must grant permission to a resource for that resource to be allowed to use a secret. This can be achieved with the Secret.grantRead and/or Secret.grantUpdate method, depending on your need:

const role = new iam.Role(stack, 'SomeRole', { assumedBy: new iam.AccountRootPrincipal() });
const secret = new secretsmanager.Secret(stack, 'Secret');
secret.grantRead(role);
secret.grantWrite(role);

If, as in the following example, your secret was created with a KMS key:

const key = new kms.Key(stack, 'KMS');
const secret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: key });
secret.grantRead(role);
secret.grantWrite(role);

then Secret.grantRead and Secret.grantWrite will also grant the role the relevant encrypt and decrypt permissions to the KMS key through the SecretsManager service principal.

Rotating a Secret with a custom Lambda function

A rotation schedule can be added to a Secret using a custom Lambda function:

const fn = new lambda.Function(...);
const secret = new secretsmanager.Secret(this, 'Secret');

secret.addRotationSchedule('RotationSchedule', {
  rotationLambda: fn,
  automaticallyAfter: Duration.days(15)
});

See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.

Rotating database credentials

Define a SecretRotation to rotate database credentials:

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single user scheme
  secret: mySecret,
  target: myDatabase, // a Connectable
  vpc: myVpc, // The VPC where the secret rotation application will be deployed
  excludeCharacters: ' %+:;{}', // characters to never use when generating new passwords;
                                // by default, no characters are excluded,
                                // which might cause problems with some services, like DMS
});

The secret must be a JSON string with the following format:

{
  "engine": "<required: database engine>",
  "host": "<required: instance host name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<optional: database name>",
  "port": "<optional: if not specified, default port will be used>",
  "masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}

For the multi user scheme, a masterSecret must be specified:

new secretsmanager.SecretRotation(stack, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // The secret that will be rotated
  masterSecret: myMasterSecret, // The secret used for the rotation
  target: myDatabase,
  vpc: myVpc,
});

See also aws-rds where credentials generation and rotation is integrated.

Importing Secrets

Existing secrets can be imported by ARN, name, and other attributes (including the KMS key used to encrypt the secret). Secrets imported by name can used the short-form of the name (without the SecretsManager-provided suffx); the secret name must exist in the same account and region as the stack. Importing by name makes it easier to reference secrets created in different regions, each with their own suffix and ARN.

import * as kms from '@aws-cdk/aws-kms';

const secretArn = 'arn:aws:secretsmanager:eu-west-1:111111111111:secret:MySecret-f3gDy9';
const encryptionKey = kms.Key.fromKeyArn(stack, 'MyEncKey', 'arn:aws:kms:eu-west-1:111111111111:key/21c4b39b-fde2-4273-9ac0-d9bb5c0d0030');
const mySecretFromArn = secretsmanager.Secret.fromSecretArn(stack, 'SecretFromArn', secretArn);
const mySecretFromName = secretsmanager.Secret.fromSecretName(stack, 'SecretFromName', 'MySecret') // Note: the -f3gDy9 suffix is optional
const mySecretFromAttrs = secretsmanager.Secret.fromSecretAttributes(stack, 'SecretFromAttributes', {
  secretArn,
  encryptionKey,
  secretName: 'MySecret', // Optional, will be calculated from the ARN
});

Keywords

FAQs

What is @aws-cdk/aws-secretsmanager?

Is @aws-cdk/aws-secretsmanager well maintained?

Last updated on 07 Oct 2020

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install