java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.core.Construct
software.amazon.awscdk.core.Resource
software.amazon.awscdk.services.secretsmanager.Secret
All Implemented Interfaces:
IConstruct, IDependable, IResource, ISecret, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
Direct Known Subclasses:
DatabaseSecret, DatabaseSecret, DatabaseSecret

@Generated(value="jsii-pacmak/1.84.0 (build 5404dcf)", date="2023-06-19T16:30:41.301Z") @Stability(Stable) public class Secret extends Resource implements ISecret
Creates a new secret in AWS SecretsManager.

Example:

 // Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.
 User user = new User(this, "User");
 AccessKey accessKey = AccessKey.Builder.create(this, "AccessKey").user(user).build();
 SecretStringValueBeta1 secretValue = SecretStringValueBeta1.fromToken(accessKey.getSecretAccessKey().toString());
 Secret.Builder.create(this, "Secret")
         .secretStringBeta1(secretValue)
         .build();
 
  • Constructor Details

    • Secret

      protected Secret(software.amazon.jsii.JsiiObjectRef objRef)
    • Secret

      protected Secret(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • Secret

      @Stability(Stable) public Secret(@NotNull software.constructs.Construct scope, @NotNull String id, @Nullable SecretProps props)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      props -
    • Secret

      @Stability(Stable) public Secret(@NotNull software.constructs.Construct scope, @NotNull String id)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
  • Method Details

    • fromSecretArn

      @Stability(Deprecated) @Deprecated @NotNull public static ISecret fromSecretArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretArn)
      Deprecated.
      use fromSecretCompleteArn or fromSecretPartialArn
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretArn - This parameter is required.
    • fromSecretAttributes

      @Stability(Stable) @NotNull public static ISecret fromSecretAttributes(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull SecretAttributes attrs)
      Import an existing secret into the Stack.

      Parameters:
      scope - the scope of the import. This parameter is required.
      id - the ID of the imported Secret in the construct tree. This parameter is required.
      attrs - the attributes of the imported secret. This parameter is required.
    • fromSecretCompleteArn

      @Stability(Stable) @NotNull public static ISecret fromSecretCompleteArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretCompleteArn)
      Imports a secret by complete ARN.

      The complete ARN is the ARN with the Secrets Manager-supplied suffix.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretCompleteArn - This parameter is required.
    • fromSecretName

      @Stability(Deprecated) @Deprecated @NotNull public static ISecret fromSecretName(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretName)
      Deprecated.
      use fromSecretNameV2
      (deprecated) Imports a secret by secret name; the ARN of the Secret will be set to the secret name.

      A secret with this name must exist in the same account & region.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretName - This parameter is required.
    • fromSecretNameV2

      @Stability(Stable) @NotNull public static ISecret fromSecretNameV2(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretName)
      Imports a secret by secret name.

      A secret with this name must exist in the same account & region. Replaces the deprecated fromSecretName.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretName - This parameter is required.
    • fromSecretPartialArn

      @Stability(Stable) @NotNull public static ISecret fromSecretPartialArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretPartialArn)
      Imports a secret by partial ARN.

      The partial ARN is the ARN without the Secrets Manager-supplied suffix.

      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretPartialArn - This parameter is required.
    • addReplicaRegion

      @Stability(Stable) public void addReplicaRegion(@NotNull String region, @Nullable IKey encryptionKey)
      Adds a replica region for the secret.

      Parameters:
      region - The name of the region. This parameter is required.
      encryptionKey - The customer-managed encryption key to use for encrypting the secret value.
    • addReplicaRegion

      @Stability(Stable) public void addReplicaRegion(@NotNull String region)
      Adds a replica region for the secret.

      Parameters:
      region - The name of the region. This parameter is required.
    • addRotationSchedule

      @Stability(Stable) @NotNull public RotationSchedule addRotationSchedule(@NotNull String id, @NotNull RotationScheduleOptions options)
      Adds a rotation schedule to the secret.

      Specified by:
      addRotationSchedule in interface ISecret
      Parameters:
      id - This parameter is required.
      options - This parameter is required.
    • addTargetAttachment

      @Stability(Deprecated) @Deprecated @NotNull public SecretTargetAttachment addTargetAttachment(@NotNull String id, @NotNull AttachedSecretOptions options)
      Deprecated.
      use attach() instead
      (deprecated) Adds a target attachment to the secret.

      Parameters:
      id - This parameter is required.
      options - This parameter is required.
      Returns:
      an AttachedSecret
    • addToResourcePolicy

      @Stability(Stable) @NotNull public AddToResourcePolicyResult addToResourcePolicy(@NotNull PolicyStatement statement)
      Adds a statement to the IAM resource policy associated with this secret.

      If this secret was created in this stack, a resource policy will be automatically created upon the first call to addToResourcePolicy. If the secret is imported, then this is a no-op.

      Specified by:
      addToResourcePolicy in interface ISecret
      Parameters:
      statement - This parameter is required.
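
      Because the call is a no-op on imported secrets, a deny statement can be dropped without any error. The following added example (not part of the CDK documentation) checks the returned AddToResourcePolicyResult; the class name, stack name, construct IDs and the ARN are constructed placeholders.

      ```java
      import java.util.List;
      import software.amazon.awscdk.core.App;
      import software.amazon.awscdk.core.Stack;
      import software.amazon.awscdk.services.iam.AccountRootPrincipal;
      import software.amazon.awscdk.services.iam.Effect;
      import software.amazon.awscdk.services.iam.PolicyStatement;
      import software.amazon.awscdk.services.secretsmanager.ISecret;
      import software.amazon.awscdk.services.secretsmanager.Secret;

      public class ResourcePolicyCheck {
          // Deny statement that should be enforced on every secret this app touches.
          static PolicyStatement denyDelete() {
              return PolicyStatement.Builder.create()
                      .effect(Effect.DENY)
                      .actions(List.of("secretsmanager:DeleteSecret"))
                      .resources(List.of("*"))
                      .principals(List.of(new AccountRootPrincipal()))
                      .build();
          }

          // True only if the statement was actually attached to a resource policy.
          static boolean applyDeny(ISecret secret) {
              return Boolean.TRUE.equals(
                      secret.addToResourcePolicy(denyDelete()).getStatementAdded());
          }

          public static void main(String[] args) {
              App app = new App();
              Stack stack = new Stack(app, "SecretsStack");

              // Owned secret: the resource policy is created on the first call.
              Secret owned = new Secret(stack, "Owned");
              // Imported secret (constructed placeholder ARN): the call is a no-op.
              ISecret imported = Secret.fromSecretPartialArn(stack, "Imported",
                      "arn:aws:secretsmanager:us-east-1:111122223333:secret:example/app");

              System.out.println("owned statementAdded=" + applyDeny(owned));
              System.out.println("imported statementAdded=" + applyDeny(imported));
              app.synth();
          }
      }
      ```

      For an imported secret, manage the resource policy in the stack or account that defines the secret.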
    • attach

      @Stability(Stable) @NotNull public ISecret attach(@NotNull ISecretAttachmentTarget target)
      Attach a target to this secret.

      Specified by:
      attach in interface ISecret
      Parameters:
      target - The target to attach. This parameter is required.
      Returns:
      An attached secret
    • denyAccountRootDelete

      @Stability(Stable) public void denyAccountRootDelete()
      Denies the DeleteSecret action to all principals within the current account.
      Specified by:
      denyAccountRootDelete in interface ISecret
    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee, @Nullable List<String> versionStages)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.
      versionStages -
    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.
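
      An added example (not part of the CDK documentation) that combines a customer-managed key with the grant methods on this page: the reader is limited to the AWSCURRENT version stage through versionStages, a separate role gets write access, and deletion is denied. Role names, construct IDs and the choice of service principal are assumptions.

      ```java
      import java.util.List;
      import software.amazon.awscdk.core.App;
      import software.amazon.awscdk.core.Stack;
      import software.amazon.awscdk.services.iam.Role;
      import software.amazon.awscdk.services.iam.ServicePrincipal;
      import software.amazon.awscdk.services.kms.Key;
      import software.amazon.awscdk.services.secretsmanager.Secret;

      public class LeastPrivilegeSecret {
          public static void main(String[] args) {
              App app = new App();
              Stack stack = new Stack(app, "AppSecrets");

              // Customer-managed key instead of the account's default KMS key.
              Key key = Key.Builder.create(stack, "SecretKey")
                      .enableKeyRotation(true)
                      .build();

              Secret secret = Secret.Builder.create(stack, "DbPassword")
                      .encryptionKey(key)
                      .build();

              // Separate identities for reading and for writing the value.
              Role reader = Role.Builder.create(stack, "Reader")
                      .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
                      .build();
              Role writer = Role.Builder.create(stack, "Writer")
                      .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
                      .build();

              // Reader may fetch only the version labelled AWSCURRENT.
              secret.grantRead(reader, List.of("AWSCURRENT"));
              secret.grantWrite(writer);

              // Deny DeleteSecret within the current account.
              secret.denyAccountRootDelete();

              app.synth();
          }
      }
      ```

      Run cdk synth and review the generated IAM policies and the secret's resource policy before deploying.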
    • grantWrite

      @Stability(Stable) @NotNull public Grant grantWrite(@NotNull IGrantable grantee)
      Grants writing and updating the secret value to some role.

      Specified by:
      grantWrite in interface ISecret
      Parameters:
      grantee - This parameter is required.
    • secretValueFromJson

      @Stability(Stable) @NotNull public SecretValue secretValueFromJson(@NotNull String jsonField)
      Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

      Specified by:
      secretValueFromJson in interface ISecret
      Parameters:
      jsonField - This parameter is required.
    • validate

      @Stability(Stable) @NotNull protected List<String> validate()
      Validate the current construct.

      This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

      Overrides:
      validate in class Construct
      Returns:
      An array of validation error messages, or an empty array if the construct is valid.
    • getArnForPolicies

      @Stability(Stable) @NotNull protected String getArnForPolicies()
      Provides an identifier for this secret for use in IAM policies.

      If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.

    • getAutoCreatePolicy

      @Stability(Stable) @NotNull protected Boolean getAutoCreatePolicy()
    • getSecretArn

      @Stability(Stable) @NotNull public String getSecretArn()
      The ARN of the secret in AWS Secrets Manager.

      Will return the full ARN if available, otherwise a partial ARN. For secrets imported by the deprecated fromSecretName, it will return the secretName.

      Specified by:
      getSecretArn in interface ISecret
    • getSecretName

      @Stability(Stable) @NotNull public String getSecretName()
      The name of the secret.

      For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

      Specified by:
      getSecretName in interface ISecret
    • getSecretValue

      @Stability(Stable) @NotNull public SecretValue getSecretValue()
      Retrieve the value of the stored secret as a SecretValue.
      Specified by:
      getSecretValue in interface ISecret
    • getEncryptionKey

      @Stability(Stable) @Nullable public IKey getEncryptionKey()
      The customer-managed encryption key that is used to encrypt this secret, if any.

      When not specified, the default KMS key for the account and region is used.

      Specified by:
      getEncryptionKey in interface ISecret
    • getSecretFullArn

      @Stability(Stable) @Nullable public String getSecretFullArn()
      The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

      This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

      Specified by:
      getSecretFullArn in interface ISecret