AWS Secrets Manager Construct Library
Create a new Secret in a Stack
To have Secrets Manager generate a new secret value automatically, define a Secret construct in your stack without supplying a value: the value is generated by the service at deployment time and never passes through your CDK code or the synthesized template.
The Secret construct does not allow specifying the SecretString property of the
AWS::SecretsManager::Secret resource (as this will almost always
lead to the secret being surfaced in plain text in the synthesized template and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS SecretsManager and use the
Secret.fromSecretAttributes method to make it available in your CDK Application, passing the secret's ARN (secretArn) and, if the secret is encrypted with a customer-managed KMS key, that key (encryptionKey) so that grants can cover the key as well.
SecretsManager secret values (the construct's secretValue and secretValueFromJson properties, which resolve to CloudFormation dynamic references rather than to the plaintext) can only be used in a select set of resource properties. For the list of properties, see the CloudFormation Dynamic References documentation.
A secret can set a RemovalPolicy. If it is set to
RETAIN, removing the secret from the stack (or deleting the stack) leaves the secret in place in Secrets Manager instead of deleting it.
Grant permission to use the secret to a role
You must grant permission to a resource for that resource to be allowed to
use a secret. This can be achieved with the Secret.grantRead and/or Secret.grantWrite
methods, depending on your need: grantRead lets the principal fetch the secret value, grantWrite lets it store a new one. Both grants are scoped to that one secret's ARN.
If your secret was created with a customer-managed KMS key (the encryptionKey property),
Secret.grantRead and Secret.grantWrite will also grant the role the
relevant decrypt (and, for grantWrite, encrypt) permissions on the KMS key through the
SecretsManager service principal: the key policy statement carries a kms:ViaService condition, so the role can use the key only via Secrets Manager, not by calling KMS directly.
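To make the effect of those grants concrete, here is an added example (not code from the construct library) that builds the identity-policy and key-policy statements the grants are assumed to emit for a KMS-encrypted secret, together with a small evaluator showing why the kms:ViaService condition matters. The action lists, the ARNs and the function names grantStatements and statementAllows are assumptions for illustration; confirm the real output against your own cdk synth.

```typescript
// Added example, not code from the construct library: the policy statements that
// Secret.grantRead / Secret.grantWrite are assumed to emit when the secret is encrypted
// with a customer-managed KMS key, plus an evaluator showing the kms:ViaService effect.
// Action lists and ARNs are illustrative assumptions; verify against `cdk synth`.

export interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string;
  Principal?: { AWS: string };
  Condition?: { StringEquals: Record<string, string> };
}

export interface GrantInput {
  secretArn: string;
  roleArn: string;
  region: string;
  encryptionKeyArn?: string; // omit for a secret encrypted with the AWS-managed key
}

export function grantStatements(
  input: GrantInput,
  mode: 'read' | 'write',
): { role: PolicyStatement; key?: PolicyStatement } {
  // Identity policy attached to the role: scoped to the one secret ARN.
  const role: PolicyStatement = {
    Effect: 'Allow',
    Action: mode === 'read'
      ? ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret']
      : ['secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecret'],
    Resource: input.secretArn,
  };
  if (!input.encryptionKeyArn) return { role };
  // Statement added to the policy of `input.encryptionKeyArn`: the role may use the key,
  // but only when the request arrives through Secrets Manager in this region.
  const key: PolicyStatement = {
    Effect: 'Allow',
    Principal: { AWS: input.roleArn },
    Action: mode === 'read'
      ? ['kms:Decrypt']
      : ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:Decrypt'],
    Resource: '*', // a key policy always refers to the key itself as "*"
    Condition: { StringEquals: { 'kms:ViaService': `secretsmanager.${input.region}.amazonaws.com` } },
  };
  return { role, key };
}

// Does `stmt` allow `action` for a request made via `viaService`?
// Pass undefined for a direct call from the role (for example `aws kms decrypt`).
export function statementAllows(stmt: PolicyStatement, action: string, viaService?: string): boolean {
  const actionMatches = stmt.Action.some(a =>
    a.endsWith('*') ? action.startsWith(a.slice(0, -1)) : a === action);
  if (!actionMatches) return false;
  const requiredVia = stmt.Condition?.StringEquals['kms:ViaService'];
  return requiredVia === undefined || requiredVia === viaService;
}
```

The evaluator only models the one condition key this statement uses; it is enough to show that a role holding grantRead can have Secrets Manager decrypt on its behalf but cannot call kms:Decrypt itself, and that grantRead never hands out kms:Encrypt.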
Rotating a Secret with a custom Lambda function
A rotation schedule can be added to a Secret with Secret.addRotationSchedule, passing the custom Lambda function as rotationLambda and the rotation interval as automaticallyAfter (a Duration). Each time the schedule fires, Secrets Manager invokes the function once per rotation step.
See Overview of the Lambda Rotation Function on how to implement a Lambda Rotation Function.
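As an added example (not code from the construct library or from AWS's rotation templates), the following is a minimal rotation handler implementing the four steps that overview describes, including the guard checks every rotation function must perform before touching the secret. It is written against a small SecretsClient interface so it can be exercised offline; the interface, the InMemorySecrets stand-in, the NotFound error, the runFullRotation driver, the version ids v1/v2 and the secret ARN are all constructed for this example. In a real Lambda you would implement SecretsClient with the AWS SDK and export rotate as the handler.

```typescript
// Added example: a four-step rotation handler for a plain generated secret. Not code from
// the construct library or the AWS rotation templates; SecretsClient, InMemorySecrets and
// runFullRotation are constructed for illustration.

export type Stage = 'AWSCURRENT' | 'AWSPENDING' | 'AWSPREVIOUS';
export type Step = 'createSecret' | 'setSecret' | 'testSecret' | 'finishSecret';
export interface RotationEvent { SecretId: string; ClientRequestToken: string; Step: Step; }

// Stands in for the SDK's ResourceNotFoundException.
export class NotFound extends Error {
  constructor() { super('ResourceNotFoundException'); Object.setPrototypeOf(this, NotFound.prototype); }
}

// The subset of the Secrets Manager API a rotation function needs (assumed call shapes).
export interface SecretsClient {
  describeSecret(id: string): { RotationEnabled: boolean; VersionIdsToStages: Record<string, Stage[]> };
  getSecretValue(id: string, versionId: string, stage: Stage): string; // throws NotFound if absent
  getRandomPassword(length: number): string;
  putSecretValue(id: string, versionId: string, value: string, stages: Stage[]): void;
  updateSecretVersionStage(id: string, stage: Stage, toVersionId: string, fromVersionId?: string): void;
}

export function rotate(event: RotationEvent, client: SecretsClient): void {
  const { SecretId: id, ClientRequestToken: token, Step: step } = event;
  const meta = client.describeSecret(id);
  // Guards every rotation function applies before touching anything: rotation must be
  // enabled, and the token must already be staged AWSPENDING and not yet AWSCURRENT.
  if (!meta.RotationEnabled) throw new Error(`rotation is not enabled for ${id}`);
  const stages = meta.VersionIdsToStages[token];
  if (!stages) throw new Error(`version ${token} has no stage for ${id}`);
  if (stages.includes('AWSCURRENT')) return; // already finished; a retry after success is a no-op
  if (!stages.includes('AWSPENDING')) throw new Error(`version ${token} is not AWSPENDING`);

  switch (step) {
    case 'createSecret':
      try {
        client.getSecretValue(id, token, 'AWSPENDING'); // retried step: value already staged
      } catch (e) {
        if (!(e instanceof NotFound)) throw e;
        client.putSecretValue(id, token, client.getRandomPassword(32), ['AWSPENDING']);
      }
      return;
    case 'setSecret':
      // Push the AWSPENDING value to whatever consumes the secret (database, API, ...).
      // A plain generated secret has no such system, so this step is a no-op here.
      return;
    case 'testSecret':
      // Prove the AWSPENDING value is usable before it is promoted.
      if (client.getSecretValue(id, token, 'AWSPENDING').length < 32) throw new Error('pending value unusable');
      return;
    case 'finishSecret': {
      const current = Object.keys(meta.VersionIdsToStages)
        .find(v => meta.VersionIdsToStages[v].includes('AWSCURRENT'));
      // Moves AWSCURRENT onto the new version in one call; the old one becomes AWSPREVIOUS.
      client.updateSecretVersionStage(id, 'AWSCURRENT', token, current);
      return;
    }
    default:
      throw new Error(`unknown step ${String(step)}`);
  }
}

// Constructed in-memory stand-in for Secrets Manager. Like the service, it pre-labels the
// new rotation token (here "v2") AWSPENDING before any value exists for it.
export class InMemorySecrets implements SecretsClient {
  values: Record<string, string> = { v1: 'old-secret-value' };
  stages: Record<string, Stage[]> = { v1: ['AWSCURRENT'], v2: ['AWSPENDING'] };
  describeSecret() { return { RotationEnabled: true, VersionIdsToStages: this.stages }; }
  getSecretValue(_id: string, versionId: string, stage: Stage): string {
    if (!(versionId in this.values) || !this.stages[versionId]?.includes(stage)) throw new NotFound();
    return this.values[versionId];
  }
  getRandomPassword(length: number): string {
    // Deterministic placeholder so the example is reproducible; the real API returns random characters.
    return Array.from({ length }, (_, i) => String.fromCharCode(97 + ((i * 7) % 26))).join('');
  }
  putSecretValue(_id: string, versionId: string, value: string, stages: Stage[]): void {
    this.values[versionId] = value;
    this.stages[versionId] = stages;
  }
  updateSecretVersionStage(_id: string, stage: Stage, to: string, from?: string): void {
    if (from) this.stages[from] = this.stages[from].filter(s => s !== stage);
    this.stages[to] = Array.from(new Set([...(this.stages[to] ?? []), stage]));
    if (stage === 'AWSCURRENT' && from) this.stages[from].push('AWSPREVIOUS');
  }
}

// Drive one complete rotation of token "v2" and return the resulting staging labels.
export function runFullRotation(client: InMemorySecrets = new InMemorySecrets()): Record<string, Stage[]> {
  const steps: Step[] = ['createSecret', 'setSecret', 'testSecret', 'finishSecret'];
  for (const Step of steps) {
    rotate({ SecretId: 'arn:aws:secretsmanager:us-east-1:111122223333:secret:demo-AbCdEf', ClientRequestToken: 'v2', Step }, client);
  }
  return client.stages;
}
```

The guard block is the part worth copying: Secrets Manager retries steps, so createSecret must tolerate an already-staged value, and a token that is already AWSCURRENT (or was never staged AWSPENDING) must be left alone rather than rotated twice.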
Rotating database credentials
Define a SecretRotation to rotate database credentials:

```ts
new SecretRotation(this, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single-user scheme
  secret: mySecret,
  target: myDatabase, // a Connectable
  vpc: myVpc, // the VPC where the rotation application is deployed
});
```
The secret must be a JSON string with the keys engine, host, username and password (required), dbname and port (optional; if port is not specified, the engine's default port is used) and, for the multi-user scheme, masterarn (the ARN of the master secret that is used to create users and change passwords).

For the multi-user scheme, a masterSecret must also be specified on the SecretRotation:

```ts
new SecretRotation(stack, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // the secret that will be rotated
  masterSecret: myMasterSecret, // the secret used to perform the rotation
  target: myDatabase,
  vpc: myVpc,
});
```
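The shape of that JSON document is easy to get wrong before rotation is wired up, so here is an added example (not code from the construct library) that parses and validates it: required keys, a port that may be written as a string or a number with an engine default when omitted, and masterarn required only for the multi-user scheme. The function name parseRotationSecret, the Scheme and RotationSecret types and the default-port table are assumptions for illustration.

```typescript
// Added example, not code from the construct library: parse and validate the JSON
// document a SecretRotation expects. The default-port table and the names below are
// assumptions for illustration; check the ports against the engine you actually run.

export type Scheme = 'single-user' | 'multi-user';

export interface RotationSecret {
  engine: string;
  host: string;
  port: number;
  username: string;
  password: string;
  dbname?: string;
  masterarn?: string;
}

const DEFAULT_PORTS: Record<string, number> = {
  mysql: 3306, mariadb: 3306, postgres: 5432, oracle: 1521, sqlserver: 1433,
};

export function parseRotationSecret(secretString: string, scheme: Scheme): RotationSecret {
  let raw: unknown;
  try {
    raw = JSON.parse(secretString);
  } catch {
    throw new Error('secret value is not valid JSON');
  }
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
    throw new Error('secret value must be a JSON object');
  }
  const obj = raw as Record<string, unknown>;

  // Read a string key; a missing, null or empty value counts as absent.
  const field = (key: string): string | undefined => {
    const v = obj[key];
    if (v === undefined || v === null || v === '') return undefined;
    if (typeof v !== 'string') throw new Error(`key "${key}" must be a string`);
    return v;
  };
  const required = (key: string): string => {
    const v = field(key);
    if (v === undefined) throw new Error(`missing required key "${key}"`);
    return v;
  };

  const engine = required('engine');
  const host = required('host');
  const username = required('username');
  const password = required('password');
  const dbname = field('dbname');

  // "port" may be a string or a number; fall back to the engine's default when omitted.
  const rawPort = obj.port;
  let port: number;
  if (rawPort === undefined || rawPort === null || rawPort === '') {
    const fallback = DEFAULT_PORTS[engine.toLowerCase()];
    if (fallback === undefined) throw new Error(`no default port known for engine "${engine}"; set "port"`);
    port = fallback;
  } else {
    const text = String(rawPort);
    if (!/^\d{1,5}$/.test(text)) throw new Error('"port" must be a positive integer');
    port = Number(text);
    if (port < 1 || port > 65535) throw new Error('"port" must be in 1..65535');
  }

  // The multi-user scheme rotates with a separate master credential, named by ARN.
  const masterarn = field('masterarn');
  if (scheme === 'multi-user') {
    if (masterarn === undefined) throw new Error('multi-user rotation requires "masterarn"');
    if (!/^arn:[^:]+:secretsmanager:/.test(masterarn)) throw new Error('"masterarn" must be a Secrets Manager secret ARN');
  }

  return { engine, host, port, username, password, dbname, masterarn };
}
```

Run it against the secret value before deploying the SecretRotation; a document that fails here would otherwise only fail inside the rotation Lambda, after the first scheduled rotation.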
See also aws-rds, where credential generation and rotation are integrated.