AWS Secrets Manager Construct Library
Create a new Secret in a Stack
In order to have Secrets Manager generate a new secret value automatically, create a Secret construct without supplying a value: Secrets Manager generates a random value for it at deployment time, so the value never appears in your code or in the synthesized template.
The Secret construct does not allow specifying the SecretString property of the
AWS::SecretsManager::Secret resource (as this will almost always
lead to the secret being surfaced in plain text in the synthesized template and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS Secrets Manager and use the Secret.fromSecretAttributes method to make it available in your CDK application. An imported secret is referenced by the stack but not managed or deleted by it.
Secrets Manager secret values can only be used in a select set of resource properties. For the list of properties, see the CloudFormation Dynamic References documentation. The value is resolved by CloudFormation as a dynamic reference; in any other property the reference is passed through as a literal string and does not resolve.
A secret can set a RemovalPolicy. If it is set to RETAIN, the secret is not deleted when it is removed from the stack or the stack is destroyed; it stays in Secrets Manager and has to be deleted manually.
Grant permission to use the secret to a role
You must grant permission to a resource for that resource to be allowed to
use a secret. This can be achieved with the Secret.grantRead and Secret.grantWrite
methods, depending on your need: grant only read access to consumers of the value and reserve write access for the principals that rotate or update it.
If your secret was created with a KMS key (the encryptionKey prop), Secret.grantRead and
Secret.grantWrite will also grant the role the
relevant decrypt and encrypt permissions on the KMS key, restricted to calls made through the
Secrets Manager service principal (a kms:ViaService condition), so the role cannot use the key directly for other purposes.
Rotating a Secret
Using a Custom Lambda Function
A rotation schedule can be added to a Secret by calling addRotationSchedule with a custom Lambda function as the rotationLambda prop (and, optionally, the rotation interval as automaticallyAfter). CDK grants the function the Secrets Manager permissions rotation needs on that secret and allows the Secrets Manager service to invoke it.
See Overview of the Lambda Rotation Function in the Secrets Manager documentation for how to implement the rotation function.
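The four-step protocol that such a function has to implement, as an added example that is not code from this README or from the AWS rotation templates: Secrets Manager invokes the function once per step with the same ClientRequestToken, and the function must be idempotent and must refuse to act on a version that is not AWSPENDING. FakeSecretsManager and FakeDatabase below are in-memory stand-ins (assumptions) so the flow runs offline; a deployed function would use the AWS SDK client and the real database instead.

```typescript
// Added example (not from the aws-secretsmanager README or the AWS rotation templates).
// Event fields (Step, SecretId, ClientRequestToken) and version stages (AWSCURRENT,
// AWSPENDING) are the service's; FakeSecretsManager/FakeDatabase are stand-ins.
type Step = 'createSecret' | 'setSecret' | 'testSecret' | 'finishSecret';

interface RotationEvent {
  Step: Step;
  SecretId: string;
  ClientRequestToken: string; // version id the new value is stored under
}

interface Credentials { username: string; password: string; }
interface StoredVersion { value?: string; stages: string[]; }

// Stand-in for the subset of the Secrets Manager API a rotation function calls.
class FakeSecretsManager {
  private versions: Record<string, StoredVersion> = {};
  private counter = 0;
  rotationEnabled = true;

  constructor(currentVersionId: string, current: Credentials) {
    this.versions[currentVersionId] = { value: JSON.stringify(current), stages: ['AWSCURRENT'] };
  }

  // The service records the new version id with stage AWSPENDING (no value yet)
  // before the first createSecret invocation; the handler's guard relies on that.
  beginRotation(token: string): void {
    this.versions[token] = { stages: ['AWSPENDING'] };
  }

  describeSecret(): { RotationEnabled: boolean; VersionIdsToStages: Record<string, string[]> } {
    const map: Record<string, string[]> = {};
    Object.keys(this.versions).forEach((id) => { map[id] = this.versions[id].stages.slice(); });
    return { RotationEnabled: this.rotationEnabled, VersionIdsToStages: map };
  }

  // Value of the first version matching id and/or stage; undefined stands in for ResourceNotFoundException.
  getSecretValue(q: { versionId?: string; stage?: string }): string | undefined {
    const ids = Object.keys(this.versions);
    for (let i = 0; i < ids.length; i++) {
      const v = this.versions[ids[i]];
      if ((q.versionId === undefined || ids[i] === q.versionId) &&
          (q.stage === undefined || v.stages.indexOf(q.stage) >= 0)) return v.value;
    }
    return undefined;
  }

  putSecretValue(token: string, value: string, stages: string[]): void {
    this.versions[token] = { value, stages };
  }

  updateSecretVersionStage(stage: string, moveTo: string, removeFrom?: string): void {
    if (removeFrom !== undefined && this.versions[removeFrom]) {
      this.versions[removeFrom].stages = this.versions[removeFrom].stages.filter((s) => s !== stage);
    }
    if (!this.versions[moveTo]) throw new Error('ResourceNotFoundException');
    if (this.versions[moveTo].stages.indexOf(stage) < 0) this.versions[moveTo].stages.push(stage);
  }

  // Fake GetRandomPassword; deterministic so the example is reproducible offline.
  getRandomPassword(): string { this.counter += 1; return `fake-password-${this.counter}`; }
}

// Stand-in for the system whose credential is rotated.
class FakeDatabase {
  private username: string;
  private password: string;
  constructor(username: string, password: string) { this.username = username; this.password = password; }
  setPassword(username: string, password: string): void {
    if (username !== this.username) throw new Error('unknown user');
    this.password = password;
  }
  login(username: string, password: string): boolean {
    return username === this.username && password === this.password;
  }
}

function rotate(event: RotationEvent, sm: FakeSecretsManager, db: FakeDatabase): void {
  const { SecretId: arn, ClientRequestToken: token } = event;
  // Guards run before every step: rotation enabled, token known, not yet current, and pending.
  const meta = sm.describeSecret();
  if (!meta.RotationEnabled) throw new Error(`secret ${arn} is not enabled for rotation`);
  const stages = meta.VersionIdsToStages[token];
  if (!stages) throw new Error(`version ${token} has no stage for rotation of ${arn}`);
  if (stages.indexOf('AWSCURRENT') >= 0) return; // already promoted: retries are no-ops
  if (stages.indexOf('AWSPENDING') < 0) throw new Error(`version ${token} is not AWSPENDING`);
  const pending = (): Credentials => JSON.parse(sm.getSecretValue({ versionId: token, stage: 'AWSPENDING' })!);

  switch (event.Step) {
    case 'createSecret': { // idempotent: keep a pending value that a retry already stored
      if (sm.getSecretValue({ versionId: token, stage: 'AWSPENDING' }) !== undefined) return;
      const current: Credentials = JSON.parse(sm.getSecretValue({ stage: 'AWSCURRENT' })!);
      const next: Credentials = { username: current.username, password: sm.getRandomPassword() };
      sm.putSecretValue(token, JSON.stringify(next), ['AWSPENDING']);
      return;
    }
    case 'setSecret': { const p = pending(); db.setPassword(p.username, p.password); return; }
    case 'testSecret': {
      const p = pending();
      if (!db.login(p.username, p.password)) throw new Error('pending credentials rejected by target');
      return;
    }
    case 'finishSecret': { // promote the pending version; the old current version loses AWSCURRENT
      const currentId = Object.keys(meta.VersionIdsToStages)
        .filter((id) => meta.VersionIdsToStages[id].indexOf('AWSCURRENT') >= 0)[0];
      sm.updateSecretVersionStage('AWSCURRENT', token, currentId);
      return;
    }
  }
}

// Drive one full rotation as the service would: four invocations sharing one token.
function runRotation(sm: FakeSecretsManager, db: FakeDatabase, token: string): Credentials {
  sm.beginRotation(token);
  const steps: Step[] = ['createSecret', 'setSecret', 'testSecret', 'finishSecret'];
  const arn = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:demo'; // constructed sample id
  steps.forEach((s) => rotate({ Step: s, SecretId: arn, ClientRequestToken: token }, sm, db));
  return JSON.parse(sm.getSecretValue({ stage: 'AWSCURRENT' })!);
}

// Constructed sample: v1 is current, v2 is the version id the rotation is started with.
const sm = new FakeSecretsManager('v1', { username: 'app', password: 'old-password' });
const db = new FakeDatabase('app', 'old-password');
console.log(runRotation(sm, db, 'v2')); // { username: 'app', password: 'fake-password-1' }
```

The guard block at the top of rotate is what makes the function safe to retry and safe against a stray invocation with an unknown token: a version that is already AWSCURRENT is left alone, and a token the service never registered as AWSPENDING is rejected before any password is generated or written.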
Using a Hosted Lambda Function
Use the hostedRotation prop of addRotationSchedule to rotate a secret with a hosted Lambda function, chosen with one of the HostedRotation factory methods (for example HostedRotation.mysqlSingleUser()).
Hosted rotation is available for secrets representing credentials for MySQL, PostgreSQL, Oracle, MariaDB, SQLServer, Redshift and MongoDB (both for the single and multi user schemes).
When deployed in a VPC (by passing vpc to the HostedRotation factory method), the hosted rotation implements ec2.IConnectable, so it can be allowed access to the database through the database's connections (for example with allowDefaultPortFrom); without such a rule the rotation function cannot reach the database and rotation fails.
Rotating database credentials
Use SecretRotation to rotate database credentials:

new secretsmanager.SecretRotation(this, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single user scheme
  secret: mySecret, // the Secret holding the credentials (defined elsewhere in the stack)
  target: myDatabase, // a Connectable, e.g. the rds.DatabaseInstance
  vpc: myVpc, // the VPC the rotation Lambda is deployed into
});
The secret must be a JSON string with the following format:
For the multi user scheme, a masterSecret must be specified:

new secretsmanager.SecretRotation(stack, 'SecretRotation', {
  application: secretsmanager.SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret, // the secret that will be rotated
  masterSecret: myMasterSecret, // the secret whose credentials are used to perform the rotation
  target: myDatabase,
  vpc: myVpc,
});
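A check for the JSON document both schemes expect, as an added example that is not part of this README: it validates a secret's value before SecretRotation is attached, covering the required fields for the single user scheme and the additional masterarn the multi user scheme needs. The key names follow the AWS-provided rotation functions (engine, host, username, password, optional dbname and port, masterarn for multi user) and are an assumption of this example; compare them with the format shown in the full README. DEFAULT_PORTS is this example's own table of per-engine defaults.

```typescript
// Added example, not part of the aws-secretsmanager README. Key names are an
// assumption (those used by the AWS-provided rotation functions); DEFAULT_PORTS
// is this example's own table.
type Scheme = 'single-user' | 'multi-user';

const DEFAULT_PORTS: Record<string, number> = {
  mysql: 3306, mariadb: 3306, postgres: 5432, oracle: 1521,
  sqlserver: 1433, redshift: 5439, mongo: 27017,
};

interface RotationSecret {
  engine: string; host: string; username: string; password: string;
  dbname?: string; port: number; masterarn?: string;
}

// Returns the normalized document or throws listing every problem found.
// Error text names keys only, so the password never leaks into logs.
function parseRotationSecret(secretString: string, scheme: Scheme): RotationSecret {
  let parsed: unknown;
  try { parsed = JSON.parse(secretString); } catch { throw new Error('secret is not valid JSON'); }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) throw new Error('secret must be a JSON object');
  const doc = parsed as Record<string, unknown>;
  const problems: string[] = [];
  const str = (key: string, required: boolean): string | undefined => {
    const v = doc[key];
    if (v === undefined) { if (required) problems.push(`missing "${key}"`); return undefined; }
    if (typeof v !== 'string' || v.length === 0) { problems.push(`"${key}" must be a non-empty string`); return undefined; }
    return v;
  };
  const engine = str('engine', true);
  const host = str('host', true);
  const username = str('username', true);
  const password = str('password', true);
  const dbname = str('dbname', false);
  const masterarn = str('masterarn', scheme === 'multi-user'); // only the multi user scheme needs it
  // hasOwnProperty rather than `in`, so an engine of "constructor" does not resolve via Object.prototype
  const knownEngine = engine !== undefined && Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, engine);
  if (engine !== undefined && !knownEngine) problems.push(`unsupported engine "${engine}"`);
  let port: number | undefined;
  if (doc.port === undefined) {
    if (knownEngine) port = DEFAULT_PORTS[engine as string]; // fall back to the engine's default port
  } else {
    const raw = typeof doc.port === 'string' ? Number(doc.port) : doc.port;
    if (typeof raw !== 'number' || !Number.isInteger(raw) || raw < 1 || raw > 65535) problems.push('"port" must be an integer between 1 and 65535');
    else port = raw;
  }
  if (masterarn !== undefined && !/^arn:aws[\w-]*:secretsmanager:[\w-]+:\d{12}:secret:/.test(masterarn)) {
    problems.push('"masterarn" is not a Secrets Manager secret ARN');
  }
  if (problems.length > 0) throw new Error(problems.join('; '));
  return { engine: engine as string, host: host as string, username: username as string,
           password: password as string, dbname, port: port as number, masterarn };
}

// Constructed sample document for the single user scheme; port defaults to 3306 for mysql.
console.log(parseRotationSecret(
  JSON.stringify({ engine: 'mysql', host: 'db.internal', username: 'app', password: 'example-only', dbname: 'shop' }),
  'single-user').port); // 3306
```

Run this against the secret value in a pre-deployment check or a unit test of the stack; a malformed document otherwise only surfaces as a failed rotation at the first scheduled run.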
See also the aws-rds module, where credential generation and rotation are integrated.
Existing secrets can be imported by ARN, name, and other attributes (including the KMS key used to encrypt the secret). Secrets imported by name can use the short form of the name (without the Secrets Manager-provided suffix); the secret must exist in the same account and region as the stack. Importing by name makes it easier to reference secrets created in different regions, each with their own suffix and ARN.