AWS Secrets Manager Construct Library
Create a new Secret in a Stack
To have Secrets Manager generate a new secret value automatically, define a `Secret` construct: with no further configuration a random password is generated at deployment time, and `generateSecretString` lets you shape the value (for example a JSON template with a single generated key).
The `Secret` construct does not allow specifying the `SecretString` property of the
`AWS::SecretsManager::Secret` resource (as this will almost always
lead to the secret being surfaced in plain text in the template and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in AWS Secrets Manager and use the
`Secret.fromSecretAttributes` method to make it available in your CDK application by ARN, so that only the reference, never the value, enters the template.
Secrets Manager secret values can only be used in a select set of CloudFormation resource properties, because they are resolved at deployment time through dynamic references. For the list of properties, see the CloudFormation Dynamic References documentation.
Rotating a Secret with a custom Lambda function
A rotation schedule can be added to a Secret using a custom Lambda function: call `secret.addRotationSchedule()` with the function as `rotationLambda` and the rotation interval as `automaticallyAfter`.
See Overview of the Lambda Rotation Function for how to implement a rotation function; it must handle the `createSecret`, `setSecret`, `testSecret` and `finishSecret` steps that Secrets Manager invokes it with, and each step must be safe to retry.
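The four-step contract that the linked overview describes, as an added example that is not code from the CDK module or from AWS's published rotation templates. It assumes only Node.js's `crypto` module; the Secrets Manager client and the database are in-memory fakes constructed here, standing in for the AWS SDK and a real engine, and the secret value uses the same JSON shape that the database rotation applications further down require. What the fakes model of the service (a version carrying `AWSCURRENT`, `AWSPENDING` and `AWSPREVIOUS` labels, the displaced version being relabelled `AWSPREVIOUS` on promotion) is marked as modeled in the comments.

```typescript
// Added example, not code from the CDK module or AWS's rotation templates. It walks a
// rotation Lambda's four steps against an in-memory stand-in for the Secrets Manager
// versioning API and a fake database; both fakes are constructed here for illustration.
import { randomInt } from 'crypto';

type Stage = 'AWSCURRENT' | 'AWSPENDING' | 'AWSPREVIOUS';
type Step = 'createSecret' | 'setSecret' | 'testSecret' | 'finishSecret';
interface RotationEvent { SecretId: string; ClientRequestToken: string; Step: Step; }
interface DbCredential { engine: string; host: string; username: string; password: string; dbname?: string; port?: number; }

/** Check the secret JSON shape the database rotation applications expect. */
export function parseDbCredential(raw: string): DbCredential {
  const obj = JSON.parse(raw);
  for (const key of ['engine', 'host', 'username', 'password']) {
    if (typeof obj[key] !== 'string' || obj[key] === '') throw new Error(`secret is missing required key "${key}"`);
  }
  return obj as DbCredential;
}

// Alphabet deliberately excludes space, quotes, '/', '@' and '\' so the value is safe in connection strings.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%^&*()-_=+[]{}:;,.?';
export function generatePassword(length = 32): string {
  let out = '';
  for (let i = 0; i < length; i++) out += ALPHABET[randomInt(ALPHABET.length)]; // CSPRNG, no modulo bias
  return out;
}

/** Fake of the Secrets Manager versioning model: each version carries staging labels. */
export class FakeSecretsManager {
  private versions: Record<string, { value: string; stages: Stage[] }> = {};
  constructor(initialValue: string, initialVersionId = 'v0') {
    this.versions[initialVersionId] = { value: initialValue, stages: ['AWSCURRENT'] };
  }
  versionIdWithStage(stage: Stage): string | undefined {
    return Object.keys(this.versions).find((id) => this.versions[id].stages.includes(stage));
  }
  getSecretValue(stage: Stage, versionId?: string): string {
    const id = versionId ?? this.versionIdWithStage(stage);
    const v = id === undefined ? undefined : this.versions[id];
    if (!v || !v.stages.includes(stage)) throw new Error(`ResourceNotFoundException: no version staged ${stage}`);
    return v.value;
  }
  putSecretValue(token: string, value: string, stages: Stage[]): void {
    if (this.versions[token]) throw new Error('a version with this ClientRequestToken already exists');
    this.versions[token] = { value, stages: [...stages] };
  }
  updateSecretVersionStage(stage: Stage, moveToVersionId: string, removeFromVersionId?: string): void {
    if (removeFromVersionId) this.unlabel(removeFromVersionId, stage);
    this.versions[moveToVersionId].stages.push(stage);
    if (stage === 'AWSCURRENT' && removeFromVersionId) {
      // Modeled service behaviour: the displaced version becomes AWSPREVIOUS and AWSPENDING is cleared.
      Object.keys(this.versions).forEach((id) => this.unlabel(id, 'AWSPREVIOUS'));
      this.versions[removeFromVersionId].stages.push('AWSPREVIOUS');
      this.unlabel(moveToVersionId, 'AWSPENDING');
    }
  }
  private unlabel(id: string, stage: Stage): void {
    this.versions[id].stages = this.versions[id].stages.filter((s) => s !== stage);
  }
}

/** Fake database: rotation only needs "set this user's password" and "does this login work". */
export class FakeDatabase {
  constructor(private users: Record<string, string>) {}
  setPassword(user: string, password: string): void {
    if (!(user in this.users)) throw new Error(`no such user ${user}`);
    this.users[user] = password;
  }
  canConnect(user: string, password: string): boolean { return this.users[user] === password; }
}

/** The Lambda handler body. Every step is idempotent so Secrets Manager can retry it. */
export function handleRotation(event: RotationEvent, sm: FakeSecretsManager, db: FakeDatabase): void {
  const token = event.ClientRequestToken;
  const currentId = sm.versionIdWithStage('AWSCURRENT');
  if (currentId === token) return; // this version is already AWSCURRENT: rotation finished, nothing to do
  switch (event.Step) {
    case 'createSecret': {
      try { sm.getSecretValue('AWSPENDING', token); return; } catch { /* no pending version yet: create one */ }
      const pending = { ...parseDbCredential(sm.getSecretValue('AWSCURRENT')), password: generatePassword() };
      sm.putSecretValue(token, JSON.stringify(pending), ['AWSPENDING']);
      return;
    }
    case 'setSecret': { // single-user scheme: change the user's own password in the database
      const pending = parseDbCredential(sm.getSecretValue('AWSPENDING', token));
      db.setPassword(pending.username, pending.password);
      return;
    }
    case 'testSecret': { // never promote a credential that has not been proven to work
      const pending = parseDbCredential(sm.getSecretValue('AWSPENDING', token));
      if (!db.canConnect(pending.username, pending.password)) throw new Error('pending credential failed its test');
      return;
    }
    case 'finishSecret':
      sm.updateSecretVersionStage('AWSCURRENT', token, currentId);
      return;
  }
}

/** Drives the four steps in the order the service invokes them (the service's role, modeled here). */
export function rotate(sm: FakeSecretsManager, db: FakeDatabase, token: string): void {
  for (const step of ['createSecret', 'setSecret', 'testSecret', 'finishSecret'] as Step[]) {
    handleRotation({ SecretId: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds', ClientRequestToken: token, Step: step }, sm, db);
  }
}
```

The ordering is the security property: the new password is stored under `AWSPENDING` before it is applied to the database, and it only becomes `AWSCURRENT` after `testSecret` has logged in with it, so a crash at any step leaves a recoverable state rather than a credential that exists in one place but not the other. The early return on a token that is already `AWSCURRENT` is what makes a retried `finishSecret` harmless.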
Rotating database credentials
Define a `SecretRotation` to rotate database credentials:
```ts
new SecretRotation(this, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, // MySQL single-user scheme
  secret: mySecret,   // the secret to rotate
  target: myDatabase, // a Connectable, e.g. the database instance
  vpc: myVpc,         // the VPC where the rotation application is deployed
});
```
The secret must be a JSON string with the keys `engine`, `host`, `username` and `password` (required) and optionally `dbname` and `port` (if `port` is omitted, the engine's default port is used).
For the multi-user scheme, a `masterSecret` must be specified:
```ts
new SecretRotation(stack, 'SecretRotation', {
  application: SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
  secret: myUserSecret,         // the secret that will be rotated
  masterSecret: myMasterSecret, // the secret used to perform the rotation
  target: myDatabase,
  vpc: myVpc,
});
```
See also aws-rds, where credential generation and rotation are integrated.