1. Packages
  2. AWS Classic
  3. API Docs
  4. kms
  5. getSecrets

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi

aws.kms.getSecrets

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi

    Decrypt multiple secrets from data encrypted with the AWS KMS service.

    Example Usage

    If you do not already have a CiphertextBlob from encrypting a KMS secret, you can use the below commands to obtain one using the AWS CLI kms encrypt command. This requires you to have your AWS CLI setup correctly and replace the --key-id with your own. Alternatively you can use --plaintext 'master-password' (CLIv1) or --plaintext fileb://<(echo -n 'master-password') (CLIv2) instead of reading from a file.

    If you have a newline character at the end of your file, it will be decrypted with this newline character intact. For most use cases this is undesirable and leads to incorrect passwords or invalid values, as well as possible changes in the plan. Be sure to use echo -n if necessary. If you are using asymmetric keys ensure you are using the right encryption algorithm when you encrypt and decrypt else you will get IncorrectKeyException during the decrypt phase.

    %!e(MISSING)cho -n 'master-password' > plaintext-password
    %!a(MISSING)ws kms encrypt --key-id ab123456-c012-4567-890a-deadbeef123 --plaintext fileb://plaintext-password --encryption-context foo=bar --output text --query CiphertextBlob
    AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
    %!a(MISSING)ws kms encrypt --key-id ab123456-c012-4567-890a-deadbeef123 --plaintext fileb://plaintext-password --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query CiphertextBlob
    AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
    

    That encrypted output can now be inserted into provider configurations without exposing the plaintext secret directly.

    Using getSecrets

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getSecrets(args: GetSecretsArgs, opts?: InvokeOptions): Promise<GetSecretsResult>
    function getSecretsOutput(args: GetSecretsOutputArgs, opts?: InvokeOptions): Output<GetSecretsResult>
    def get_secrets(secrets: Optional[Sequence[GetSecretsSecret]] = None,
                    opts: Optional[InvokeOptions] = None) -> GetSecretsResult
    def get_secrets_output(secrets: Optional[pulumi.Input[Sequence[pulumi.Input[GetSecretsSecretArgs]]]] = None,
                    opts: Optional[InvokeOptions] = None) -> Output[GetSecretsResult]
    func GetSecrets(ctx *Context, args *GetSecretsArgs, opts ...InvokeOption) (*GetSecretsResult, error)
    func GetSecretsOutput(ctx *Context, args *GetSecretsOutputArgs, opts ...InvokeOption) GetSecretsResultOutput

    > Note: This function is named GetSecrets in the Go SDK.

    public static class GetSecrets 
    {
        public static Task<GetSecretsResult> InvokeAsync(GetSecretsArgs args, InvokeOptions? opts = null)
        public static Output<GetSecretsResult> Invoke(GetSecretsInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetSecretsResult> getSecrets(GetSecretsArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws:kms/getSecrets:getSecrets
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Secrets List<GetSecretsSecret>
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
    Secrets []GetSecretsSecret
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
    secrets List<GetSecretsSecret>
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
    secrets GetSecretsSecret[]
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
    secrets Sequence[GetSecretsSecret]
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.
    secrets List<Property Map>
    One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

    getSecrets Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    Plaintext Dictionary<string, string>
    Map containing each secret name as the key with its decrypted plaintext value
    Secrets List<GetSecretsSecret>
    Id string
    The provider-assigned unique ID for this managed resource.
    Plaintext map[string]string
    Map containing each secret name as the key with its decrypted plaintext value
    Secrets []GetSecretsSecret
    id String
    The provider-assigned unique ID for this managed resource.
    plaintext Map<String,String>
    Map containing each secret name as the key with its decrypted plaintext value
    secrets List<GetSecretsSecret>
    id string
    The provider-assigned unique ID for this managed resource.
    plaintext {[key: string]: string}
    Map containing each secret name as the key with its decrypted plaintext value
    secrets GetSecretsSecret[]
    id str
    The provider-assigned unique ID for this managed resource.
    plaintext Mapping[str, str]
    Map containing each secret name as the key with its decrypted plaintext value
    secrets Sequence[GetSecretsSecret]
    id String
    The provider-assigned unique ID for this managed resource.
    plaintext Map<String>
    Map containing each secret name as the key with its decrypted plaintext value
    secrets List<Property Map>

    Supporting Types

    GetSecretsSecret

    Name string
    Name to export this secret under in the attributes.
    Payload string
    Base64 encoded payload, as returned from a KMS encrypt operation.
    Context Dictionary<string, string>
    An optional mapping that makes up the Encryption Context for the secret.
    EncryptionAlgorithm string
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    GrantTokens List<string>
    An optional list of Grant Tokens for the secret.
    KeyId string

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    Name string
    Name to export this secret under in the attributes.
    Payload string
    Base64 encoded payload, as returned from a KMS encrypt operation.
    Context map[string]string
    An optional mapping that makes up the Encryption Context for the secret.
    EncryptionAlgorithm string
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    GrantTokens []string
    An optional list of Grant Tokens for the secret.
    KeyId string

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    name String
    Name to export this secret under in the attributes.
    payload String
    Base64 encoded payload, as returned from a KMS encrypt operation.
    context Map<String,String>
    An optional mapping that makes up the Encryption Context for the secret.
    encryptionAlgorithm String
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    grantTokens List<String>
    An optional list of Grant Tokens for the secret.
    keyId String

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    name string
    Name to export this secret under in the attributes.
    payload string
    Base64 encoded payload, as returned from a KMS encrypt operation.
    context {[key: string]: string}
    An optional mapping that makes up the Encryption Context for the secret.
    encryptionAlgorithm string
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    grantTokens string[]
    An optional list of Grant Tokens for the secret.
    keyId string

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    name str
    Name to export this secret under in the attributes.
    payload str
    Base64 encoded payload, as returned from a KMS encrypt operation.
    context Mapping[str, str]
    An optional mapping that makes up the Encryption Context for the secret.
    encryption_algorithm str
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    grant_tokens Sequence[str]
    An optional list of Grant Tokens for the secret.
    key_id str

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    name String
    Name to export this secret under in the attributes.
    payload String
    Base64 encoded payload, as returned from a KMS encrypt operation.
    context Map<String>
    An optional mapping that makes up the Encryption Context for the secret.
    encryptionAlgorithm String
    The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
    grantTokens List<String>
    An optional list of Grant Tokens for the secret.
    keyId String

    Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

    For more information on context and grant_tokens see the KMS Concepts

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi