Module secretsmanager

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class Secret

extends CustomResource

Provides a resource to manage AWS Secrets Manager secret metadata. To manage a secret value, see the aws.secretsmanager.SecretVersion resource.

Example Usage

Basic

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.secretsmanager.Secret("example", {});

Rotation Configuration

To enable automatic secret rotation, the Secrets Manager service requires a Lambda function. The Rotate Secrets section in the Secrets Manager User Guide provides additional information about deploying prebuilt Lambda functions for supported credential rotation (e.g. RDS) or deploying a custom Lambda function.

NOTE: Configuring rotation causes the secret to rotate once as soon as you store the secret. Before you do this, you must ensure that all of your applications that use the credentials stored in the secret are updated to retrieve the secret from AWS Secrets Manager. The old credentials might no longer be usable after the initial rotation and any applications that you fail to update will break as soon as the old credentials are no longer valid.

NOTE: If you cancel a rotation that is in progress (by removing the rotation configuration), it can leave the VersionStage labels in an unexpected state. Depending on what step of the rotation was in progress, you might need to remove the staging label AWSPENDING from the partially created version, specified by the SecretVersionId response value. You should also evaluate the partially rotated new version to see if it should be deleted, which you can do by removing all staging labels from the new version’s VersionStage field.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The rotation function must already exist. Look it up by its function name
// (replace the placeholder below with the name of your rotation Lambda).
const rotationFunction = aws.lambda.Function.get("rotation", "ROTATION-FUNCTION-NAME");

const rotationExample = new aws.secretsmanager.Secret("rotation-example", {
    rotationLambdaArn: rotationFunction.arn,
    rotationRules: {
        automaticallyAfterDays: 7,
    },
});

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/secretsmanager_secret.html.markdown.

constructor

new Secret(name: string, args?: SecretArgs, opts?: pulumi.CustomResourceOptions)

Create a Secret resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretState, opts?: pulumi.CustomResourceOptions): Secret

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Secret. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

Amazon Resource Name (ARN) of the secret.

property description

public description: pulumi.Output<string | undefined>;

A description of the secret.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property kmsKeyId

public kmsKeyId: pulumi.Output<string | undefined>;

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

property name

public name: pulumi.Output<string>;

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the characters /_+=.@- (slash, underscore, plus, equals, period, at sign, hyphen). Conflicts with namePrefix.

property namePrefix

public namePrefix: pulumi.Output<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

public policy: pulumi.Output<string | undefined>;

A valid JSON document representing a resource policy.

property recoveryWindowInDays

public recoveryWindowInDays: pulumi.Output<number | undefined>;

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

property rotationEnabled

public rotationEnabled: pulumi.Output<boolean>;

Specifies whether automatic rotation is enabled for this secret.

property rotationLambdaArn

public rotationLambdaArn: pulumi.Output<string | undefined>;

Specifies the ARN of the Lambda function that can rotate the secret.

property rotationRules

public rotationRules: pulumi.Output<{
    automaticallyAfterDays: number;
} | undefined>;

A structure that defines the rotation configuration for this secret. Defined below.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

Specifies a key-value map of user-defined tags that are attached to the secret.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class SecretVersion

extends CustomResource

Provides a resource to manage AWS Secrets Manager secret version including its secret value. To manage secret metadata, see the aws.secretsmanager.Secret resource.

NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from this provider unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from this provider to fully trigger version deprecation if necessary.

Example Usage

Simple String Value

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The secret (metadata) must exist before a version can be added to it.
const exampleSecret = new aws.secretsmanager.Secret("example", {});

const example = new aws.secretsmanager.SecretVersion("example", {
    secretId: exampleSecret.id,
    secretString: "example-string-to-protect",
});

Key-Value Pairs

Secrets Manager also accepts key-value pairs in JSON.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();
// The map here can come from other supported sources such as stack
// configuration, resource attributes, or a literal object.
const example = config.getObject<{[key: string]: string}>("example") || {
    key1: "value1",
    key2: "value2",
};

const exampleSecret = new aws.secretsmanager.Secret("example", {});

const exampleSecretVersion = new aws.secretsmanager.SecretVersion("example", {
    secretId: exampleSecret.id,
    // Key-value pairs are stored as a JSON-encoded string.
    secretString: JSON.stringify(example),
});

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/secretsmanager_secret_version.html.markdown.

constructor

new SecretVersion(name: string, args: SecretVersionArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretVersion resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretVersionState, opts?: pulumi.CustomResourceOptions): SecretVersion

Get an existing SecretVersion resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of SecretVersion. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN of the secret.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property secretBinary

public secretBinary: pulumi.Output<string | undefined>;

Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.

property secretId

public secretId: pulumi.Output<string>;

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

property secretString

public secretString: pulumi.Output<string | undefined>;

Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property versionId

public versionId: pulumi.Output<string>;

The unique identifier of the version of the secret.

property versionStages

public versionStages: pulumi.Output<string[]>;

Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.
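The name, recoveryWindowInDays, policy and secretString/secretBinary rules stated in the Secret and SecretVersion property descriptions above can be checked before a resource is declared. This is an added example, not code from the Pulumi SDK or the provider docs: it declares local interfaces that mirror the relevant parts of SecretArgs and SecretVersionArgs so it runs without the SDK, and the principal ARN and the single-statement read-only policy shape are assumptions.

```typescript
// Local mirrors of the SecretArgs / SecretVersionArgs fields checked here (assumed shapes).
interface SecretInput {
    name?: string;
    namePrefix?: string;
    policy?: string;
    recoveryWindowInDays?: number;
}

interface SecretVersionInput {
    secretId: string;
    secretString?: string;
    secretBinary?: string;
}

// Characters a secret name may contain, as listed in the name property description.
const NAME_RE = /^[A-Za-z0-9/_+=.@-]+$/;
// secretBinary must already be base64-encoded.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Resource policy granting one IAM principal GetSecretValue and nothing else.
// Resource "*" is the usual form for a policy attached to the secret itself.
function readOnlyPolicy(principalArn: string): string {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Sid: "AllowReadByPrincipal",
            Effect: "Allow",
            Principal: { AWS: principalArn },
            Action: "secretsmanager:GetSecretValue",
            Resource: "*",
        }],
    });
}

// Returns the documented Secret constraints that `args` violates (empty = ok).
function validateSecretArgs(args: SecretInput): string[] {
    const errors: string[] = [];
    if (args.name !== undefined && args.namePrefix !== undefined) errors.push("name conflicts with namePrefix; set only one");
    for (const n of [args.name, args.namePrefix]) {
        if (n !== undefined && !NAME_RE.test(n)) {
            errors.push(`"${n}" contains characters outside letters, digits and /_+=.@-`);
        }
    }
    const w = args.recoveryWindowInDays;
    // 0 forces deletion without recovery; otherwise the window is 7 to 30 days.
    if (w !== undefined && w !== 0 && (w < 7 || w > 30)) errors.push("recoveryWindowInDays must be 0 or 7 to 30");
    if (args.policy !== undefined) {
        try { JSON.parse(args.policy); } catch (e) { errors.push("policy is not valid JSON"); }
    }
    return errors;
}

// Returns the documented SecretVersion constraints that `args` violates (empty = ok).
function validateVersionArgs(args: SecretVersionInput): string[] {
    const errors: string[] = [];
    const hasString = args.secretString !== undefined;
    const hasBinary = args.secretBinary !== undefined;
    if (hasString === hasBinary) errors.push("set exactly one of secretString or secretBinary");
    if (hasBinary && !BASE64_RE.test(args.secretBinary as string)) errors.push("secretBinary is not base64-encoded");
    return errors;
}
```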

function getSecret

getSecret(args?: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult> & GetSecretResult

Retrieve metadata information about a Secrets Manager secret. To retrieve a secret value, see the aws.secretsmanager.SecretVersion data source.

Example Usage

ARN

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const byArn = pulumi.output(aws.secretsmanager.getSecret({
    arn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456",
}));

Name

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const byName = pulumi.output(aws.secretsmanager.getSecret({
    name: "example",
}));

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/d/secretsmanager_secret.html.markdown.

function getSecretVersion

getSecretVersion(args: GetSecretVersionArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretVersionResult> & GetSecretVersionResult

Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the aws.secretsmanager.Secret data source.

Example Usage

Retrieve Current Secret Version

By default, this data source retrieves information based on the AWSCURRENT staging label.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleSecret = new aws.secretsmanager.Secret("example", {});

const example = exampleSecret.id.apply(id => aws.secretsmanager.getSecretVersion({
    secretId: id,
}));

Retrieve Specific Secret Version

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleSecret = new aws.secretsmanager.Secret("example", {});

const byVersionStage = exampleSecret.id.apply(id => aws.secretsmanager.getSecretVersion({
    secretId: id,
    versionStage: "example",
}));

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/d/secretsmanager_secret_version.html.markdown.

interface GetSecretArgs

A collection of arguments for invoking getSecret.

property arn

arn?: undefined | string;

The Amazon Resource Name (ARN) of the secret to retrieve.

property name

name?: undefined | string;

The name of the secret to retrieve.

interface GetSecretResult

A collection of values returned by getSecret.

property arn

arn: string;

The Amazon Resource Name (ARN) of the secret.

property description

description: string;

A description of the secret.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property kmsKeyId

kmsKeyId: string;

The Key Management Service (KMS) Customer Master Key (CMK) associated with the secret.

property name

name: string;

property policy

policy: string;

The resource-based policy document that’s attached to the secret.

property rotationEnabled

rotationEnabled: boolean;

Whether rotation is enabled or not.

property rotationLambdaArn

rotationLambdaArn: string;

Rotation Lambda function Amazon Resource Name (ARN) if rotation is enabled.

property rotationRules

rotationRules: {
    automaticallyAfterDays: number;
}[];

Rotation rules if rotation is enabled.

property tags

tags: {[key: string]: any};

Tags of the secret.

interface GetSecretVersionArgs

A collection of arguments for invoking getSecretVersion.

property secretId

secretId: string;

Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

property versionId

versionId?: undefined | string;

Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides versionStage.

property versionStage

versionStage?: undefined | string;

Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.

interface GetSecretVersionResult

A collection of values returned by getSecretVersion.

property arn

arn: string;

The ARN of the secret.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property secretBinary

secretBinary: string;

The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.

property secretId

secretId: string;

property secretString

secretString: string;

The decrypted part of the protected secret information that was originally provided as a string.

property versionId

versionId: string;

The unique identifier of this version of the secret.

property versionStage

versionStage?: undefined | string;

property versionStages

versionStages: string[];

interface SecretArgs

The set of arguments for constructing a Secret resource.

property description

description?: pulumi.Input<string>;

A description of the secret.

property kmsKeyId

kmsKeyId?: pulumi.Input<string>;

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

property name

name?: pulumi.Input<string>;

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the characters /_+=.@- (slash, underscore, plus, equals, period, at sign, hyphen). Conflicts with namePrefix.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy?: pulumi.Input<string>;

A valid JSON document representing a resource policy.

property recoveryWindowInDays

recoveryWindowInDays?: pulumi.Input<number>;

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

property rotationLambdaArn

rotationLambdaArn?: pulumi.Input<string>;

Specifies the ARN of the Lambda function that can rotate the secret.

property rotationRules

rotationRules?: pulumi.Input<{
    automaticallyAfterDays: pulumi.Input<number>;
}>;

A structure that defines the rotation configuration for this secret. Defined below.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

Specifies a key-value map of user-defined tags that are attached to the secret.

interface SecretState

Input properties used for looking up and filtering Secret resources.

property arn

arn?: pulumi.Input<string>;

Amazon Resource Name (ARN) of the secret.

property description

description?: pulumi.Input<string>;

A description of the secret.

property kmsKeyId

kmsKeyId?: pulumi.Input<string>;

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

property name

name?: pulumi.Input<string>;

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the characters /_+=.@- (slash, underscore, plus, equals, period, at sign, hyphen). Conflicts with namePrefix.

property namePrefix

namePrefix?: pulumi.Input<string>;

Creates a unique name beginning with the specified prefix. Conflicts with name.

property policy

policy?: pulumi.Input<string>;

A valid JSON document representing a resource policy.

property recoveryWindowInDays

recoveryWindowInDays?: pulumi.Input<number>;

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

property rotationEnabled

rotationEnabled?: pulumi.Input<boolean>;

Specifies whether automatic rotation is enabled for this secret.

property rotationLambdaArn

rotationLambdaArn?: pulumi.Input<string>;

Specifies the ARN of the Lambda function that can rotate the secret.

property rotationRules

rotationRules?: pulumi.Input<{
    automaticallyAfterDays: pulumi.Input<number>;
}>;

A structure that defines the rotation configuration for this secret. Defined below.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

Specifies a key-value map of user-defined tags that are attached to the secret.

interface SecretVersionArgs

The set of arguments for constructing a SecretVersion resource.

property secretBinary

secretBinary?: pulumi.Input<string>;

Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.

property secretId

secretId: pulumi.Input<string>;

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

property secretString

secretString?: pulumi.Input<string>;

Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.

property versionStages

versionStages?: pulumi.Input<pulumi.Input<string>[]>;

Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

interface SecretVersionState

Input properties used for looking up and filtering SecretVersion resources.

property arn

arn?: pulumi.Input<string>;

The ARN of the secret.

property secretBinary

secretBinary?: pulumi.Input<string>;

Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.

property secretId

secretId?: pulumi.Input<string>;

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

property secretString

secretString?: pulumi.Input<string>;

Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.

property versionId

versionId?: pulumi.Input<string>;

The unique identifier of the version of the secret.

property versionStages

versionStages?: pulumi.Input<pulumi.Input<string>[]>;

Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.