Viewing docs for AWS v7.24.0
published on Tuesday, Mar 31, 2026 by Pulumi
published on Tuesday, Mar 31, 2026 by Pulumi
Viewing docs for AWS v7.24.0
published on Tuesday, Mar 31, 2026 by Pulumi
published on Tuesday, Mar 31, 2026 by Pulumi
Retrieve the versions of a Secrets Manager secret. To retrieve secret metadata, see the data sources aws.secretsmanager.Secret and aws.secretsmanager.SecretVersion.
Example Usage
Retrieve All Versions of a Secret
By default, this data sources retrieves all versions of a secret.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const secret_versions = aws.secretsmanager.getSecretVersions({
secretId: example.id,
});
import pulumi
import pulumi_aws as aws
secret_versions = aws.secretsmanager.get_secret_versions(secret_id=example["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretsmanager.GetSecretVersions(ctx, &secretsmanager.GetSecretVersionsArgs{
SecretId: example.Id,
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var secret_versions = Aws.SecretsManager.GetSecretVersions.Invoke(new()
{
SecretId = example.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.SecretsmanagerFunctions;
import com.pulumi.aws.secretsmanager.inputs.GetSecretVersionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var secret-versions = SecretsmanagerFunctions.getSecretVersions(GetSecretVersionsArgs.builder()
.secretId(example.id())
.build());
}
}
variables:
secret-versions:
fn::invoke:
function: aws:secretsmanager:getSecretVersions
arguments:
secretId: ${example.id}
Retrieve Specific Secret Version
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const by_version_stage = aws.secretsmanager.getSecretVersion({
secretId: example.id,
versionStage: "example",
});
import pulumi
import pulumi_aws as aws
by_version_stage = aws.secretsmanager.get_secret_version(secret_id=example["id"],
version_stage="example")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretsmanager.LookupSecretVersion(ctx, &secretsmanager.LookupSecretVersionArgs{
SecretId: example.Id,
VersionStage: pulumi.StringRef("example"),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var by_version_stage = Aws.SecretsManager.GetSecretVersion.Invoke(new()
{
SecretId = example.Id,
VersionStage = "example",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.SecretsmanagerFunctions;
import com.pulumi.aws.secretsmanager.inputs.GetSecretVersionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var by-version-stage = SecretsmanagerFunctions.getSecretVersion(GetSecretVersionArgs.builder()
.secretId(example.id())
.versionStage("example")
.build());
}
}
variables:
by-version-stage:
fn::invoke:
function: aws:secretsmanager:getSecretVersion
arguments:
secretId: ${example.id}
versionStage: example
Handling Key-Value Secret Strings in JSON
Reading key-value pairs from JSON back into a native Terraform map can be accomplished in Terraform 0.12 and later with the jsondecode() function:
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
export const example = std.jsondecode({
input: exampleAwsSecretsmanagerSecretVersion.secretString,
}).then(invoke => invoke.result?.key1);
import pulumi
import pulumi_std as std
pulumi.export("example", std.jsondecode(input=example_aws_secretsmanager_secret_version["secretString"]).result["key1"])
package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
ctx.Export("example", pulumi.Any(std.Jsondecode(ctx, &std.JsondecodeArgs{
Input: exampleAwsSecretsmanagerSecretVersion.SecretString,
}, nil).Result.Key1))
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
return new Dictionary<string, object?>
{
["example"] = Std.Jsondecode.Invoke(new()
{
Input = exampleAwsSecretsmanagerSecretVersion.SecretString,
}).Apply(invoke => invoke.Result?.Key1),
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.JsondecodeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
ctx.export("example", StdFunctions.jsondecode(JsondecodeArgs.builder()
.input(exampleAwsSecretsmanagerSecretVersion.secretString())
.build()).result().key1());
}
}
outputs:
example:
fn::invoke:
function: std:jsondecode
arguments:
input: ${exampleAwsSecretsmanagerSecretVersion.secretString}
return: result.key1
Using getSecretVersions
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getSecretVersions(args: GetSecretVersionsArgs, opts?: InvokeOptions): Promise<GetSecretVersionsResult>
function getSecretVersionsOutput(args: GetSecretVersionsOutputArgs, opts?: InvokeOptions): Output<GetSecretVersionsResult>def get_secret_versions(include_deprecated: Optional[bool] = None,
region: Optional[str] = None,
secret_id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetSecretVersionsResult
def get_secret_versions_output(include_deprecated: Optional[pulumi.Input[bool]] = None,
region: Optional[pulumi.Input[str]] = None,
secret_id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetSecretVersionsResult]func GetSecretVersions(ctx *Context, args *GetSecretVersionsArgs, opts ...InvokeOption) (*GetSecretVersionsResult, error)
func GetSecretVersionsOutput(ctx *Context, args *GetSecretVersionsOutputArgs, opts ...InvokeOption) GetSecretVersionsResultOutput> Note: This function is named GetSecretVersions in the Go SDK.
public static class GetSecretVersions
{
public static Task<GetSecretVersionsResult> InvokeAsync(GetSecretVersionsArgs args, InvokeOptions? opts = null)
public static Output<GetSecretVersionsResult> Invoke(GetSecretVersionsInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetSecretVersionsResult> getSecretVersions(GetSecretVersionsArgs args, InvokeOptions options)
public static Output<GetSecretVersionsResult> getSecretVersions(GetSecretVersionsArgs args, InvokeOptions options)
fn::invoke:
function: aws:secretsmanager/getSecretVersions:getSecretVersions
arguments:
# arguments dictionaryThe following arguments are supported:
- Secret
Id string - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- Include
Deprecated bool - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Secret
Id string - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- Include
Deprecated bool - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- secret
Id String - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- include
Deprecated Boolean - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- secret
Id string - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- include
Deprecated boolean - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- secret_
id str - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- include_
deprecated bool - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- secret
Id String - Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
- include
Deprecated Boolean - If true, all deprecated secret versions are included in the response.
If false, no deprecated secret versions are included in the response. If no value is specified, the default value is
false. - region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
getSecretVersions Result
The following output properties are available:
- Arn string
- ARN of the secret.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Region string
- Secret
Id string - Versions
List<Get
Secret Versions Version> - List of the versions of the secret. Attributes are specified below.
- Include
Deprecated bool
- Arn string
- ARN of the secret.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- Region string
- Secret
Id string - Versions
[]Get
Secret Versions Version - List of the versions of the secret. Attributes are specified below.
- Include
Deprecated bool
- arn String
- ARN of the secret.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- region String
- secret
Id String - versions
List<Get
Secret Versions Version> - List of the versions of the secret. Attributes are specified below.
- include
Deprecated Boolean
- arn string
- ARN of the secret.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- region string
- secret
Id string - versions
Get
Secret Versions Version[] - List of the versions of the secret. Attributes are specified below.
- include
Deprecated boolean
- arn str
- ARN of the secret.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- region str
- secret_
id str - versions
Sequence[Get
Secret Versions Version] - List of the versions of the secret. Attributes are specified below.
- include_
deprecated bool
- arn String
- ARN of the secret.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- region String
- secret
Id String - versions List<Property Map>
- List of the versions of the secret. Attributes are specified below.
- include
Deprecated Boolean
Supporting Types
GetSecretVersionsVersion
- Created
Time string - Date and time this version of the secret was created.
- Last
Accessed stringDate - Date that this version of the secret was last accessed.
- Version
Id string - Unique version identifier of this version of the secret.
- Version
Stages List<string> - List of staging labels attached to the version.
- Created
Time string - Date and time this version of the secret was created.
- Last
Accessed stringDate - Date that this version of the secret was last accessed.
- Version
Id string - Unique version identifier of this version of the secret.
- Version
Stages []string - List of staging labels attached to the version.
- created
Time String - Date and time this version of the secret was created.
- last
Accessed StringDate - Date that this version of the secret was last accessed.
- version
Id String - Unique version identifier of this version of the secret.
- version
Stages List<String> - List of staging labels attached to the version.
- created
Time string - Date and time this version of the secret was created.
- last
Accessed stringDate - Date that this version of the secret was last accessed.
- version
Id string - Unique version identifier of this version of the secret.
- version
Stages string[] - List of staging labels attached to the version.
- created_
time str - Date and time this version of the secret was created.
- last_
accessed_ strdate - Date that this version of the secret was last accessed.
- version_
id str - Unique version identifier of this version of the secret.
- version_
stages Sequence[str] - List of staging labels attached to the version.
- created
Time String - Date and time this version of the secret was created.
- last
Accessed StringDate - Date that this version of the secret was last accessed.
- version
Id String - Unique version identifier of this version of the secret.
- version
Stages List<String> - List of staging labels attached to the version.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
Viewing docs for AWS v7.24.0
published on Tuesday, Mar 31, 2026 by Pulumi
published on Tuesday, Mar 31, 2026 by Pulumi
