AWS v6.80.0, May 6 25

AWS v6.80.0 published on Tuesday, May 6, 2025 by Pulumi

aws.secretsmanager.Secret

Explore with Pulumi AI

AWS v6.80.0 published on Tuesday, May 6, 2025 by Pulumi

pulumi/pulumi-aws

Example Usage

Basic

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.secretsmanager.Secret("example", {name: "example"});

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.Secret("example", name="example")

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := secretsmanager.NewSecret(ctx, "example", &secretsmanager.SecretArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.SecretsManager.Secret("example", new()
    {
        Name = "example",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.Secret;
import com.pulumi.aws.secretsmanager.SecretArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Secret("example", SecretArgs.builder()
            .name("example")
            .build());

    }
}

resources:
  example:
    type: aws:secretsmanager:Secret
    properties:
      name: example

Create Secret Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Secret(name: string, args?: SecretArgs, opts?: CustomResourceOptions);

@overload
def Secret(resource_name: str,
           args: Optional[SecretArgs] = None,
           opts: Optional[ResourceOptions] = None)

@overload
def Secret(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           description: Optional[str] = None,
           force_overwrite_replica_secret: Optional[bool] = None,
           kms_key_id: Optional[str] = None,
           name: Optional[str] = None,
           name_prefix: Optional[str] = None,
           policy: Optional[str] = None,
           recovery_window_in_days: Optional[int] = None,
           replicas: Optional[Sequence[SecretReplicaArgs]] = None,
           tags: Optional[Mapping[str, str]] = None)

func NewSecret(ctx *Context, name string, args *SecretArgs, opts ...ResourceOption) (*Secret, error)

public Secret(string name, SecretArgs? args = null, CustomResourceOptions? opts = null)

public Secret(String name, SecretArgs args)
public Secret(String name, SecretArgs args, CustomResourceOptions options)

type: aws:secretsmanager:Secret
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretResource = new Aws.SecretsManager.Secret("secretResource", new()
{
    Description = "string",
    ForceOverwriteReplicaSecret = false,
    KmsKeyId = "string",
    Name = "string",
    NamePrefix = "string",
    Policy = "string",
    RecoveryWindowInDays = 0,
    Replicas = new[]
    {
        new Aws.SecretsManager.Inputs.SecretReplicaArgs
        {
            Region = "string",
            KmsKeyId = "string",
            LastAccessedDate = "string",
            Status = "string",
            StatusMessage = "string",
        },
    },
    Tags = 
    {
        { "string", "string" },
    },
});

example, err := secretsmanager.NewSecret(ctx, "secretResource", &secretsmanager.SecretArgs{
	Description:                 pulumi.String("string"),
	ForceOverwriteReplicaSecret: pulumi.Bool(false),
	KmsKeyId:                    pulumi.String("string"),
	Name:                        pulumi.String("string"),
	NamePrefix:                  pulumi.String("string"),
	Policy:                      pulumi.String("string"),
	RecoveryWindowInDays:        pulumi.Int(0),
	Replicas: secretsmanager.SecretReplicaArray{
		&secretsmanager.SecretReplicaArgs{
			Region:           pulumi.String("string"),
			KmsKeyId:         pulumi.String("string"),
			LastAccessedDate: pulumi.String("string"),
			Status:           pulumi.String("string"),
			StatusMessage:    pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})

var secretResource = new Secret("secretResource", SecretArgs.builder()
    .description("string")
    .forceOverwriteReplicaSecret(false)
    .kmsKeyId("string")
    .name("string")
    .namePrefix("string")
    .policy("string")
    .recoveryWindowInDays(0)
    .replicas(SecretReplicaArgs.builder()
        .region("string")
        .kmsKeyId("string")
        .lastAccessedDate("string")
        .status("string")
        .statusMessage("string")
        .build())
    .tags(Map.of("string", "string"))
    .build());

secret_resource = aws.secretsmanager.Secret("secretResource",
    description="string",
    force_overwrite_replica_secret=False,
    kms_key_id="string",
    name="string",
    name_prefix="string",
    policy="string",
    recovery_window_in_days=0,
    replicas=[{
        "region": "string",
        "kms_key_id": "string",
        "last_accessed_date": "string",
        "status": "string",
        "status_message": "string",
    }],
    tags={
        "string": "string",
    })

const secretResource = new aws.secretsmanager.Secret("secretResource", {
    description: "string",
    forceOverwriteReplicaSecret: false,
    kmsKeyId: "string",
    name: "string",
    namePrefix: "string",
    policy: "string",
    recoveryWindowInDays: 0,
    replicas: [{
        region: "string",
        kmsKeyId: "string",
        lastAccessedDate: "string",
        status: "string",
        statusMessage: "string",
    }],
    tags: {
        string: "string",
    },
});

type: aws:secretsmanager:Secret
properties:
    description: string
    forceOverwriteReplicaSecret: false
    kmsKeyId: string
    name: string
    namePrefix: string
    policy: string
    recoveryWindowInDays: 0
    replicas:
        - kmsKeyId: string
          lastAccessedDate: string
          region: string
          status: string
          statusMessage: string
    tags:
        string: string

Secret Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Secret resource accepts the following input properties:

Description string: Description of the secret.
ForceOverwriteReplicaSecret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
KmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
Name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
RecoveryWindowInDays int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
Replicas List<SecretReplica>: Configuration block to support secret replication. See details below.
Tags Dictionary<string, string>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Description string: Description of the secret.
ForceOverwriteReplicaSecret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
KmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
Name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
RecoveryWindowInDays int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
Replicas []SecretReplicaArgs: Configuration block to support secret replication. See details below.
Tags map[string]string: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

description String: Description of the secret.
forceOverwriteReplicaSecret Boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId String: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name String: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix String: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy String: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays Integer: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas List<SecretReplica>: Configuration block to support secret replication. See details below.
tags Map<String,String>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

description string: Description of the secret.
forceOverwriteReplicaSecret boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays number: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas SecretReplica[]: Configuration block to support secret replication. See details below.
tags {[key: string]: string}: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

description str: Description of the secret.
force_overwrite_replica_secret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kms_key_id str: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name str: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
name_prefix str: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy str: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recovery_window_in_days int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas Sequence[SecretReplicaArgs]: Configuration block to support secret replication. See details below.
tags Mapping[str, str]: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

description String: Description of the secret.
forceOverwriteReplicaSecret Boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId String: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name String: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix String: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy String: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays Number: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas List<Property Map>: Configuration block to support secret replication. See details below.
tags Map<String>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Outputs

All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:

Arn string: ARN of the secret.
Id string: The provider-assigned unique ID for this managed resource.
TagsAll Dictionary<string, string>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Arn string: ARN of the secret.
Id string: The provider-assigned unique ID for this managed resource.
TagsAll map[string]string: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the secret.
id String: The provider-assigned unique ID for this managed resource.
tagsAll Map<String,String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn string: ARN of the secret.
id string: The provider-assigned unique ID for this managed resource.
tagsAll {[key: string]: string}: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn str: ARN of the secret.
id str: The provider-assigned unique ID for this managed resource.
tags_all Mapping[str, str]: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the secret.
id String: The provider-assigned unique ID for this managed resource.
tagsAll Map<String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Look up Existing Secret Resource

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretState, opts?: CustomResourceOptions): Secret

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        description: Optional[str] = None,
        force_overwrite_replica_secret: Optional[bool] = None,
        kms_key_id: Optional[str] = None,
        name: Optional[str] = None,
        name_prefix: Optional[str] = None,
        policy: Optional[str] = None,
        recovery_window_in_days: Optional[int] = None,
        replicas: Optional[Sequence[SecretReplicaArgs]] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None) -> Secret

func GetSecret(ctx *Context, name string, id IDInput, state *SecretState, opts ...ResourceOption) (*Secret, error)

public static Secret Get(string name, Input<string> id, SecretState? state, CustomResourceOptions? opts = null)

public static Secret get(String name, Output<String> id, SecretState state, CustomResourceOptions options)

resources:  _:    type: aws:secretsmanager:Secret    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: ARN of the secret.
Description string: Description of the secret.
ForceOverwriteReplicaSecret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
KmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
Name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
RecoveryWindowInDays int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
Replicas List<SecretReplica>: Configuration block to support secret replication. See details below.
Tags Dictionary<string, string>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Arn string: ARN of the secret.
Description string: Description of the secret.
ForceOverwriteReplicaSecret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
KmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
Name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
NamePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
Policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
RecoveryWindowInDays int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
Replicas []SecretReplicaArgs: Configuration block to support secret replication. See details below.
Tags map[string]string: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the secret.
description String: Description of the secret.
forceOverwriteReplicaSecret Boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId String: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name String: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix String: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy String: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays Integer: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas List<SecretReplica>: Configuration block to support secret replication. See details below.
tags Map<String,String>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String,String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn string: ARN of the secret.
description string: Description of the secret.
forceOverwriteReplicaSecret boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId string: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name string: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix string: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy string: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays number: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas SecretReplica[]: Configuration block to support secret replication. See details below.
tags {[key: string]: string}: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn str: ARN of the secret.
description str: Description of the secret.
force_overwrite_replica_secret bool: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kms_key_id str: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name str: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
name_prefix str: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy str: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recovery_window_in_days int: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas Sequence[SecretReplicaArgs]: Configuration block to support secret replication. See details below.
tags Mapping[str, str]: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

arn String: ARN of the secret.
description String: Description of the secret.
forceOverwriteReplicaSecret Boolean: Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
kmsKeyId String: ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
name String: Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
namePrefix String: Creates a unique name beginning with the specified prefix. Conflicts with name.
policy String: Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).
recoveryWindowInDays Number: Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
replicas List<Property Map>: Configuration block to support secret replication. See details below.
tags Map<String>: Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String>: Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Deprecated: Please use tags instead.

Supporting Types

SecretReplica, SecretReplicaArgs

Region string: Region for replicating the secret.
KmsKeyId string: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
LastAccessedDate string: Date that you last accessed the secret in the Region.
Status string: Status can be InProgress, Failed, or InSync.
StatusMessage string: Message such as Replication succeeded or Secret with this name already exists in this region.

Region string: Region for replicating the secret.
KmsKeyId string: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
LastAccessedDate string: Date that you last accessed the secret in the Region.
Status string: Status can be InProgress, Failed, or InSync.
StatusMessage string: Message such as Replication succeeded or Secret with this name already exists in this region.

region String: Region for replicating the secret.
kmsKeyId String: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
lastAccessedDate String: Date that you last accessed the secret in the Region.
status String: Status can be InProgress, Failed, or InSync.
statusMessage String: Message such as Replication succeeded or Secret with this name already exists in this region.

region string: Region for replicating the secret.
kmsKeyId string: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
lastAccessedDate string: Date that you last accessed the secret in the Region.
status string: Status can be InProgress, Failed, or InSync.
statusMessage string: Message such as Replication succeeded or Secret with this name already exists in this region.

region str: Region for replicating the secret.
kms_key_id str: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
last_accessed_date str: Date that you last accessed the secret in the Region.
status str: Status can be InProgress, Failed, or InSync.
status_message str: Message such as Replication succeeded or Secret with this name already exists in this region.

region String: Region for replicating the secret.
kmsKeyId String: ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
lastAccessedDate String: Date that you last accessed the secret in the Region.
status String: Status can be InProgress, Failed, or InSync.
statusMessage String: Message such as Replication succeeded or Secret with this name already exists in this region.

Import

Using pulumi import, import aws_secretsmanager_secret using the secret Amazon Resource Name (ARN). For example:

$ pulumi import aws:secretsmanager/secret:Secret example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v6.80.0 published on Tuesday, May 6, 2025 by Pulumi

pulumi/pulumi-aws

aws.secretsmanager.Secret

On this page

On this page

Example Usage

Basic

Create Secret Resource

Constructor syntax

Parameters

Constructor example

Secret Resource Properties

Inputs

Outputs

Look up Existing Secret Resource

Supporting Types

SecretReplica, SecretReplicaArgs

Import

Package Details

On this page

On this page