
AWS Classic v6.3.0 published on Thursday, Sep 28, 2023 by Pulumi

aws.secretsmanager.Secret


    Provides a resource to manage AWS Secrets Manager secret metadata. To manage secret rotation, see the aws.secretsmanager.SecretRotation resource. To manage a secret value, see the aws.secretsmanager.SecretVersion resource.

    Example Usage

    Basic

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.SecretsManager.Secret("example");
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := secretsmanager.NewSecret(ctx, "example", nil)
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.secretsmanager.Secret;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Secret("example");
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.secretsmanager.Secret("example")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.secretsmanager.Secret("example", {});
    
    resources:
      example:
        type: aws:secretsmanager:Secret
    

    Create Secret Resource

    new Secret(name: string, args?: SecretArgs, opts?: CustomResourceOptions);
    @overload
    def Secret(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               description: Optional[str] = None,
               force_overwrite_replica_secret: Optional[bool] = None,
               kms_key_id: Optional[str] = None,
               name: Optional[str] = None,
               name_prefix: Optional[str] = None,
               policy: Optional[str] = None,
               recovery_window_in_days: Optional[int] = None,
               replicas: Optional[Sequence[SecretReplicaArgs]] = None,
               tags: Optional[Mapping[str, str]] = None)
    @overload
    def Secret(resource_name: str,
               args: Optional[SecretArgs] = None,
               opts: Optional[ResourceOptions] = None)
    func NewSecret(ctx *Context, name string, args *SecretArgs, opts ...ResourceOption) (*Secret, error)
    public Secret(string name, SecretArgs? args = null, CustomResourceOptions? opts = null)
    public Secret(String name, SecretArgs args)
    public Secret(String name, SecretArgs args, CustomResourceOptions options)
    
    type: aws:secretsmanager:Secret
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecretArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Secret Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Secret resource accepts the following input properties:

    Description string

    Description of the secret.

    ForceOverwriteReplicaSecret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    KmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    Name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    NamePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    Policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    RecoveryWindowInDays int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    Replicas List<SecretReplica>

    Configuration block to support secret replication. See details below.

    Tags Dictionary<string, string>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Description string

    Description of the secret.

    ForceOverwriteReplicaSecret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    KmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    Name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    NamePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    Policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    RecoveryWindowInDays int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    Replicas []SecretReplicaArgs

    Configuration block to support secret replication. See details below.

    Tags map[string]string

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    description String

    Description of the secret.

    forceOverwriteReplicaSecret Boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId String

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name String

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix String

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy String

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays Integer

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas List<SecretReplica>

    Configuration block to support secret replication. See details below.

    tags Map<String,String>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    description string

    Description of the secret.

    forceOverwriteReplicaSecret boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays number

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas SecretReplica[]

    Configuration block to support secret replication. See details below.

    tags {[key: string]: string}

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    description str

    Description of the secret.

    force_overwrite_replica_secret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kms_key_id str

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name str

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    name_prefix str

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy str

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recovery_window_in_days int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas Sequence[SecretReplicaArgs]

    Configuration block to support secret replication. See details below.

    tags Mapping[str, str]

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    description String

    Description of the secret.

    forceOverwriteReplicaSecret Boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId String

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name String

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix String

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy String

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays Number

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas List<Property Map>

    Configuration block to support secret replication. See details below.

    tags Map<String>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
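
The input constraints above (the name character set, the name/name_prefix conflict, the 0 or 7 to 30 day recovery window, the "" versus "{}" policy behaviour, and the fallback to the aws/secretsmanager default key) written as a pre-deployment check over a dict of Secret inputs. This is an added example, not part of the Pulumi SDK or its documentation: `lint_secret_args`, its finding codes, the sample dicts, account IDs and ARNs are constructed for illustration, and the wildcard-principal check goes beyond what the page states.

```python
import json
import re

# Character set for `name` as listed under Inputs: letters, digits and /_+=.@-
NAME_RE = re.compile(r"[A-Za-z0-9/_+=.@-]+")


def _wildcard_allow(stmt):
    """True if a statement allows any principal ("*") and has no Condition."""
    if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any(v == "*" or (isinstance(v, list) and "*" in v) for v in values)


def lint_secret_args(args, account_id=None):
    """Check Secret inputs (Python SDK names); return (severity, code, message) tuples.

    account_id (hypothetical parameter) is the deploying AWS account, used only
    to recognise a KMS key ARN that belongs to a different account.
    """
    findings = []

    def add(severity, code, message):
        findings.append((severity, code, message))

    name = args.get("name")
    if name and args.get("name_prefix"):
        add("error", "name-conflict", "name conflicts with name_prefix; set only one")
    if name and not NAME_RE.fullmatch(name):
        add("error", "name-chars", "name has characters outside letters, digits and /_+=.@-")

    days = args.get("recovery_window_in_days")
    days = 30 if days is None else days  # documented default
    if days == 0:
        add("warn", "no-recovery", "0 forces deletion without recovery")
    elif not 7 <= days <= 30:
        add("error", "recovery-range", "recovery_window_in_days must be 0 or 7 to 30")

    key = args.get("kms_key_id")
    if not key:
        add("info", "default-key", "no kms_key_id: account default key aws/secretsmanager is used")
    elif key.startswith("arn:"):
        parts = key.split(":", 5)  # arn:partition:service:region:account:resource
        if len(parts) != 6 or parts[2] != "kms":
            add("error", "key-arn", "kms_key_id is an ARN but not a KMS ARN")
        elif account_id and parts[4] != account_id:
            add("info", "cross-account-key", f"key belongs to account {parts[4]}; ARN form is required")
    else:
        add("info", "key-id-local", "bare key Id: a key in a different account needs its ARN")

    if "policy" in args:
        policy = args["policy"]
        if not policy:
            add("warn", "policy-noop", 'null or "" leaves an existing policy in place; "{}" deletes it')
        else:
            try:
                doc = json.loads(policy)
            except (TypeError, ValueError):
                doc = None
            if not isinstance(doc, dict):
                add("error", "policy-json", "policy must parse as a JSON object")
            elif not doc:
                add("info", "policy-delete", '"{}" deletes the resource policy')
            else:
                stmts = doc.get("Statement", [])
                stmts = [stmts] if isinstance(stmts, dict) else stmts
                if any(_wildcard_allow(s) for s in stmts):
                    add("warn", "policy-public", "Allow for Principal * without a Condition")

    if args.get("force_overwrite_replica_secret"):
        add("warn", "replica-overwrite", "a same-named secret in the destination Region is overwritten")
    return findings


# Constructed sample inputs (not from the page): a weak configuration and a hardened one.
WEAK = {
    "name": "prod/db password",        # the space is outside the allowed character set
    "name_prefix": "prod/",            # conflicts with name
    "recovery_window_in_days": 3,      # neither 0 nor within 7..30
    "policy": "",                      # does not remove a policy that is already attached
    "force_overwrite_replica_secret": True,
}
HARDENED = {
    "name": "prod/db/password",
    "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder ARN
    "recovery_window_in_days": 7,
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},  # placeholder role
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }]}),
}

if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label)
        for severity, code, message in lint_secret_args(sample, account_id="111122223333"):
            print(f"  [{severity}] {code}: {message}")
```
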

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:

    Arn string

    ARN of the secret.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll Dictionary<string, string>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Arn string

    ARN of the secret.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll map[string]string

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the secret.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String,String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn string

    ARN of the secret.

    id string

    The provider-assigned unique ID for this managed resource.

    tagsAll {[key: string]: string}

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn str

    ARN of the secret.

    id str

    The provider-assigned unique ID for this managed resource.

    tags_all Mapping[str, str]

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the secret.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Look up Existing Secret Resource

    Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretState, opts?: CustomResourceOptions): Secret
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            description: Optional[str] = None,
            force_overwrite_replica_secret: Optional[bool] = None,
            kms_key_id: Optional[str] = None,
            name: Optional[str] = None,
            name_prefix: Optional[str] = None,
            policy: Optional[str] = None,
            recovery_window_in_days: Optional[int] = None,
            replicas: Optional[Sequence[SecretReplicaArgs]] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None) -> Secret
    func GetSecret(ctx *Context, name string, id IDInput, state *SecretState, opts ...ResourceOption) (*Secret, error)
    public static Secret Get(string name, Input<string> id, SecretState? state, CustomResourceOptions? opts = null)
    public static Secret get(String name, Output<String> id, SecretState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string

    ARN of the secret.

    Description string

    Description of the secret.

    ForceOverwriteReplicaSecret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    KmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    Name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    NamePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    Policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    RecoveryWindowInDays int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    Replicas List<SecretReplica>

    Configuration block to support secret replication. See details below.

    Tags Dictionary<string, string>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll Dictionary<string, string>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Arn string

    ARN of the secret.

    Description string

    Description of the secret.

    ForceOverwriteReplicaSecret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    KmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    Name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    NamePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    Policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    RecoveryWindowInDays int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    Replicas []SecretReplicaArgs

    Configuration block to support secret replication. See details below.

    Tags map[string]string

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll map[string]string

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the secret.

    description String

    Description of the secret.

    forceOverwriteReplicaSecret Boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId String

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name String

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix String

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy String

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays Integer

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas List<SecretReplica>

    Configuration block to support secret replication. See details below.

    tags Map<String,String>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String,String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn string

    ARN of the secret.

    description string

    Description of the secret.

    forceOverwriteReplicaSecret boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId string

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name string

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix string

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy string

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays number

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas SecretReplica[]

    Configuration block to support secret replication. See details below.

    tags {[key: string]: string}

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll {[key: string]: string}

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn str

    ARN of the secret.

    description str

    Description of the secret.

    force_overwrite_replica_secret bool

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kms_key_id str

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name str

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    name_prefix str

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy str

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recovery_window_in_days int

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas Sequence[SecretReplicaArgs]

    Configuration block to support secret replication. See details below.

    tags Mapping[str, str]

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tags_all Mapping[str, str]

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the secret.

    description String

    Description of the secret.

    forceOverwriteReplicaSecret Boolean

    Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.

    kmsKeyId String

    ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.

    name String

    Friendly name of the new secret. Conflicts with name_prefix. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-

    namePrefix String

    Creates a unique name beginning with the specified prefix. Conflicts with name.

    policy String

    Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws.secretsmanager.SecretPolicy. To delete the policy, set it to "{}" (an empty JSON document).

    recoveryWindowInDays Number

    Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

    replicas List<Property Map>

    Configuration block to support secret replication. See details below.

    tags Map<String>

    Key-value map of user-defined tags that are attached to the secret. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.
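
A pre-deployment check for the input constraints described in the property list above, using the Python property names. This is an added example, not code from the Pulumi provider or its documentation; `lint_secret_args`, its `account_id` and `kms_key_account` parameters, and the sample values are hypothetical.

```python
import json
import re

# Characters the name property allows: letters, digits and /_+=.@-
NAME_RE = re.compile(r"[A-Za-z0-9/_+=.@-]+")


def lint_secret_args(args, account_id, kms_key_account=None):
    """Check a dict of Secret arguments; return (property, finding) tuples."""
    findings = []
    name, prefix = args.get("name"), args.get("name_prefix")
    if name is not None and prefix is not None:
        findings.append(("name", "conflicts with name_prefix"))
    # Assumption: a prefix becomes the start of the name, so it gets the same check.
    for prop, value in (("name", name), ("name_prefix", prefix)):
        if value is not None and not NAME_RE.fullmatch(value):
            findings.append((prop, "character outside letters, digits and /_+=.@-"))

    window = args.get("recovery_window_in_days", 30)  # documented default is 30
    if window == 0:
        findings.append(("recovery_window_in_days", "0 forces deletion without recovery"))
    elif not 7 <= window <= 30:
        findings.append(("recovery_window_in_days", "must be 0 or from 7 to 30"))

    policy = args.get("policy")
    if policy == "":
        findings.append(("policy", 'empty string keeps any existing policy; "{}" deletes it'))
    elif policy is not None:
        try:
            json.loads(policy)
        except ValueError:
            findings.append(("policy", "not a valid JSON document"))

    key = args.get("kms_key_id")
    if key is None:
        findings.append(("kms_key_id", "unset: default key aws/secretsmanager is used"))
    elif (kms_key_account or account_id) != account_id and not key.startswith("arn:"):
        findings.append(("kms_key_id", "a key in a different account needs the key ARN"))
    return findings


# Constructed sample input, not taken from a real stack.
SAMPLE = {"name": "prod/db password", "recovery_window_in_days": 3, "policy": "",
          "kms_key_id": "1234abcd-12ab-34cd-56ef-1234567890ab"}

if __name__ == "__main__":
    for prop, finding in lint_secret_args(SAMPLE, "123456789012", "210987654321"):
        print(f"{prop}: {finding}")
```

The sample trips all four checks: a space in the name, a recovery window of 3, an empty-string policy, and a bare key ID for a key owned by another account.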

    Supporting Types

    SecretReplica, SecretReplicaArgs

    Region string

    Region for replicating the secret.

    KmsKeyId string

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    LastAccessedDate string

    Date that you last accessed the secret in the Region.

    Status string

    Status can be InProgress, Failed, or InSync.

    StatusMessage string

    Message such as Replication succeeded or Secret with this name already exists in this region.

    Region string

    Region for replicating the secret.

    KmsKeyId string

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    LastAccessedDate string

    Date that you last accessed the secret in the Region.

    Status string

    Status can be InProgress, Failed, or InSync.

    StatusMessage string

    Message such as Replication succeeded or Secret with this name already exists in this region.

    region String

    Region for replicating the secret.

    kmsKeyId String

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    lastAccessedDate String

    Date that you last accessed the secret in the Region.

    status String

    Status can be InProgress, Failed, or InSync.

    statusMessage String

    Message such as Replication succeeded or Secret with this name already exists in this region.

    region string

    Region for replicating the secret.

    kmsKeyId string

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    lastAccessedDate string

    Date that you last accessed the secret in the Region.

    status string

    Status can be InProgress, Failed, or InSync.

    statusMessage string

    Message such as Replication succeeded or Secret with this name already exists in this region.

    region str

    Region for replicating the secret.

    kms_key_id str

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    last_accessed_date str

    Date that you last accessed the secret in the Region.

    status str

    Status can be InProgress, Failed, or InSync.

    status_message str

    Message such as Replication succeeded or Secret with this name already exists in this region.

    region String

    Region for replicating the secret.

    kmsKeyId String

    ARN, Key ID, or Alias of the AWS KMS key in the Region the secret is replicated to. If one is not specified, Secrets Manager defaults to the AWS account's default KMS key (aws/secretsmanager) in that Region, creating it if it does not exist.

    lastAccessedDate String

    Date that you last accessed the secret in the Region.

    status String

    Status can be InProgress, Failed, or InSync.

    statusMessage String

    Message such as Replication succeeded or Secret with this name already exists in this region.

    Import

    Using pulumi import, import aws_secretsmanager_secret using the secret Amazon Resource Name (ARN). For example:

     $ pulumi import aws:secretsmanager/secret:Secret example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the aws Terraform Provider.
