Secret

Provides a resource to manage AWS Secrets Manager secret metadata. To manage secret rotation, see the aws.secretsmanager.SecretRotation resource. To manage a secret value, see the aws.secretsmanager.SecretVersion resource.

Example Usage

Basic

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.SecretsManager.Secret("example", new Aws.SecretsManager.SecretArgs
        {
        });
    }
}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/secretsmanager"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := secretsmanager.NewSecret(ctx, "example", nil)
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.Secret("example")

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.secretsmanager.Secret("example", {});

Rotation Configuration

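using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // aws_lambda_function.Example stands for a Lambda function resource defined elsewhere in the program.
        // RotationLambdaArn and RotationRules are deprecated in favor of aws.secretsmanager.SecretRotation.
        var rotation_example = new Aws.SecretsManager.Secret("rotation-example", new Aws.SecretsManager.SecretArgs
        {
            RotationLambdaArn = aws_lambda_function.Example.Arn,
            RotationRules = new Aws.SecretsManager.Inputs.SecretRotationRulesArgs
            {
                AutomaticallyAfterDays = 7,
            },
        });
    }
}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/secretsmanager"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // aws_lambda_function.Example stands for a Lambda function resource defined elsewhere in the program.
        // RotationLambdaArn and RotationRules are deprecated in favor of aws.secretsmanager.SecretRotation.
        _, err := secretsmanager.NewSecret(ctx, "rotation_example", &secretsmanager.SecretArgs{
            RotationLambdaArn: pulumi.String(aws_lambda_function.Example.Arn),
            RotationRules: &secretsmanager.SecretRotationRulesArgs{
                AutomaticallyAfterDays: pulumi.Int(7),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

# aws_lambda_function["example"] stands for a Lambda function resource defined elsewhere in the program.
# rotation_lambda_arn and rotation_rules are deprecated in favor of aws.secretsmanager.SecretRotation.
rotation_example = aws.secretsmanager.Secret("rotation-example",
    rotation_lambda_arn=aws_lambda_function["example"]["arn"],
    rotation_rules={
        "automaticallyAfterDays": 7,
    })

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// aws_lambda_function_example stands for a Lambda function resource defined elsewhere in the program.
// rotationLambdaArn and rotationRules are deprecated in favor of aws.secretsmanager.SecretRotation.
const rotation_example = new aws.secretsmanager.Secret("rotation-example", {
    rotationLambdaArn: aws_lambda_function_example.arn,
    rotationRules: {
        automaticallyAfterDays: 7,
    },
});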

Create a Secret Resource

new Secret(name: string, args?: SecretArgs, opts?: CustomResourceOptions);
def Secret(resource_name, opts=None, description=None, kms_key_id=None, name=None, name_prefix=None, policy=None, recovery_window_in_days=None, rotation_lambda_arn=None, rotation_rules=None, tags=None, __props__=None);
func NewSecret(ctx *Context, name string, args *SecretArgs, opts ...ResourceOption) (*Secret, error)
public Secret(string name, SecretArgs? args = null, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecretArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecretArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecretArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Secret Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Secret resource accepts the following input properties:

Description string

A description of the secret.

KmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

Name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Policy string

A valid JSON document representing a resource policy.

RecoveryWindowInDays int

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

RotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationRules SecretRotationRulesArgs

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Tags Dictionary<string, string>

Specifies a key-value map of user-defined tags that are attached to the secret.

Description string

A description of the secret.

KmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

Name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Policy string

A valid JSON document representing a resource policy.

RecoveryWindowInDays int

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

RotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationRules SecretRotationRules

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Tags map[string]string

Specifies a key-value map of user-defined tags that are attached to the secret.

description string

A description of the secret.

kmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

policy string

A valid JSON document representing a resource policy.

recoveryWindowInDays number

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

rotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotationRules SecretRotationRules

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

tags {[key: string]: string}

Specifies a key-value map of user-defined tags that are attached to the secret.

description str

A description of the secret.

kms_key_id str

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

name str

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

policy str

A valid JSON document representing a resource policy.

recovery_window_in_days float

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

rotation_lambda_arn str

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotation_rules Dict[SecretRotationRules]

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

tags Dict[str, str]

Specifies a key-value map of user-defined tags that are attached to the secret.
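The input constraints listed above can be checked before a deployment. The following is an added example, not part of the Pulumi documentation or the pulumi-aws code base: a standalone pre-deployment check over a plain dict of Secret keyword arguments. The function names, message wording and sample values are assumptions made for illustration.

```python
import json
import re

# Every rule below restates a constraint from the input property descriptions above.
NAME_RE = re.compile(r"[A-Za-z0-9/_+=.@-]+")
DEPRECATED_ROTATION_ARGS = ("rotation_lambda_arn", "rotation_rules")


def check_secret_args(args):
    """Return (level, message) findings for a dict of Secret keyword arguments."""
    findings = []
    name, prefix = args.get("name"), args.get("name_prefix")

    if name is not None and prefix is not None:
        findings.append(("error", "name conflicts with name_prefix"))
    # The prefix becomes the start of the final name, so the same charset is applied.
    for key, value in (("name", name), ("name_prefix", prefix)):
        if value is not None and not NAME_RE.fullmatch(value):
            findings.append(("error", f"{key} has characters outside A-Za-z0-9/_+=.@-"))

    window = args.get("recovery_window_in_days")
    if window is not None:
        if window == 0:
            findings.append(("warn", "recovery_window_in_days=0 forces deletion without recovery"))
        elif not 7 <= window <= 30:
            findings.append(("error", "recovery_window_in_days must be 0 or from 7 to 30"))

    policy = args.get("policy")
    if policy is not None:
        try:
            json.loads(policy)
        except (TypeError, ValueError):
            findings.append(("error", "policy is not a valid JSON document"))

    if args.get("kms_key_id") is None:
        findings.append(("info", "no kms_key_id: the account default CMK aws/secretsmanager is used"))

    for key in DEPRECATED_ROTATION_ARGS:
        if args.get(key) is not None:
            findings.append(("warn", f"{key} is deprecated: use aws.secretsmanager.SecretRotation"))

    return findings


def has_errors(findings):
    """True when at least one finding should block the deployment."""
    return any(level == "error" for level, _ in findings)


# Constructed sample inputs (placeholders, not taken from the page).
GOOD = {
    "name": "prod/db/app-user",
    "kms_key_id": "alias/example-secrets-key",
    "recovery_window_in_days": 14,
    "policy": json.dumps({"Version": "2012-10-17", "Statement": []}),
}
BAD = {
    "name": "prod db password!",          # space and "!" are not allowed
    "name_prefix": "prod-",               # conflicts with name
    "recovery_window_in_days": 3,         # neither 0 nor within 7 to 30
    "policy": "{'Version': '2012-10-17'}",  # single quotes: not JSON
    "rotation_lambda_arn": "arn:aws:lambda:us-east-1:111122223333:function:example-rotator",
    "rotation_rules": {"automaticallyAfterDays": 7},
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label)
        for level, message in check_secret_args(sample):
            print(f"  [{level}] {message}")
```
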

Outputs

All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:

Arn string

Amazon Resource Name (ARN) of the secret.

Id string
The provider-assigned unique ID for this managed resource.
RotationEnabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Arn string

Amazon Resource Name (ARN) of the secret.

Id string
The provider-assigned unique ID for this managed resource.
RotationEnabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

arn string

Amazon Resource Name (ARN) of the secret.

id string
The provider-assigned unique ID for this managed resource.
rotationEnabled boolean

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

arn str

Amazon Resource Name (ARN) of the secret.

id str
The provider-assigned unique ID for this managed resource.
rotation_enabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Look up an Existing Secret Resource

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretState, opts?: CustomResourceOptions): Secret
static get(resource_name, id, opts=None, arn=None, description=None, kms_key_id=None, name=None, name_prefix=None, policy=None, recovery_window_in_days=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, tags=None, __props__=None);
func GetSecret(ctx *Context, name string, id IDInput, state *SecretState, opts ...ResourceOption) (*Secret, error)
public static Secret Get(string name, Input<string> id, SecretState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string

Amazon Resource Name (ARN) of the secret.

Description string

A description of the secret.

KmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

Name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Policy string

A valid JSON document representing a resource policy.

RecoveryWindowInDays int

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

RotationEnabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationRules SecretRotationRulesArgs

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Tags Dictionary<string, string>

Specifies a key-value map of user-defined tags that are attached to the secret.

Arn string

Amazon Resource Name (ARN) of the secret.

Description string

A description of the secret.

KmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

Name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

Policy string

A valid JSON document representing a resource policy.

RecoveryWindowInDays int

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

RotationEnabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

RotationRules SecretRotationRules

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

Tags map[string]string

Specifies a key-value map of user-defined tags that are attached to the secret.

arn string

Amazon Resource Name (ARN) of the secret.

description string

A description of the secret.

kmsKeyId string

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

name string

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

policy string

A valid JSON document representing a resource policy.

recoveryWindowInDays number

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

rotationEnabled boolean

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotationLambdaArn string

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotationRules SecretRotationRules

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

tags {[key: string]: string}

Specifies a key-value map of user-defined tags that are attached to the secret.

arn str

Amazon Resource Name (ARN) of the secret.

description str

A description of the secret.

kms_key_id str

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

name str

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

policy str

A valid JSON document representing a resource policy.

recovery_window_in_days float

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

rotation_enabled bool

Specifies whether automatic rotation is enabled for this secret.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotation_lambda_arn str

Specifies the ARN of the Lambda function that can rotate the secret. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

rotation_rules Dict[SecretRotationRules]

A structure that defines the rotation configuration for this secret. Defined below. Use the aws.secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

Deprecated: Use the aws_secretsmanager_secret_rotation resource instead

tags Dict[str, str]

Specifies a key-value map of user-defined tags that are attached to the secret.

Supporting Types

SecretRotationRules

See the input and output API doc for this type.


AutomaticallyAfterDays int

Specifies the number of days between automatic scheduled rotations of the secret.

AutomaticallyAfterDays int

Specifies the number of days between automatic scheduled rotations of the secret.

automaticallyAfterDays number

Specifies the number of days between automatic scheduled rotations of the secret.

automaticallyAfterDays float

Specifies the number of days between automatic scheduled rotations of the secret.

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.