Module secretsmanager
This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn't turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.
Resources
Functions
Others
- GetSecretArgs
- GetSecretResult
- GetSecretVersionArgs
- GetSecretVersionResult
- SecretArgs
- SecretState
- SecretVersionArgs
- SecretVersionState
Resources
Resource Secret
class Secret extends CustomResource
Provides a resource to manage AWS Secrets Manager secret metadata. To manage a secret value, see the aws.secretsmanager.SecretVersion resource.
Example Usage
Basic
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.secretsmanager.Secret("example", {});
Rotation Configuration
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const rotation_example = new aws.secretsmanager.Secret("rotation-example", {
rotationLambdaArn: aws_lambda_function_example.arn,
rotationRules: {
automaticallyAfterDays: 7,
},
});
constructor
new Secret(name: string, args?: SecretArgs, opts?: pulumi.CustomResourceOptions)
Create a Secret resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretState, opts?: pulumi.CustomResourceOptions): Secret
Get an existing Secret resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is Secret
Returns true if the given object is an instance of Secret. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property arn
public arn: pulumi.Output<string>;Amazon Resource Name (ARN) of the secret.
property description
public description: pulumi.Output<string | undefined>;A description of the secret.
property id
id: Output<ID>;id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property kmsKeyId
public kmsKeyId: pulumi.Output<string | undefined>;Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.
property name
public name: pulumi.Output<string>;Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with namePrefix.
property namePrefix
public namePrefix: pulumi.Output<string>;Creates a unique name beginning with the specified prefix. Conflicts with name.
property policy
public policy: pulumi.Output<string | undefined>;A valid JSON document representing a resource policy.
property recoveryWindowInDays
public recoveryWindowInDays: pulumi.Output<number | undefined>;Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
property rotationEnabled
public rotationEnabled: pulumi.Output<boolean>;Specifies whether automatic rotation is enabled for this secret.
property rotationLambdaArn
public rotationLambdaArn: pulumi.Output<string | undefined>;Specifies the ARN of the Lambda function that can rotate the secret.
property rotationRules
public rotationRules: pulumi.Output<SecretRotationRules | undefined>;A structure that defines the rotation configuration for this secret. Defined below.
property tags
public tags: pulumi.Output<{[key: string]: any} | undefined>;Specifies a key-value map of user-defined tags that are attached to the secret.
property urn
urn: Output<URN>;urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
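The name, namePrefix, recoveryWindowInDays and policy descriptions above each state a constraint, but the provider only reports a violation at deploy time. The following is an added example, not code from the Pulumi provider: a plain TypeScript pre-check that enforces those constraints before the values reach new aws.secretsmanager.Secret(...), plus a builder for a read-only resource policy. The rotationRules-requires-rotationLambdaArn rule, the SecretArgsPlain interface and the helper names are this example's own assumptions.

```typescript
// Added example (not Pulumi provider code): validates Secret arguments against the
// constraints the property descriptions state, and builds a read-only resource policy.
// Plain TypeScript with no Pulumi dependency so it can be unit-tested offline.

export interface SecretArgsPlain {
  name?: string;
  namePrefix?: string;
  recoveryWindowInDays?: number;
  policy?: string;
  rotationLambdaArn?: string;
  rotationRules?: { automaticallyAfterDays: number };
}

// Allowed characters per the `name` property description: letters, digits and /_+=.@-
const NAME_RE = /^[A-Za-z0-9/_+=.@-]+$/;

export function validateSecretArgs(args: SecretArgsPlain): string[] {
  const errors: string[] = [];

  // name and namePrefix conflict with each other.
  if (args.name !== undefined && args.namePrefix !== undefined) {
    errors.push("name conflicts with namePrefix; set only one");
  }
  const named: Array<[string, string | undefined]> = [["name", args.name], ["namePrefix", args.namePrefix]];
  for (const [field, value] of named) {
    if (value !== undefined && !NAME_RE.test(value)) {
      errors.push(field + " may only contain letters, digits and /_+=.@-");
    }
  }

  // recoveryWindowInDays is 0 (force delete, no recovery) or an integer in 7..30.
  const days = args.recoveryWindowInDays;
  if (days !== undefined && !(days === 0 || (Math.floor(days) === days && days >= 7 && days <= 30))) {
    errors.push("recoveryWindowInDays must be 0 or between 7 and 30");
  }

  // policy must be a valid JSON document with a Statement array.
  if (args.policy !== undefined) {
    try {
      const doc = JSON.parse(args.policy);
      if (!doc || !Array.isArray(doc.Statement)) errors.push("policy JSON has no Statement array");
    } catch {
      errors.push("policy is not valid JSON");
    }
  }

  // Assumption of this example: rotationRules without a rotation Lambda is a mistake.
  if (args.rotationRules !== undefined && args.rotationLambdaArn === undefined) {
    errors.push("rotationRules requires rotationLambdaArn");
  }
  return errors;
}

// Resource policy that lets only the listed IAM principals read the value.
// In a Secrets Manager resource policy, Resource "*" means the secret the policy is attached to.
export function readOnlyPolicy(principalArns: string[]): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowListedPrincipalsToRead",
        Effect: "Allow",
        Principal: { AWS: principalArns },
        Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        Resource: "*",
      },
    ],
  });
}

// Usage: run the check before constructing the resource and fail fast on any error.
const candidate: SecretArgsPlain = {
  name: "prod/db-creds",
  recoveryWindowInDays: 7,
  policy: readOnlyPolicy(["arn:aws:iam::123456789012:role/app"]),
};
const problems = validateSecretArgs(candidate);
if (problems.length > 0) throw new Error(problems.join("; "));
```

Running the check in the Pulumi program itself means a bad recovery window or an unparsable policy fails `pulumi preview` instead of a partially applied `pulumi up`.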
Resource SecretVersion
class SecretVersion extends CustomResource
Provides a resource to manage AWS Secrets Manager secret version including its secret value. To manage secret metadata, see the aws.secretsmanager.Secret resource.
NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from this provider unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from this provider to fully trigger version deprecation if necessary.
Example Usage
Simple String Value
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.secretsmanager.SecretVersion("example", {
secretId: aws_secretsmanager_secret_example.id,
secretString: "example-string-to-protect",
});
Key-Value Pairs
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const config = new pulumi.Config();
// The map here can come from other supported configurations
// like stack config, resource attributes, etc.
const example = config.getObject<{[key: string]: string}>("example") || {
key1: "value1",
key2: "value2",
};
const exampleSecretVersion = new aws.secretsmanager.SecretVersion("example", {
secretId: aws_secretsmanager_secret_example.id,
// Store the whole key-value map as one JSON document in secretString.
secretString: JSON.stringify(example),
});
constructor
new SecretVersion(name: string, args: SecretVersionArgs, opts?: pulumi.CustomResourceOptions)
Create a SecretVersion resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretVersionState, opts?: pulumi.CustomResourceOptions): SecretVersion
Get an existing SecretVersion resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is SecretVersion
Returns true if the given object is an instance of SecretVersion. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property arn
public arn: pulumi.Output<string>;The ARN of the secret.
property id
id: Output<ID>;id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property secretBinary
public secretBinary: pulumi.Output<string | undefined>;Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.
property secretId
public secretId: pulumi.Output<string>;Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
property secretString
public secretString: pulumi.Output<string | undefined>;Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.
property urn
urn: Output<URN>;urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
property versionId
public versionId: pulumi.Output<string>;The unique identifier of the version of the secret.
property versionStages
public versionStages: pulumi.Output<string[]>;Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.
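The secretString and secretBinary descriptions above leave three things to the caller: exactly one of the two must be set, secretBinary must already be base64, and whatever is stored must be decoded again on the read side (the getSecretVersion function later on this page returns the same two fields). The following is an added example, not provider code: helpers that build a SecretVersion input from a key-value map or from raw bytes, enforce the one-of rule, and decode a getSecretVersion-shaped result. The base64 codec is inlined so it runs without Node's Buffer; the assumption that an unused value field comes back as an empty string is this example's own.

```typescript
// Added example (not Pulumi provider code): prepare SecretVersion inputs and decode
// getSecretVersion results. Plain TypeScript, no Pulumi dependency.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Standard base64 with '=' padding, as secretBinary requires.
export function base64Encode(bytes: Uint8Array): string {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i];
    const b1: number | undefined = i + 1 < bytes.length ? bytes[i + 1] : undefined;
    const b2: number | undefined = i + 2 < bytes.length ? bytes[i + 2] : undefined;
    const n = (b0 << 16) | ((b1 ?? 0) << 8) | (b2 ?? 0);
    out += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    out += b1 === undefined ? "=" : B64[(n >> 6) & 63];
    out += b2 === undefined ? "=" : B64[n & 63];
  }
  return out;
}

export function base64Decode(s: string): Uint8Array {
  const bytes: number[] = [];
  let acc = 0;
  let bits = 0;
  for (const ch of s.replace(/=+$/, "")) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("invalid base64 character: " + ch);
    acc = ((acc << 6) | v) & 0xffffff; // keep the low 24 bits; that is all we read from
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
    }
  }
  return Uint8Array.from(bytes);
}

// Mirrors SecretVersionArgs with plain strings instead of pulumi.Input.
export interface SecretVersionInput {
  secretId: string;
  secretString?: string;
  secretBinary?: string;
  versionStages?: string[];
}

// Key-value pairs are stored as one JSON document in secretString.
export function fromKeyValues(secretId: string, kv: { [key: string]: string }): SecretVersionInput {
  return { secretId, secretString: JSON.stringify(kv) };
}

// Raw bytes (a certificate, a binary key) go into secretBinary, base64-encoded.
export function fromBytes(secretId: string, bytes: Uint8Array): SecretVersionInput {
  return { secretId, secretBinary: base64Encode(bytes) };
}

// Exactly one of the two value fields may be set; fail before the provider does.
export function assertExactlyOneValue(input: SecretVersionInput): SecretVersionInput {
  const set = [input.secretString, input.secretBinary].filter((v) => v !== undefined).length;
  if (set !== 1) throw new Error("exactly one of secretString or secretBinary must be set");
  return input;
}

// Shape of a getSecretVersion result. Assumption: the field not used is an empty string.
export interface SecretVersionResultLike {
  secretString: string;
  secretBinary: string;
  versionStages: string[];
}

// Returns bytes for a binary secret, a parsed map for a JSON secretString, else the raw string.
export function decodeValue(r: SecretVersionResultLike): { [key: string]: string } | string | Uint8Array {
  if (r.secretBinary !== "") return base64Decode(r.secretBinary);
  try {
    const parsed = JSON.parse(r.secretString);
    if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) return parsed;
  } catch {
    // not JSON: fall through and return the plain string
  }
  return r.secretString;
}

// Usage: build the input, check it, then pass its fields to new aws.secretsmanager.SecretVersion(...).
const dbCreds = assertExactlyOneValue(fromKeyValues("prod/db", { key1: "value1", key2: "value2" }));
const cert = assertExactlyOneValue(fromBytes("prod/cert", Uint8Array.from([0, 255, 16, 32])));
```

Keeping the encode and decode helpers together means the program that writes the version and the program that reads it agree on the framing; a reader that parses JSON out of a secretBinary value, or that forgets to base64-decode, is the usual source of "corrupted secret" reports.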
Functions
Function getSecret
getSecret(args?: GetSecretArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretResult>
Retrieve metadata information about a Secrets Manager secret. To retrieve a secret value, see the aws.secretsmanager.getSecretVersion function.
Example Usage
ARN
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const by_arn = pulumi.output(aws.secretsmanager.getSecret({
arn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456",
}, { async: true }));
Name
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const by_name = pulumi.output(aws.secretsmanager.getSecret({
name: "example",
}, { async: true }));
Function getSecretVersion
getSecretVersion(args: GetSecretVersionArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretVersionResult>
Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the aws.secretsmanager.getSecret function.
Example Usage
Retrieve Current Secret Version
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = aws_secretsmanager_secret_example.id.apply(id => aws.secretsmanager.getSecretVersion({
secretId: id,
}, { async: true }));
Retrieve Specific Secret Version
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const by_version_stage = aws_secretsmanager_secret_example.id.apply(id => aws.secretsmanager.getSecretVersion({
secretId: id,
versionStage: "example",
}, { async: true }));
Others
interface GetSecretArgs
interface GetSecretArgs
A collection of arguments for invoking getSecret.
property arn
arn?: undefined | string;The Amazon Resource Name (ARN) of the secret to retrieve.
property name
name?: undefined | string;The name of the secret to retrieve.
interface GetSecretResult
interface GetSecretResult
A collection of values returned by getSecret.
property arn
arn: string;The Amazon Resource Name (ARN) of the secret.
property description
description: string;A description of the secret.
property id
id: string;The provider-assigned unique ID for this managed resource.
property kmsKeyId
kmsKeyId: string;The Key Management Service (KMS) Customer Master Key (CMK) associated with the secret.
property name
name: string;
property policy
policy: string;The resource-based policy document that’s attached to the secret.
property rotationEnabled
rotationEnabled: boolean;Whether rotation is enabled or not.
property rotationLambdaArn
rotationLambdaArn: string;Rotation Lambda function Amazon Resource Name (ARN) if rotation is enabled.
property rotationRules
rotationRules: GetSecretRotationRule[];Rotation rules if rotation is enabled.
property tags
tags: {[key: string]: any};Tags of the secret.
interface GetSecretVersionArgs
interface GetSecretVersionArgs
A collection of arguments for invoking getSecretVersion.
property secretId
secretId: string;Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
property versionId
versionId?: undefined | string;Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides versionStage.
property versionStage
versionStage?: undefined | string;Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.
interface GetSecretVersionResult
interface GetSecretVersionResult
A collection of values returned by getSecretVersion.
property arn
arn: string;The ARN of the secret.
property id
id: string;The provider-assigned unique ID for this managed resource.
property secretBinary
secretBinary: string;The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.
property secretId
secretId: string;
property secretString
secretString: string;The decrypted part of the protected secret information that was originally provided as a string.
property versionId
versionId: string;The unique identifier of this version of the secret.
property versionStage
versionStage?: undefined | string;
property versionStages
versionStages: string[];
interface SecretArgs
interface SecretArgs
The set of arguments for constructing a Secret resource.
property description
description?: pulumi.Input<string>;A description of the secret.
property kmsKeyId
kmsKeyId?: pulumi.Input<string>;Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.
property name
name?: pulumi.Input<string>;Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with namePrefix.
property namePrefix
namePrefix?: pulumi.Input<string>;Creates a unique name beginning with the specified prefix. Conflicts with name.
property policy
policy?: pulumi.Input<string>;A valid JSON document representing a resource policy.
property recoveryWindowInDays
recoveryWindowInDays?: pulumi.Input<number>;Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
property rotationLambdaArn
rotationLambdaArn?: pulumi.Input<string>;Specifies the ARN of the Lambda function that can rotate the secret.
property rotationRules
rotationRules?: pulumi.Input<SecretRotationRules>;A structure that defines the rotation configuration for this secret. Defined below.
property tags
tags?: pulumi.Input<{[key: string]: any}>;Specifies a key-value map of user-defined tags that are attached to the secret.
interface SecretState
interface SecretState
Input properties used for looking up and filtering Secret resources.
property arn
arn?: pulumi.Input<string>;Amazon Resource Name (ARN) of the secret.
property description
description?: pulumi.Input<string>;A description of the secret.
property kmsKeyId
kmsKeyId?: pulumi.Input<string>;Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.
property name
name?: pulumi.Input<string>;Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with namePrefix.
property namePrefix
namePrefix?: pulumi.Input<string>;Creates a unique name beginning with the specified prefix. Conflicts with name.
property policy
policy?: pulumi.Input<string>;A valid JSON document representing a resource policy.
property recoveryWindowInDays
recoveryWindowInDays?: pulumi.Input<number>;Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
property rotationEnabled
rotationEnabled?: pulumi.Input<boolean>;Specifies whether automatic rotation is enabled for this secret.
property rotationLambdaArn
rotationLambdaArn?: pulumi.Input<string>;Specifies the ARN of the Lambda function that can rotate the secret.
property rotationRules
rotationRules?: pulumi.Input<SecretRotationRules>;A structure that defines the rotation configuration for this secret. Defined below.
property tags
tags?: pulumi.Input<{[key: string]: any}>;Specifies a key-value map of user-defined tags that are attached to the secret.
interface SecretVersionArgs
interface SecretVersionArgs
The set of arguments for constructing a SecretVersion resource.
property secretBinary
secretBinary?: pulumi.Input<string>;Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.
property secretId
secretId: pulumi.Input<string>;Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
property secretString
secretString?: pulumi.Input<string>;Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.
property versionStages
versionStages?: pulumi.Input<pulumi.Input<string>[]>;Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.
interface SecretVersionState
interface SecretVersionState
Input properties used for looking up and filtering SecretVersion resources.
property arn
arn?: pulumi.Input<string>;The ARN of the secret.
property secretBinary
secretBinary?: pulumi.Input<string>;Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secretString is not set. Needs to be encoded to base64.
property secretId
secretId?: pulumi.Input<string>;Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
property secretString
secretString?: pulumi.Input<string>;Specifies text data that you want to encrypt and store in this version of the secret. This is required if secretBinary is not set.
property versionId
versionId?: pulumi.Input<string>;The unique identifier of the version of the secret.
property versionStages
versionStages?: pulumi.Input<pulumi.Input<string>[]>;Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.