1. Docs
  2. Reference
  3. API
  4. pulumi_aws
  5. secretsmanager

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

secretsmanager

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.secretsmanager.AwaitableGetSecretResult(arn=None, description=None, id=None, kms_key_id=None, name=None, policy=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, tags=None)
class pulumi_aws.secretsmanager.AwaitableGetSecretRotationResult(id=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, secret_id=None)
class pulumi_aws.secretsmanager.AwaitableGetSecretVersionResult(arn=None, id=None, secret_binary=None, secret_id=None, secret_string=None, version_id=None, version_stage=None, version_stages=None)
class pulumi_aws.secretsmanager.GetSecretResult(arn=None, description=None, id=None, kms_key_id=None, name=None, policy=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, tags=None)

A collection of values returned by getSecret.

arn = None

The Amazon Resource Name (ARN) of the secret.

description = None

A description of the secret.

id = None

The provider-assigned unique ID for this managed resource.

kms_key_id = None

The Key Management Service (KMS) Customer Master Key (CMK) associated with the secret.

policy = None

The resource-based policy document that’s attached to the secret.

rotation_enabled = None

Whether rotation is enabled or not.

rotation_lambda_arn = None

Rotation Lambda function Amazon Resource Name (ARN) if rotation is enabled.

rotation_rules = None

Rotation rules if rotation is enabled.

tags = None

Tags of the secret.

class pulumi_aws.secretsmanager.GetSecretRotationResult(id=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, secret_id=None)

A collection of values returned by getSecretRotation.

id = None

The provider-assigned unique ID for this managed resource.

rotation_enabled = None

The ARN of the secret.

rotation_lambda_arn = None

The decrypted part of the protected secret information that was originally provided as a string.

rotation_rules = None

The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.

class pulumi_aws.secretsmanager.GetSecretVersionResult(arn=None, id=None, secret_binary=None, secret_id=None, secret_string=None, version_id=None, version_stage=None, version_stages=None)

A collection of values returned by getSecretVersion.

arn = None

The ARN of the secret.

id = None

The provider-assigned unique ID for this managed resource.

secret_binary = None

The decrypted part of the protected secret information that was originally provided as a binary. Base64 encoded.

secret_string = None

The decrypted part of the protected secret information that was originally provided as a string.

version_id = None

The unique identifier of this version of the secret.

class pulumi_aws.secretsmanager.Secret(resource_name, opts=None, description=None, kms_key_id=None, name=None, name_prefix=None, policy=None, recovery_window_in_days=None, rotation_lambda_arn=None, rotation_rules=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage AWS Secrets Manager secret metadata. To manage secret rotation, see the secretsmanager.SecretRotation resource. To manage a secret value, see the secretsmanager.SecretVersion resource.

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.Secret("example")

import pulumi
import pulumi_aws as aws

rotation_example = aws.secretsmanager.Secret("rotation-example",
    rotation_lambda_arn=aws_lambda_function["example"]["arn"],
    rotation_rules={
        "automaticallyAfterDays": 7,
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • description (pulumi.Input[str]) – A description of the secret.

  • kms_key*id (pulumi.Input[str]) –

    Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

  • name (pulumi.Input[str]) – Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /*+=.@-``Conflicts with`name_prefix``.

  • name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with``name``.

  • policy (pulumi.Input[str]) – A valid JSON document representing a [resource policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html).

  • recovery_window_in_days (pulumi.Input[float]) – Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be``0to force deletion without recovery or range from7to30days. The default value is30``.

  • rotation_lambda_arn (pulumi.Input[str]) – Specifies the ARN of the Lambda function that can rotate the secret. Use the``secretsmanager.SecretRotation``resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

  • rotation_rules (pulumi.Input[dict]) – A structure that defines the rotation configuration for this secret. Defined below. Use the``secretsmanager.SecretRotation` resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

  • tags (pulumi.Input[dict]) – Specifies a key-value map of user-defined tags that are attached to the secret.

The rotation_rules object supports the following:

  • automaticallyAfterDays (pulumi.Input[float]) - Specifies the number of days between automatic scheduled rotations of the secret.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the secret.

description: pulumi.Output[str] = None

A description of the secret.

kms_key_id: pulumi.Output[str] = None

Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

name: pulumi.Output[str] = None

Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.

name_prefix: pulumi.Output[str] = None

Creates a unique name beginning with the specified prefix. Conflicts with name.

policy: pulumi.Output[str] = None

A valid JSON document representing a resource policy.

recovery_window_in_days: pulumi.Output[float] = None

Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.

rotation_enabled: pulumi.Output[bool] = None

Specifies whether automatic rotation is enabled for this secret.

rotation_lambda_arn: pulumi.Output[str] = None

Specifies the ARN of the Lambda function that can rotate the secret. Use the secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

rotation_rules: pulumi.Output[dict] = None

A structure that defines the rotation configuration for this secret. Defined below. Use the secretsmanager.SecretRotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

  • automaticallyAfterDays (float) - Specifies the number of days between automatic scheduled rotations of the secret.

tags: pulumi.Output[dict] = None

Specifies a key-value map of user-defined tags that are attached to the secret.

static get(resource_name, id, opts=None, arn=None, description=None, kms_key_id=None, name=None, name_prefix=None, policy=None, recovery_window_in_days=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, tags=None)

Get an existing Secret resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the secret.

  • description (pulumi.Input[str]) – A description of the secret.

  • kms_key*id (pulumi.Input[str]) –

    Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. If you don’t specify this value, then Secrets Manager defaults to using the AWS account’s default CMK (the one named aws/secretsmanager). If the default KMS CMK with that name doesn’t yet exist, then AWS Secrets Manager creates it for you automatically the first time.

  • name (pulumi.Input[str]) – Specifies the friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /*+=.@-``Conflicts with`name_prefix``.

  • name_prefix (pulumi.Input[str]) – Creates a unique name beginning with the specified prefix. Conflicts with``name``.

  • policy (pulumi.Input[str]) – A valid JSON document representing a [resource policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html).

  • recovery_window_in_days (pulumi.Input[float]) – Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be``0to force deletion without recovery or range from7to30days. The default value is30``.

  • rotation_enabled (pulumi.Input[bool]) – Specifies whether automatic rotation is enabled for this secret.

  • rotation_lambda_arn (pulumi.Input[str]) – Specifies the ARN of the Lambda function that can rotate the secret. Use the``secretsmanager.SecretRotation``resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

  • rotation_rules (pulumi.Input[dict]) – A structure that defines the rotation configuration for this secret. Defined below. Use the``secretsmanager.SecretRotation` resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.

  • tags (pulumi.Input[dict]) – Specifies a key-value map of user-defined tags that are attached to the secret.

The rotation_rules object supports the following:

  • automaticallyAfterDays (pulumi.Input[float]) - Specifies the number of days between automatic scheduled rotations of the secret.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.secretsmanager.SecretRotation(resource_name, opts=None, rotation_lambda_arn=None, rotation_rules=None, secret_id=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage AWS Secrets Manager secret rotation. To manage a secret, see the ``secretsmanager.Secret` resource <https://www.terraform.io/docs/providers/aws/r/secretsmanager_secret.html>`_. To manage a secret value, see the ``secretsmanager.SecretVersion` resource <https://www.terraform.io/docs/providers/aws/r/secretsmanager_secret_version.html>`_.

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.SecretRotation("example",
    rotation_lambda_arn=aws_lambda_function["example"]["arn"],
    rotation_rules={
        "automaticallyAfterDays": 30,
    },
    secret_id=aws_secretsmanager_secret["example"]["id"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • rotation_lambda_arn (pulumi.Input[str]) – Specifies the ARN of the Lambda function that can rotate the secret.

  • rotation_rules (pulumi.Input[dict]) – A structure that defines the rotation configuration for this secret. Defined below.

  • secret_id (pulumi.Input[str]) – Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

The rotation_rules object supports the following:

  • automaticallyAfterDays (pulumi.Input[float]) - Specifies the number of days between automatic scheduled rotations of the secret.

rotation_enabled: pulumi.Output[bool] = None

Specifies whether automatic rotation is enabled for this secret.

rotation_lambda_arn: pulumi.Output[str] = None

Specifies the ARN of the Lambda function that can rotate the secret.

rotation_rules: pulumi.Output[dict] = None

A structure that defines the rotation configuration for this secret. Defined below.

  • automaticallyAfterDays (float) - Specifies the number of days between automatic scheduled rotations of the secret.

secret_id: pulumi.Output[str] = None

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

static get(resource_name, id, opts=None, rotation_enabled=None, rotation_lambda_arn=None, rotation_rules=None, secret_id=None, tags=None)

Get an existing SecretRotation resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • rotation_enabled (pulumi.Input[bool]) – Specifies whether automatic rotation is enabled for this secret.

  • rotation_lambda_arn (pulumi.Input[str]) – Specifies the ARN of the Lambda function that can rotate the secret.

  • rotation_rules (pulumi.Input[dict]) – A structure that defines the rotation configuration for this secret. Defined below.

  • secret_id (pulumi.Input[str]) – Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

The rotation_rules object supports the following:

  • automaticallyAfterDays (pulumi.Input[float]) - Specifies the number of days between automatic scheduled rotations of the secret.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.secretsmanager.SecretVersion(resource_name, opts=None, secret_binary=None, secret_id=None, secret_string=None, version_stages=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage AWS Secrets Manager secret version including its secret value. To manage secret metadata, see the secretsmanager.Secret resource.

NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from this provider unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from this provider to fully trigger version deprecation if necessary.

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.SecretVersion("example",
    secret_id=aws_secretsmanager_secret["example"]["id"],
    secret_string="example-string-to-protect")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • secret_binary (pulumi.Input[str]) – Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secret_string is not set. Needs to be encoded to base64.

  • secret_id (pulumi.Input[str]) – Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

  • secret_string (pulumi.Input[str]) – Specifies text data that you want to encrypt and store in this version of the secret. This is required if secret_binary is not set.

  • version_stages (pulumi.Input[list]) – Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

arn: pulumi.Output[str] = None

The ARN of the secret.

secret_binary: pulumi.Output[str] = None

Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secret_string is not set. Needs to be encoded to base64.

secret_id: pulumi.Output[str] = None

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

secret_string: pulumi.Output[str] = None

Specifies text data that you want to encrypt and store in this version of the secret. This is required if secret_binary is not set.

version_id: pulumi.Output[str] = None

The unique identifier of the version of the secret.

version_stages: pulumi.Output[list] = None

Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

static get(resource_name, id, opts=None, arn=None, secret_binary=None, secret_id=None, secret_string=None, version_id=None, version_stages=None)

Get an existing SecretVersion resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN of the secret.

  • secret_binary (pulumi.Input[str]) – Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secret_string is not set. Needs to be encoded to base64.

  • secret_id (pulumi.Input[str]) – Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

  • secret_string (pulumi.Input[str]) – Specifies text data that you want to encrypt and store in this version of the secret. This is required if secret_binary is not set.

  • version_id (pulumi.Input[str]) – The unique identifier of the version of the secret.

  • version_stages (pulumi.Input[list]) – Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that’s already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.secretsmanager.get_secret(arn=None, name=None, opts=None)

Retrieve metadata information about a Secrets Manager secret. To retrieve a secret value, see the secretsmanager.SecretVersion.

import pulumi
import pulumi_aws as aws

by_arn = aws.secretsmanager.get_secret(arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456")

import pulumi
import pulumi_aws as aws

by_name = aws.secretsmanager.get_secret(name="example")
Parameters

  • arn (str) – The Amazon Resource Name (ARN) of the secret to retrieve.

  • name (str) – The name of the secret to retrieve.

pulumi_aws.secretsmanager.get_secret_rotation(secret_id=None, opts=None)

Retrieve information about a Secrets Manager secret rotation. To retrieve secret metadata, see the ``secretsmanager.Secret` data source <https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret.html>`_. To retrieve a secret value, see the ``secretsmanager.SecretVersion` data source <https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret_version.html>`_.

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.get_secret_rotation(secret_id=data["aws_secretsmanager_secret"]["example"]["id"])
Parameters

secret_id (str) – Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

pulumi_aws.secretsmanager.get_secret_version(secret_id=None, version_id=None, version_stage=None, opts=None)

Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the secretsmanager.Secret data source.

import pulumi
import pulumi_aws as aws

example = aws.secretsmanager.get_secret_version(secret_id=data["aws_secretsmanager_secret"]["example"]["id"])

import pulumi
import pulumi_aws as aws

by_version_stage = aws.secretsmanager.get_secret_version(secret_id=data["aws_secretsmanager_secret"]["example"]["id"],
    version_stage="example")
Parameters

  • secret_id (str) – Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

  • version_id (str) – Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides version_stage.

  • version_stage (str) – Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.