We recommend new projects start with resources from the AWS provider.
aws-native.secretsmanager.Secret
Explore with Pulumi AI
We recommend new projects start with resources from the AWS provider.
Creates a new secret. A secret can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. For RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret. For RS admin user credentials, see AWS::Redshift::Cluster. To retrieve a secret in a CFNshort template, use a dynamic reference. For more information, see Retrieve a secret in an resource. For information about creating a secret in the console, see Create a secret. For information about creating a secret using the CLI or SDK, see CreateSecret. For information about retrieving a secret in code, see Retrieve secrets from Secrets Manager.
Example Usage
Example
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AwsNative = Pulumi.AwsNative;
return await Deployment.RunAsync(() =>
{
var myRedshiftSecret = new AwsNative.SecretsManager.Secret("myRedshiftSecret", new()
{
Description = "This is a Secrets Manager secret for a Redshift cluster",
GenerateSecretString = new AwsNative.SecretsManager.Inputs.SecretGenerateSecretStringArgs
{
SecretStringTemplate = "{\"username\": \"admin\"}",
GenerateStringKey = "password",
PasswordLength = 16,
ExcludeCharacters = "\"'@/\\",
},
});
var myRedshiftCluster = new AwsNative.Redshift.Cluster("myRedshiftCluster", new()
{
DbName = "myjsondb",
MasterUsername = myRedshiftSecret.Id.Apply(id => $"{{{{resolve:secretsmanager:{id}::username}}}}"),
MasterUserPassword = myRedshiftSecret.Id.Apply(id => $"{{{{resolve:secretsmanager:{id}::password}}}}"),
NodeType = "ds2.xlarge",
ClusterType = "single-node",
});
var secretRedshiftAttachment = new AwsNative.SecretsManager.SecretTargetAttachment("secretRedshiftAttachment", new()
{
SecretId = myRedshiftSecret.Id,
TargetId = myRedshiftCluster.Id,
TargetType = "AWS::Redshift::Cluster",
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/redshift"
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myRedshiftSecret, err := secretsmanager.NewSecret(ctx, "myRedshiftSecret", &secretsmanager.SecretArgs{
Description: pulumi.String("This is a Secrets Manager secret for a Redshift cluster"),
GenerateSecretString: &secretsmanager.SecretGenerateSecretStringArgs{
SecretStringTemplate: pulumi.String("{\"username\": \"admin\"}"),
GenerateStringKey: pulumi.String("password"),
PasswordLength: pulumi.Int(16),
ExcludeCharacters: pulumi.String("\"'@/\\"),
},
})
if err != nil {
return err
}
myRedshiftCluster, err := redshift.NewCluster(ctx, "myRedshiftCluster", &redshift.ClusterArgs{
DbName: pulumi.String("myjsondb"),
MasterUsername: myRedshiftSecret.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("{{resolve:secretsmanager:%v::username}}", id), nil
}).(pulumi.StringOutput),
MasterUserPassword: myRedshiftSecret.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("{{resolve:secretsmanager:%v::password}}", id), nil
}).(pulumi.StringOutput),
NodeType: pulumi.String("ds2.xlarge"),
ClusterType: pulumi.String("single-node"),
})
if err != nil {
return err
}
_, err = secretsmanager.NewSecretTargetAttachment(ctx, "secretRedshiftAttachment", &secretsmanager.SecretTargetAttachmentArgs{
SecretId: myRedshiftSecret.ID(),
TargetId: myRedshiftCluster.ID(),
TargetType: pulumi.String("AWS::Redshift::Cluster"),
})
if err != nil {
return err
}
return nil
})
}
Coming soon!
import pulumi
import pulumi_aws_native as aws_native
my_redshift_secret = aws_native.secretsmanager.Secret("myRedshiftSecret",
description="This is a Secrets Manager secret for a Redshift cluster",
generate_secret_string={
"secret_string_template": "{\"username\": \"admin\"}",
"generate_string_key": "password",
"password_length": 16,
"exclude_characters": "\"'@/\\",
})
my_redshift_cluster = aws_native.redshift.Cluster("myRedshiftCluster",
db_name="myjsondb",
master_username=my_redshift_secret.id.apply(lambda id: f"{{{{resolve:secretsmanager:{id}::username}}}}"),
master_user_password=my_redshift_secret.id.apply(lambda id: f"{{{{resolve:secretsmanager:{id}::password}}}}"),
node_type="ds2.xlarge",
cluster_type="single-node")
secret_redshift_attachment = aws_native.secretsmanager.SecretTargetAttachment("secretRedshiftAttachment",
secret_id=my_redshift_secret.id,
target_id=my_redshift_cluster.id,
target_type="AWS::Redshift::Cluster")
import * as pulumi from "@pulumi/pulumi";
import * as aws_native from "@pulumi/aws-native";
const myRedshiftSecret = new aws_native.secretsmanager.Secret("myRedshiftSecret", {
description: "This is a Secrets Manager secret for a Redshift cluster",
generateSecretString: {
secretStringTemplate: "{\"username\": \"admin\"}",
generateStringKey: "password",
passwordLength: 16,
excludeCharacters: "\"'@/\\",
},
});
const myRedshiftCluster = new aws_native.redshift.Cluster("myRedshiftCluster", {
dbName: "myjsondb",
masterUsername: pulumi.interpolate`{{resolve:secretsmanager:${myRedshiftSecret.id}::username}}`,
masterUserPassword: pulumi.interpolate`{{resolve:secretsmanager:${myRedshiftSecret.id}::password}}`,
nodeType: "ds2.xlarge",
clusterType: "single-node",
});
const secretRedshiftAttachment = new aws_native.secretsmanager.SecretTargetAttachment("secretRedshiftAttachment", {
secretId: myRedshiftSecret.id,
targetId: myRedshiftCluster.id,
targetType: "AWS::Redshift::Cluster",
});
Coming soon!
Example
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AwsNative = Pulumi.AwsNative;
return await Deployment.RunAsync(() =>
{
var myRedshiftSecret = new AwsNative.SecretsManager.Secret("myRedshiftSecret", new()
{
Description = "This is a Secrets Manager secret for a Redshift cluster",
GenerateSecretString = new AwsNative.SecretsManager.Inputs.SecretGenerateSecretStringArgs
{
SecretStringTemplate = "{\"username\": \"admin\"}",
GenerateStringKey = "password",
PasswordLength = 16,
ExcludeCharacters = "\"'@/\\",
},
});
var myRedshiftCluster = new AwsNative.Redshift.Cluster("myRedshiftCluster", new()
{
DbName = "myjsondb",
MasterUsername = myRedshiftSecret.Id.Apply(id => $"{{{{resolve:secretsmanager:{id}::username}}}}"),
MasterUserPassword = myRedshiftSecret.Id.Apply(id => $"{{{{resolve:secretsmanager:{id}::password}}}}"),
NodeType = "ds2.xlarge",
ClusterType = "single-node",
});
var secretRedshiftAttachment = new AwsNative.SecretsManager.SecretTargetAttachment("secretRedshiftAttachment", new()
{
SecretId = myRedshiftSecret.Id,
TargetId = myRedshiftCluster.Id,
TargetType = "AWS::Redshift::Cluster",
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/redshift"
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myRedshiftSecret, err := secretsmanager.NewSecret(ctx, "myRedshiftSecret", &secretsmanager.SecretArgs{
Description: pulumi.String("This is a Secrets Manager secret for a Redshift cluster"),
GenerateSecretString: &secretsmanager.SecretGenerateSecretStringArgs{
SecretStringTemplate: pulumi.String("{\"username\": \"admin\"}"),
GenerateStringKey: pulumi.String("password"),
PasswordLength: pulumi.Int(16),
ExcludeCharacters: pulumi.String("\"'@/\\"),
},
})
if err != nil {
return err
}
myRedshiftCluster, err := redshift.NewCluster(ctx, "myRedshiftCluster", &redshift.ClusterArgs{
DbName: pulumi.String("myjsondb"),
MasterUsername: myRedshiftSecret.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("{{resolve:secretsmanager:%v::username}}", id), nil
}).(pulumi.StringOutput),
MasterUserPassword: myRedshiftSecret.ID().ApplyT(func(id string) (string, error) {
return fmt.Sprintf("{{resolve:secretsmanager:%v::password}}", id), nil
}).(pulumi.StringOutput),
NodeType: pulumi.String("ds2.xlarge"),
ClusterType: pulumi.String("single-node"),
})
if err != nil {
return err
}
_, err = secretsmanager.NewSecretTargetAttachment(ctx, "secretRedshiftAttachment", &secretsmanager.SecretTargetAttachmentArgs{
SecretId: myRedshiftSecret.ID(),
TargetId: myRedshiftCluster.ID(),
TargetType: pulumi.String("AWS::Redshift::Cluster"),
})
if err != nil {
return err
}
return nil
})
}
Coming soon!
import pulumi
import pulumi_aws_native as aws_native
my_redshift_secret = aws_native.secretsmanager.Secret("myRedshiftSecret",
description="This is a Secrets Manager secret for a Redshift cluster",
generate_secret_string={
"secret_string_template": "{\"username\": \"admin\"}",
"generate_string_key": "password",
"password_length": 16,
"exclude_characters": "\"'@/\\",
})
my_redshift_cluster = aws_native.redshift.Cluster("myRedshiftCluster",
db_name="myjsondb",
master_username=my_redshift_secret.id.apply(lambda id: f"{{{{resolve:secretsmanager:{id}::username}}}}"),
master_user_password=my_redshift_secret.id.apply(lambda id: f"{{{{resolve:secretsmanager:{id}::password}}}}"),
node_type="ds2.xlarge",
cluster_type="single-node")
secret_redshift_attachment = aws_native.secretsmanager.SecretTargetAttachment("secretRedshiftAttachment",
secret_id=my_redshift_secret.id,
target_id=my_redshift_cluster.id,
target_type="AWS::Redshift::Cluster")
import * as pulumi from "@pulumi/pulumi";
import * as aws_native from "@pulumi/aws-native";
const myRedshiftSecret = new aws_native.secretsmanager.Secret("myRedshiftSecret", {
description: "This is a Secrets Manager secret for a Redshift cluster",
generateSecretString: {
secretStringTemplate: "{\"username\": \"admin\"}",
generateStringKey: "password",
passwordLength: 16,
excludeCharacters: "\"'@/\\",
},
});
const myRedshiftCluster = new aws_native.redshift.Cluster("myRedshiftCluster", {
dbName: "myjsondb",
masterUsername: pulumi.interpolate`{{resolve:secretsmanager:${myRedshiftSecret.id}::username}}`,
masterUserPassword: pulumi.interpolate`{{resolve:secretsmanager:${myRedshiftSecret.id}::password}}`,
nodeType: "ds2.xlarge",
clusterType: "single-node",
});
const secretRedshiftAttachment = new aws_native.secretsmanager.SecretTargetAttachment("secretRedshiftAttachment", {
secretId: myRedshiftSecret.id,
targetId: myRedshiftCluster.id,
targetType: "AWS::Redshift::Cluster",
});
Coming soon!
Create Secret Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Secret(name: string, args?: SecretArgs, opts?: CustomResourceOptions);
@overload
def Secret(resource_name: str,
args: Optional[SecretArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def Secret(resource_name: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
generate_secret_string: Optional[SecretGenerateSecretStringArgs] = None,
kms_key_id: Optional[str] = None,
name: Optional[str] = None,
replica_regions: Optional[Sequence[SecretReplicaRegionArgs]] = None,
secret_string: Optional[str] = None,
tags: Optional[Sequence[_root_inputs.TagArgs]] = None)
func NewSecret(ctx *Context, name string, args *SecretArgs, opts ...ResourceOption) (*Secret, error)
public Secret(string name, SecretArgs? args = null, CustomResourceOptions? opts = null)
public Secret(String name, SecretArgs args)
public Secret(String name, SecretArgs args, CustomResourceOptions options)
type: aws-native:secretsmanager:Secret
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Secret Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Secret resource accepts the following input properties:
- Description string
- The description of the secret.
- Generate
Secret Pulumi.String Aws Native. Secrets Manager. Inputs. Secret Generate Secret String - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - Kms
Key stringId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - Name string
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- Replica
Regions List<Pulumi.Aws Native. Secrets Manager. Inputs. Secret Replica Region> - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - Secret
String string - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - List<Pulumi.
Aws Native. Inputs. Tag> - A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
- Description string
- The description of the secret.
- Generate
Secret SecretString Generate Secret String Args - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - Kms
Key stringId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - Name string
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- Replica
Regions []SecretReplica Region Args - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - Secret
String string - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - Tag
Args - A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
- description String
- The description of the secret.
- generate
Secret SecretString Generate Secret String - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - kms
Key StringId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - name String
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- replica
Regions List<SecretReplica Region> - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - secret
String String - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - List<Tag>
- A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
- description string
- The description of the secret.
- generate
Secret SecretString Generate Secret String - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - kms
Key stringId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - name string
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- replica
Regions SecretReplica Region[] - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - secret
String string - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - Tag[]
- A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
- description str
- The description of the secret.
- generate_
secret_ Secretstring Generate Secret String Args - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - kms_
key_ strid - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - name str
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- replica_
regions Sequence[SecretReplica Region Args] - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - secret_
string str - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - Sequence[Tag
Args] - A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
- description String
- The description of the secret.
- generate
Secret Property MapString - A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use
SecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. - kms
Key StringId - The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by
alias/
, for examplealias/aws/secretsmanager
. For more information, see About aliases. To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the keyaws/secretsmanager
. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value. If the secret is in a different AWS account from the credentials calling the API, then you can't useaws/secretsmanager
to encrypt the secret, and you must create and use a customer managed KMS key. - name String
- The name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
- replica
Regions List<Property Map> - A custom type that specifies a
Region
and theKmsKeyId
for a replica secret. - secret
String String - The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use
GenerateSecretString
instead. If you omit bothGenerateSecretString
andSecretString
, you create an empty secret. When you make a change to this property, a new secret version is created. - List<Property Map>
- A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:
[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]
Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns anAccess Denied
error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags. For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags:- Maximum number of tags per secret: 50
- Maximum key length: 127 Unicode characters in UTF-8
- Maximum value length: 255 Unicode characters in UTF-8
- Tag keys and values are case sensitive.
- Do not use the
aws:
prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit. - If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
Outputs
All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:
Supporting Types
SecretGenerateSecretString, SecretGenerateSecretStringArgs
- Exclude
Characters string - A string of the characters that you don't want in the password.
- Exclude
Lowercase bool - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- Exclude
Numbers bool - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- Exclude
Punctuation bool - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - Exclude
Uppercase bool - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- Generate
String stringKey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - Include
Space bool - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- Password
Length int - The length of the password. If you don't include this parameter, the default length is 32 characters.
- Require
Each boolIncluded Type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- Secret
String stringTemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
- Exclude
Characters string - A string of the characters that you don't want in the password.
- Exclude
Lowercase bool - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- Exclude
Numbers bool - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- Exclude
Punctuation bool - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - Exclude
Uppercase bool - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- Generate
String stringKey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - Include
Space bool - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- Password
Length int - The length of the password. If you don't include this parameter, the default length is 32 characters.
- Require
Each boolIncluded Type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- Secret
String stringTemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
- exclude
Characters String - A string of the characters that you don't want in the password.
- exclude
Lowercase Boolean - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- exclude
Numbers Boolean - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- exclude
Punctuation Boolean - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - exclude
Uppercase Boolean - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- generate
String StringKey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - include
Space Boolean - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- password
Length Integer - The length of the password. If you don't include this parameter, the default length is 32 characters.
- require
Each BooleanIncluded Type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- secret
String StringTemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
- exclude
Characters string - A string of the characters that you don't want in the password.
- exclude
Lowercase boolean - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- exclude
Numbers boolean - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- exclude
Punctuation boolean - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - exclude
Uppercase boolean - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- generate
String stringKey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - include
Space boolean - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- password
Length number - The length of the password. If you don't include this parameter, the default length is 32 characters.
- require
Each booleanIncluded Type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- secret
String stringTemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
- exclude_
characters str - A string of the characters that you don't want in the password.
- exclude_
lowercase bool - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- exclude_
numbers bool - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- exclude_
punctuation bool - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - exclude_
uppercase bool - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- generate_
string_ strkey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - include_
space bool - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- password_
length int - The length of the password. If you don't include this parameter, the default length is 32 characters.
- require_
each_ boolincluded_ type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- secret_
string_ strtemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
- exclude
Characters String - A string of the characters that you don't want in the password.
- exclude
Lowercase Boolean - Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
- exclude
Numbers Boolean - Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
- exclude
Punctuation Boolean - Specifies whether to exclude the following punctuation characters from the password:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
. If you don't include this switch, the password can contain punctuation. - exclude
Uppercase Boolean - Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
- generate
String StringKey - The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the
SecretStringTemplate
parameter. If you specify this parameter, then you must also specifySecretStringTemplate
. - include
Space Boolean - Specifies whether to include the space character. If you include this switch, the password can contain space characters.
- password
Length Number - The length of the password. If you don't include this parameter, the default length is 32 characters.
- require
Each BooleanIncluded Type - Specifies whether to include at least one upper and lowercase letter, one number, and one punctuation. If you don't include this switch, the password contains at least one of every character type.
- secret
String StringTemplate - A template that the generated string must match. When you make a change to this property, a new secret version is created.
SecretReplicaRegion, SecretReplicaRegionArgs
- region str
- A string that represents a
Region
, for example "us-east-1". - kms_
key_ strid - The ARN, key ID, or alias of the KMS key to encrypt the secret. If you don't include this field, Secrets Manager uses
aws/secretsmanager
.
Tag, TagArgs
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
We recommend new projects start with resources from the AWS provider.