aws.secretsmanager.Secret
Explore with Pulumi AI
Provides a resource to manage AWS Secrets Manager secret metadata. To manage secret rotation, see the aws.secretsmanager.SecretRotation
resource. To manage a secret value, see the aws.secretsmanager.SecretVersion
resource.
Example Usage
Basic
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.secretsmanager.Secret("example", {name: "example"});
import pulumi
import pulumi_aws as aws
example = aws.secretsmanager.Secret("example", name="example")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := secretsmanager.NewSecret(ctx, "example", &secretsmanager.SecretArgs{
Name: pulumi.String("example"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.SecretsManager.Secret("example", new()
{
Name = "example",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.Secret;
import com.pulumi.aws.secretsmanager.SecretArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Secret("example", SecretArgs.builder()
.name("example")
.build());
}
}
resources:
example:
type: aws:secretsmanager:Secret
properties:
name: example
Create Secret Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Secret(name: string, args?: SecretArgs, opts?: CustomResourceOptions);
@overload
def Secret(resource_name: str,
args: Optional[SecretArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def Secret(resource_name: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
force_overwrite_replica_secret: Optional[bool] = None,
kms_key_id: Optional[str] = None,
name: Optional[str] = None,
name_prefix: Optional[str] = None,
policy: Optional[str] = None,
recovery_window_in_days: Optional[int] = None,
replicas: Optional[Sequence[SecretReplicaArgs]] = None,
tags: Optional[Mapping[str, str]] = None)
func NewSecret(ctx *Context, name string, args *SecretArgs, opts ...ResourceOption) (*Secret, error)
public Secret(string name, SecretArgs? args = null, CustomResourceOptions? opts = null)
public Secret(String name, SecretArgs args)
public Secret(String name, SecretArgs args, CustomResourceOptions options)
type: aws:secretsmanager:Secret
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var secretResource = new Aws.SecretsManager.Secret("secretResource", new()
{
Description = "string",
ForceOverwriteReplicaSecret = false,
KmsKeyId = "string",
Name = "string",
NamePrefix = "string",
Policy = "string",
RecoveryWindowInDays = 0,
Replicas = new[]
{
new Aws.SecretsManager.Inputs.SecretReplicaArgs
{
Region = "string",
KmsKeyId = "string",
LastAccessedDate = "string",
Status = "string",
StatusMessage = "string",
},
},
Tags =
{
{ "string", "string" },
},
});
example, err := secretsmanager.NewSecret(ctx, "secretResource", &secretsmanager.SecretArgs{
Description: pulumi.String("string"),
ForceOverwriteReplicaSecret: pulumi.Bool(false),
KmsKeyId: pulumi.String("string"),
Name: pulumi.String("string"),
NamePrefix: pulumi.String("string"),
Policy: pulumi.String("string"),
RecoveryWindowInDays: pulumi.Int(0),
Replicas: secretsmanager.SecretReplicaArray{
&secretsmanager.SecretReplicaArgs{
Region: pulumi.String("string"),
KmsKeyId: pulumi.String("string"),
LastAccessedDate: pulumi.String("string"),
Status: pulumi.String("string"),
StatusMessage: pulumi.String("string"),
},
},
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var secretResource = new Secret("secretResource", SecretArgs.builder()
.description("string")
.forceOverwriteReplicaSecret(false)
.kmsKeyId("string")
.name("string")
.namePrefix("string")
.policy("string")
.recoveryWindowInDays(0)
.replicas(SecretReplicaArgs.builder()
.region("string")
.kmsKeyId("string")
.lastAccessedDate("string")
.status("string")
.statusMessage("string")
.build())
.tags(Map.of("string", "string"))
.build());
secret_resource = aws.secretsmanager.Secret("secretResource",
description="string",
force_overwrite_replica_secret=False,
kms_key_id="string",
name="string",
name_prefix="string",
policy="string",
recovery_window_in_days=0,
replicas=[{
"region": "string",
"kms_key_id": "string",
"last_accessed_date": "string",
"status": "string",
"status_message": "string",
}],
tags={
"string": "string",
})
const secretResource = new aws.secretsmanager.Secret("secretResource", {
description: "string",
forceOverwriteReplicaSecret: false,
kmsKeyId: "string",
name: "string",
namePrefix: "string",
policy: "string",
recoveryWindowInDays: 0,
replicas: [{
region: "string",
kmsKeyId: "string",
lastAccessedDate: "string",
status: "string",
statusMessage: "string",
}],
tags: {
string: "string",
},
});
type: aws:secretsmanager:Secret
properties:
description: string
forceOverwriteReplicaSecret: false
kmsKeyId: string
name: string
namePrefix: string
policy: string
recoveryWindowInDays: 0
replicas:
- kmsKeyId: string
lastAccessedDate: string
region: string
status: string
statusMessage: string
tags:
string: string
Secret Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Secret resource accepts the following input properties:
- Description string
- Description of the secret.
- Force
Overwrite boolReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- Kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - Name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - Name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - Policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - Recovery
Window intIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - Replicas
List<Secret
Replica> - Configuration block to support secret replication. See details below.
- Dictionary<string, string>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- Description string
- Description of the secret.
- Force
Overwrite boolReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- Kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - Name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - Name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - Policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - Recovery
Window intIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - Replicas
[]Secret
Replica Args - Configuration block to support secret replication. See details below.
- map[string]string
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- description String
- Description of the secret.
- force
Overwrite BooleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key StringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name String
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix String - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy String
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window IntegerIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
List<Secret
Replica> - Configuration block to support secret replication. See details below.
- Map<String,String>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- description string
- Description of the secret.
- force
Overwrite booleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window numberIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
Secret
Replica[] - Configuration block to support secret replication. See details below.
- {[key: string]: string}
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- description str
- Description of the secret.
- force_
overwrite_ boolreplica_ secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms_
key_ strid - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name str
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name_
prefix str - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy str
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery_
window_ intin_ days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
Sequence[Secret
Replica Args] - Configuration block to support secret replication. See details below.
- Mapping[str, str]
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- description String
- Description of the secret.
- force
Overwrite BooleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key StringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name String
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix String - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy String
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window NumberIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas List<Property Map>
- Configuration block to support secret replication. See details below.
- Map<String>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the Secret resource produces the following output properties:
Look up Existing Secret Resource
Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretState, opts?: CustomResourceOptions): Secret
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
description: Optional[str] = None,
force_overwrite_replica_secret: Optional[bool] = None,
kms_key_id: Optional[str] = None,
name: Optional[str] = None,
name_prefix: Optional[str] = None,
policy: Optional[str] = None,
recovery_window_in_days: Optional[int] = None,
replicas: Optional[Sequence[SecretReplicaArgs]] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> Secret
func GetSecret(ctx *Context, name string, id IDInput, state *SecretState, opts ...ResourceOption) (*Secret, error)
public static Secret Get(string name, Input<string> id, SecretState? state, CustomResourceOptions? opts = null)
public static Secret get(String name, Output<String> id, SecretState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- ARN of the secret.
- Description string
- Description of the secret.
- Force
Overwrite boolReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- Kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - Name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - Name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - Policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - Recovery
Window intIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - Replicas
List<Secret
Replica> - Configuration block to support secret replication. See details below.
- Dictionary<string, string>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- Arn string
- ARN of the secret.
- Description string
- Description of the secret.
- Force
Overwrite boolReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- Kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - Name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - Name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - Policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - Recovery
Window intIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - Replicas
[]Secret
Replica Args - Configuration block to support secret replication. See details below.
- map[string]string
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- ARN of the secret.
- description String
- Description of the secret.
- force
Overwrite BooleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key StringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name String
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix String - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy String
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window IntegerIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
List<Secret
Replica> - Configuration block to support secret replication. See details below.
- Map<String,String>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn string
- ARN of the secret.
- description string
- Description of the secret.
- force
Overwrite booleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key stringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name string
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix string - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy string
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window numberIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
Secret
Replica[] - Configuration block to support secret replication. See details below.
- {[key: string]: string}
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn str
- ARN of the secret.
- description str
- Description of the secret.
- force_
overwrite_ boolreplica_ secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms_
key_ strid - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name str
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name_
prefix str - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy str
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery_
window_ intin_ days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas
Sequence[Secret
Replica Args] - Configuration block to support secret replication. See details below.
- Mapping[str, str]
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
- arn String
- ARN of the secret.
- description String
- Description of the secret.
- force
Overwrite BooleanReplica Secret - Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- kms
Key StringId - ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named
aws/secretsmanager
). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. - name String
- Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters:
/_+=.@-
Conflicts withname_prefix
. - name
Prefix String - Creates a unique name beginning with the specified prefix. Conflicts with
name
. - policy String
- Valid JSON document representing a resource policy. Removing
policy
from your configuration or settingpolicy
to null or an empty string (i.e.,policy = ""
) will not delete the policy since it could have been set byaws.secretsmanager.SecretPolicy
. To delete thepolicy
, set it to"{}"
(an empty JSON document). - recovery
Window NumberIn Days - Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be
0
to force deletion without recovery or range from7
to30
days. The default value is30
. - replicas List<Property Map>
- Configuration block to support secret replication. See details below.
- Map<String>
- Key-value map of user-defined tags that are attached to the secret. If configured with a provider
default_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- Map of tags assigned to the resource, including those inherited from the provider
default_tags
configuration block.
Supporting Types
SecretReplica, SecretReplicaArgs
- Region string
- Region for replicating the secret.
- Kms
Key stringId - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - Last
Accessed stringDate - Date that you last accessed the secret in the Region.
- Status string
- Status can be
InProgress
,Failed
, orInSync
. - Status
Message string - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
- Region string
- Region for replicating the secret.
- Kms
Key stringId - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - Last
Accessed stringDate - Date that you last accessed the secret in the Region.
- Status string
- Status can be
InProgress
,Failed
, orInSync
. - Status
Message string - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
- region String
- Region for replicating the secret.
- kms
Key StringId - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - last
Accessed StringDate - Date that you last accessed the secret in the Region.
- status String
- Status can be
InProgress
,Failed
, orInSync
. - status
Message String - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
- region string
- Region for replicating the secret.
- kms
Key stringId - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - last
Accessed stringDate - Date that you last accessed the secret in the Region.
- status string
- Status can be
InProgress
,Failed
, orInSync
. - status
Message string - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
- region str
- Region for replicating the secret.
- kms_
key_ strid - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - last_
accessed_ strdate - Date that you last accessed the secret in the Region.
- status str
- Status can be
InProgress
,Failed
, orInSync
. - status_
message str - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
- region String
- Region for replicating the secret.
- kms
Key StringId - ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (
aws/secretsmanager
) in the region or creates one for use if non-existent. - last
Accessed StringDate - Date that you last accessed the secret in the Region.
- status String
- Status can be
InProgress
,Failed
, orInSync
. - status
Message String - Message such as
Replication succeeded
orSecret with this name already exists in this region
.
Import
Using pulumi import
, import aws_secretsmanager_secret
using the secret Amazon Resource Name (ARN). For example:
$ pulumi import aws:secretsmanager/secret:Secret example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.