## AWS Secrets Manager Construct Library
<!--BEGIN STABILITY BANNER-->---
![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)
---
<!--END STABILITY BANNER-->
```python
# Example automatically generated. See https://github.com/aws/jsii/issues/826
secretsmanager = require("@aws-cdk/aws-secretsmanager")
```
### Create a new Secret in a Stack
In order to have SecretsManager generate a new secret value automatically,
you can get started with the following:
```python
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
# Default secret
secret = secretsmanager.Secret(self, "Secret")
secret.grant_read(role)
iam.User(self, "User",
password=secret.secret_value
)
# Templated secret
templated_secret = secretsmanager.Secret(self, "TemplatedSecret",
generate_secret_string=SecretStringGenerator(
secret_string_template=JSON.stringify(username="user"),
generate_string_key="password"
)
)
iam.User(self, "OtherUser",
user_name=templated_secret.secret_value_from_json("username").to_string(),
password=templated_secret.secret_value_from_json("password")
)
```
The `Secret` construct does not allow specifying the `SecretString` property
of the `AWS::SecretsManager::Secret` resource (as this will almost always
lead to the secret being surfaced in plain text and possibly committed to
your source control).
If you need to use a pre-existing secret, the recommended way is to manually
provision the secret in *AWS SecretsManager* and use the `Secret.fromSecretArn`
or `Secret.fromSecretAttributes` method to make it available in your CDK Application:
```python
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
secret = secretsmanager.Secret.from_secret_attributes(scope, "ImportedSecret",
secret_arn="arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>",
# If the secret is encrypted using a KMS-hosted CMK, either import or reference that key:
encryption_key=encryption_key
)
```
SecretsManager secret values can only be used in select set of properties. For the
list of properties, see [the CloudFormation Dynamic References documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
### Rotating a Secret with a custom Lambda function
A rotation schedule can be added to a Secret using a custom Lambda function:
```python
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
fn = lambda.Function(...)
secret = secretsmanager.Secret(self, "Secret")
secret.add_rotation_schedule("RotationSchedule",
rotation_lambda=fn,
automatically_after=Duration.days(15)
)
```
See [Overview of the Lambda Rotation Function](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html) on how to implement a Lambda Rotation Function.
### Rotating database credentials
Define a `SecretRotation` to rotate database credentials:
```python
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(self, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_SINGLE_USER, # MySQL single user scheme
secret=my_secret,
target=my_database, # a Connectable
vpc=my_vpc
)
```
The secret must be a JSON string with the following format:
```json
{
"engine": "<required: database engine>",
"host": "<required: instance host name>",
"username": "<required: username>",
"password": "<required: password>",
"dbname": "<optional: database name>",
"port": "<optional: if not specified, default port will be used>",
"masterarn": "<required for multi user rotation: the arn of the master secret which will be used to create users/change passwords>"
}
```
For the multi user scheme, a `masterSecret` must be specified:
```python
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
SecretRotation(stack, "SecretRotation",
application=SecretRotationApplication.MYSQL_ROTATION_MULTI_USER,
secret=my_user_secret, # The secret that will be rotated
master_secret=my_master_secret, # The secret used for the rotation
target=my_database,
vpc=my_vpc
)
```
See also [aws-rds](https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-rds/README.md) where
credentials generation and rotation is integrated.
PyPI 官网下载 | aws-cdk.aws-secretsmanager-1.35.0.tar.gz
版权申诉
198 浏览量
2022-01-26
14:10:06
上传
评论
收藏 89KB GZ 举报
挣扎的蓝藻
- 粉丝: 13w+
- 资源: 15万+
最新资源
- 微信小程序 - 图书管理系统源码.zip
- 微信小程序 - 图片自适应 ,富文本解析源码.zip
- 微信小程序 - 同乐居商城:购物车合算源码
- 1、根据输入的三条边值判断能组成何种三角形,并设计测试数据进行判定覆盖测试 三条边为变量a、b、c,范围为1≤边值≤10,不在范
- SQL server 练习题目8道(小白教学).zip
- Python 手写实现 iD3 决策树算法-根据信息增益公式.zip
- 411675952289057车联助手-小窗版(三星)3.5.1.apk
- 三种快速排序方法合并在一个文件中以便直接运行的Python代码示例
- 937712277954201实习5.word
- 2程序语言基础知识pdf1_1716337722703.jpeg
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈