secrets
Creates, updates, deletes or gets a secret resource or lists secrets in a region
Overview
| Name | secrets |
| Type | Resource |
| Description | Creates a new secret. A secret can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager.For RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret.For RS admin user credentials, see AWS::Redshift::Cluster. To retrieve a secret in a CFNshort template, use a dynamic reference. For more information, see Retrieve a secret in an resource. For information about creating a secret in the console, see Create a secret. For information about creating a secret using the CLI or SDK, see CreateSecret. For information about retrieving a secret in code, see Retrieve secrets from Secrets Manager. |
| Id | awscc.secretsmanager.secrets |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
description | string | The description of the secret. |
kms_key_id | string | The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by To use a KMS key in a different account, use the key ARN or the alias ARN. |
secret_string | string | The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use GenerateSecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created. |
generate_secret_string | object | A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. |
replica_regions | array | A custom type that specifies a Region and the KmsKeyId for a replica secret. |
id | string | |
tags | array | A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an Access Denied error. For more information, see Control access to secrets using tags and Limit access to identities with tags that match secrets' tags.For information about how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters. If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text. The following restrictions apply to tags: + Maximum number of tags per secret: 50 + Maximum key length: 127 Unicode characters in UTF-8 + Maximum value length: 255 Unicode characters in UTF-8 + Tag keys and values are case sensitive. + Do not use the aws: prefix in your tag names or values because AWS reserves it for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.+ If you use your tagging schema across multiple services and resources, other services might have restrictions on allowed characters. Generally allowed characters: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. |
name | string | The name of the new secret.The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
id | string | |
region | string | AWS region. |
For more information, see AWS::SecretsManager::Secret.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | secrets | INSERT | region |
delete_resource | secrets | DELETE | Identifier, region |
update_resource | secrets | UPDATE | Identifier, PatchDocument, region |
list_resources | secrets_list_only | SELECT | region |
get_resource | secrets | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual secret.
SELECT
region,
description,
kms_key_id,
secret_string,
generate_secret_string,
replica_regions,
id,
tags,
name
FROM awscc.secretsmanager.secrets
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}';
Lists all secrets in a region.
SELECT
region,
id
FROM awscc.secretsmanager.secrets_list_only
WHERE
region = '{{ region }}';
INSERT example
Use the following StackQL query and manifest file to create a new secret resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.secretsmanager.secrets (
Description,
KmsKeyId,
SecretString,
GenerateSecretString,
ReplicaRegions,
Tags,
Name,
region
)
SELECT
'{{ description }}',
'{{ kms_key_id }}',
'{{ secret_string }}',
'{{ generate_secret_string }}',
'{{ replica_regions }}',
'{{ tags }}',
'{{ name }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
/*+ create */
INSERT INTO awscc.secretsmanager.secrets (
Description,
KmsKeyId,
SecretString,
GenerateSecretString,
ReplicaRegions,
Tags,
Name,
region
)
SELECT
'{{ description }}',
'{{ kms_key_id }}',
'{{ secret_string }}',
'{{ generate_secret_string }}',
'{{ replica_regions }}',
'{{ tags }}',
'{{ name }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: secret
props:
- name: description
value: '{{ description }}'
- name: kms_key_id
value: '{{ kms_key_id }}'
- name: secret_string
value: '{{ secret_string }}'
- name: generate_secret_string
value:
exclude_uppercase: '{{ exclude_uppercase }}'
require_each_included_type: '{{ require_each_included_type }}'
include_space: '{{ include_space }}'
exclude_characters: '{{ exclude_characters }}'
generate_string_key: '{{ generate_string_key }}'
password_length: '{{ password_length }}'
exclude_punctuation: '{{ exclude_punctuation }}'
exclude_lowercase: '{{ exclude_lowercase }}'
secret_string_template: '{{ secret_string_template }}'
exclude_numbers: '{{ exclude_numbers }}'
- name: replica_regions
value:
- kms_key_id: '{{ kms_key_id }}'
region: '{{ region }}'
- name: tags
value:
- value: '{{ value }}'
key: '{{ key }}'
- name: name
value: '{{ name }}'
UPDATE example
Use the following StackQL query and manifest file to update a secret resource, using stack-deploy.
/*+ update */
UPDATE awscc.secretsmanager.secrets
SET PatchDocument = string('{{ {
"Description": description,
"KmsKeyId": kms_key_id,
"SecretString": secret_string,
"GenerateSecretString": generate_secret_string,
"ReplicaRegions": replica_regions,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
DELETE example
/*+ delete */
DELETE FROM awscc.secretsmanager.secrets
WHERE
Identifier = '{{ id }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
Additional Parameters
Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:
| Parameter | Description |
|---|---|
ClientToken | A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request. |
RoleArn | The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.If you do not specify a role, a temporary session is created using your AWS user credentials. |
TypeVersionId | For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used. |
Permissions
To operate on the secrets resource, the following permissions are required:
- Create
- Delete
- List
- Read
- Update
secretsmanager:DescribeSecret,
secretsmanager:GetRandomPassword,
secretsmanager:CreateSecret,
secretsmanager:TagResource,
secretsmanager:ReplicateSecretToRegions
secretsmanager:DeleteSecret,
secretsmanager:DescribeSecret,
secretsmanager:RemoveRegionsFromReplication
secretsmanager:ListSecrets
secretsmanager:DescribeSecret,
secretsmanager:GetSecretValue
secretsmanager:UpdateSecret,
secretsmanager:TagResource,
secretsmanager:UntagResource,
secretsmanager:GetRandomPassword,
secretsmanager:GetSecretValue,
secretsmanager:ReplicateSecretToRegions,
secretsmanager:RemoveRegionsFromReplication