8

I'm setting up a Fargate service in AWS using CDK

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: Secret.fromSecretsManager(
                    **ISecret**,
                    'fieldWithinTheSecret'
                ),
            }
        }
    }
)

How am I supposed to get hold of the ISecret instance given the name of the secret?

I've looked at the AWS.SecretsManager from the AWS SDK, but it only returns strings.

MEMark
  • 1,493
  • 2
  • 22
  • 32

3 Answers

9

The updated one for CDK version 2: you can refer to a secret with Secret.fromSecretNameV2() and retrieve a particular secret value using Secret.secretValueFromJson('keyname').toString(); refer to the code snippet below.

const appSecret = Secret.fromSecretNameV2(this,'app-secret',"secret-name");
const value1 = appSecret.secretValueFromJson('KeyName1').toString();
const value2 = appSecret.secretValueFromJson('KeyName2').toString();

The best thing is, you can use this secret value anywhere, like Cognito secrets, and it will not hardcode the secret value in your CloudFormation stack. Instead, it will use a token, and it will be resolved to the value when it is deployed.

Abinash
  • 466
  • 7
  • 15
  • Sadly, this function is completely useless if you need the full ARN. See https://github.com/aws/aws-cdk/issues/18555 for details. – MKesper Mar 27 '23 at 13:04
7

Currently there is no Secret.fromSecretName-method. Assuming that you are using an existing secret, you should use the Secret.fromSecretArn-method.

Note that if you use a KMS key, you should use the Secret.fromSecretAttributes-method as described at Get a value from AWS secrets manager.

import * as ecs from "@aws-cdk/aws-ecs";
import * as ecs_patterns from "@aws-cdk/aws-ecs-patterns";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";

const mySecret = secretsmanager.Secret.fromSecretArn(this, "mySecret", "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>");

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: ecs.Secret.fromSecretsManager(mySecret),
            }
        }
    }
);

Laurens Knoll
  • 581
  • 3
  • 6
  • Note 1: `Secret.fromSecretArn` and `Secret.fromSecretsManager` come from different namespaces (_@aws-cdk/aws-secretsmanager_ and _@aws-cdk/aws-ecs_ respectively) – MEMark Aug 29 '20 at 17:34
  • 5
    Now, aws-cdk provides [Secret.fromSecretNameV2](https://docs.aws.amazon.com/cdk/api/latest/typescript/api/aws-secretsmanager/secret.html#aws_secretsmanager_Secret_fromSecretNameV2) to import the secret by its Name. – aashitvyas Mar 08 '21 at 18:53
2

In my case I ended up with the following code:

import { Secret } from 'aws-cdk-lib/aws-secretsmanager'
...
const value = Secret.fromSecretAttributes(this, `unique-stack-id-secret`, {
    secretPartialArn: `arn:aws:secretsmanager:<region>:<accountId>:secret:<secret-name>`,
}).secretValue.unsafeUnwrap()

the aws-cdk version is 2.69.0. Here is the link to the Secret class documentation

elbik
  • 1,749
  • 2
  • 16
  • 21
  • Is this the same as this answer https://stackoverflow.com/a/63621932/268091 ? – MEMark Mar 23 '23 at 08:13
  • 1
    It's kind of the same, but here I presented the working usage of `fromSecretAttributes` directly in the answer to the ticket, without forcing the StackOverflow user to go to AWS documentation. – elbik Mar 23 '23 at 09:59
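The answers above import an existing secret in three different ways: by name (Secret.fromSecretNameV2), by partial ARN (secretPartialArn in fromSecretAttributes) and by complete ARN with the six-character suffix (the arn:...:secret:&lt;secret-name&gt;-&lt;random-6-characters&gt; form in Laurens Knoll's answer). The difference matters for the read grant the ECS task execution role receives, which is what the MKesper comment about the full ARN is touching on. The following is an added example, not code from the question, any answer, or the CDK itself: plain TypeScript with no aws-cdk-lib dependency that builds the ARN each reference style yields, shows the "-??????" wildcard that a grant on a partial reference has to use to match the real suffixed ARN (the pattern the CDK uses for partial references), and shows why the suffix cannot be safely guessed from the ARN's shape. The region, account id and secret names are constructed sample values.

```typescript
// Added example: how name / partial-ARN / complete-ARN secret references differ,
// and what IAM resource string a read grant needs for each. Plain TypeScript,
// no aws-cdk-lib dependency. All region/account/secret-name values are
// constructed for illustration.

type SecretRef =
  | { kind: "name"; name: string }          // Secret.fromSecretNameV2()
  | { kind: "partialArn"; arn: string }     // fromSecretAttributes({ secretPartialArn })
  | { kind: "completeArn"; arn: string };   // fromSecretAttributes({ secretCompleteArn })

interface Env { partition?: string; region: string; account: string; }

// Secrets Manager ARN layout as shown in the answers:
// arn:<partition>:secretsmanager:<region>:<account>:secret:<name>[-<6 chars>]
const SECRET_ARN_RE = /^arn:([^:]+):secretsmanager:([^:]+):(\d{12}):secret:(.+)$/;

// A name-based reference is just a partial ARN built from the stack's environment.
function partialArnForName(name: string, env: Env): string {
  return `arn:${env.partition ?? "aws"}:secretsmanager:${env.region}:${env.account}:secret:${name}`;
}

// Secrets Manager appends "-" plus six random alphanumerics on creation.
// Detecting that by shape alone is unreliable: a name that happens to end in
// "-" plus six alphanumerics is indistinguishable from a complete ARN, which is
// why the caller has to say whether an ARN is partial or complete.
function suffixLooksComplete(arn: string): boolean {
  const m = SECRET_ARN_RE.exec(arn);
  return m !== null && /-[A-Za-z0-9]{6}$/.test(m[4]);
}

// Resource string a read grant on the secret needs. A complete ARN is used as is.
// A partial ARN or bare name can only match the real secret if the policy
// wildcards the suffix; "?" matches exactly one character in IAM resource ARNs.
function readGrantResource(ref: SecretRef, env: Env): string {
  switch (ref.kind) {
    case "completeArn":
      if (!SECRET_ARN_RE.test(ref.arn)) throw new Error(`not a Secrets Manager ARN: ${ref.arn}`);
      return ref.arn;
    case "partialArn":
      if (!SECRET_ARN_RE.test(ref.arn)) throw new Error(`not a Secrets Manager ARN: ${ref.arn}`);
      return `${ref.arn}-??????`;
    case "name":
      return `${partialArnForName(ref.name, env)}-??????`;
    default:
      throw new Error("unknown reference kind");
  }
}

// Evaluate an IAM-style resource pattern ("?" = one char, "*" = any run of
// chars) against the ARN the secret actually has at runtime.
function grantMatches(resourcePattern: string, actualArn: string): boolean {
  const escaped = resourcePattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\?/g, ".").replace(/\*/g, ".*") + "$");
  return re.test(actualArn);
}

// Stand-alone demonstration with constructed values.
const sampleEnv: Env = { region: "us-east-1", account: "123456789012" };
const realArn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-password-AbCdEf";
console.log(readGrantResource({ kind: "name", name: "my-db-password" }, sampleEnv));
console.log(grantMatches(readGrantResource({ kind: "name", name: "my-db-password" }, sampleEnv), realArn));
console.log(suffixLooksComplete("arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-secret"));
```

The last line is the edge case: "prod-secret" is a perfectly ordinary secret name, yet its ARN passes the shape check for a complete ARN, so a construct that accepts a bare ARN cannot know whether to append the wildcard. Stating the reference kind explicitly, as the fromSecretAttributes form in elbik's answer does, avoids that ambiguity, and the wildcard grant is what lets the execution role read a secret whose suffix the stack never learned.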