SecretVersionArgs

data class SecretVersionArgs(val secretBinary: Output<String>? = null, val secretId: Output<String>? = null, val secretString: Output<String>? = null, val versionStages: Output<List<String>>? = null) : ConvertibleToJava<SecretVersionArgs>

Provides a resource to manage an AWS Secrets Manager secret version, including its secret value. To manage secret metadata, see the aws.secretsmanager.Secret resource.

NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from this provider unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from this provider to fully trigger version deprecation if necessary.

Example Usage

Simple String Value

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Illustrative value only: a literal passed as secretString is stored in the
// program source and its version history. Real deployments should read the
// value from encrypted stack configuration, e.g.
// new pulumi.Config().requireSecret("<key>").
const secretVersionArgs = {
    secretId: exampleAwsSecretsmanagerSecret.id,
    secretString: "example-string-to-protect",
};
const example = new aws.secretsmanager.SecretVersion("example", secretVersionArgs);
import pulumi
import pulumi_aws as aws
# Illustrative value only: a literal passed as secret_string is stored in the
# program source and its version history. Real deployments should read the
# value from encrypted stack configuration, e.g.
# pulumi.Config().require_secret("<key>").
example = aws.secretsmanager.SecretVersion(
    "example",
    secret_id=example_aws_secretsmanager_secret["id"],
    secret_string="example-string-to-protect",
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Illustrative value only: a literal SecretString is stored in the program
    // source and its version history. Real deployments should read the value
    // from encrypted stack configuration, e.g. new Config().RequireSecret("<key>").
    var example = new Aws.SecretsManager.SecretVersion(
        "example",
        new Aws.SecretsManager.SecretVersionArgs
        {
            SecretId = exampleAwsSecretsmanagerSecret.Id,
            SecretString = "example-string-to-protect",
        });
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one SecretVersion holding a plain string value on the secret
// referenced by exampleAwsSecretsmanagerSecret.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Illustrative value only: a literal SecretString is stored in the
		// program source and its version history. Real deployments should read
		// the value from encrypted stack configuration (RequireSecret in the
		// pulumi config package).
		args := &secretsmanager.SecretVersionArgs{
			SecretId:     pulumi.Any(exampleAwsSecretsmanagerSecret.Id),
			SecretString: pulumi.String("example-string-to-protect"),
		}
		_, err := secretsmanager.NewSecretVersion(ctx, "example", args)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.SecretVersion;
import com.pulumi.aws.secretsmanager.SecretVersionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares one SecretVersion holding a plain string value on the secret
     * referenced by exampleAwsSecretsmanagerSecret.
     */
    public static void stack(Context ctx) {
        // Illustrative value only: a literal secretString is stored in the
        // program source and its version history. Real deployments should read
        // the value from encrypted stack configuration, e.g.
        // ctx.config().requireSecret("<key>").
        final var versionArgs = SecretVersionArgs.builder()
            .secretId(exampleAwsSecretsmanagerSecret.id())
            .secretString("example-string-to-protect")
            .build();
        var example = new SecretVersion("example", versionArgs);
    }
}
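# Nesting restored: YAML structure is carried by indentation, so the flattened
# listing does not describe a resource.
resources:
  example:
    type: aws:secretsmanager:SecretVersion
    properties:
      secretId: ${exampleAwsSecretsmanagerSecret.id}
      # Illustrative value only: a literal here is stored in the program file
      # and its version history. Supply real values from encrypted stack
      # configuration (set with `pulumi config set --secret`).
      secretString: example-string-to-protect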

Key-Value Pairs

Secrets Manager also accepts key-value pairs in JSON.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const config = new pulumi.Config();
// Fallback used when the "example" key is absent from stack configuration.
// The pairs below are placeholders, not real credentials.
const defaultPairs: Record<string, string> = {
    key1: "value1",
    key2: "value2",
};
// getObject returns a plain value. For real secret material, set the key with
// `pulumi config set --secret` and read it with getSecretObject so the value
// stays marked as a secret.
const example = config.getObject<Record<string, string>>("example") || defaultPairs;
// Secrets Manager stores the pairs as a single JSON document.
const exampleSecretVersion = new aws.secretsmanager.SecretVersion("example", {
    secretId: exampleAwsSecretsmanagerSecret.id,
    secretString: JSON.stringify(example),
});
import pulumi
import json
import pulumi_aws as aws
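config = pulumi.Config()
# get_object returns a plain value. For real secret material, set the key with
# `pulumi config set --secret` and read it with get_secret_object so the value
# stays marked as a secret.
example = config.get_object("example")
if example is None:
    # Fallback used when the "example" key is absent from stack configuration.
    # The pairs below are placeholders, not real credentials.
    # (Indentation restored: the flattened listing is not valid Python.)
    example = {
        "key1": "value1",
        "key2": "value2",
    }
# Secrets Manager stores the pairs as a single JSON document.
example_secret_version = aws.secretsmanager.SecretVersion(
    "example",
    secret_id=example_aws_secretsmanager_secret["id"],
    secret_string=json.dumps(example),
)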
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
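return await Deployment.RunAsync(() =>
{
    var config = new Config();
    // Fallback used when the "example" key is absent from stack configuration.
    // The pairs below are placeholders, not real credentials. The fallback
    // needs an explicit `new Dictionary<string, string>`: a bare collection
    // initializer after `??` is not valid C#.
    // GetObject returns a plain value. For real secret material, set the key
    // with `pulumi config set --secret` and read it with GetSecretObject so
    // the value stays marked as a secret.
    var example = config.GetObject<Dictionary<string, string>>("example") ??
        new Dictionary<string, string>
        {
            { "key1", "value1" },
            { "key2", "value2" },
        };
    // Secrets Manager stores the pairs as a single JSON document.
    var exampleSecretVersion = new Aws.SecretsManager.SecretVersion("example", new()
    {
        SecretId = exampleAwsSecretsmanagerSecret.Id,
        SecretString = JsonSerializer.Serialize(example),
    });
});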
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
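// main stores a set of key-value pairs, serialised as JSON, as a new version
// of the secret referenced by exampleAwsSecretsmanagerSecret.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		// Fallback used when the "example" key is absent from stack
		// configuration. The pairs below are placeholders, not real credentials.
		example := map[string]interface{}{
			"key1": "value1",
			"key2": "value2",
		}
		// GetObject takes the destination as its second argument and returns
		// an error. Decode into a separate map so a configured value replaces
		// the defaults instead of being merged into them.
		// GetObject yields a plain value. For real secret material, set the
		// key with `pulumi config set --secret` and read it with
		// GetSecretObject so the value stays marked as a secret.
		var fromConfig map[string]interface{}
		if err := cfg.GetObject("example", &fromConfig); err != nil {
			return err
		}
		if fromConfig != nil {
			example = fromConfig
		}
		// Secrets Manager stores the pairs as a single JSON document.
		secretJSON, err := json.Marshal(example)
		if err != nil {
			return err
		}
		_, err = secretsmanager.NewSecretVersion(ctx, "example", &secretsmanager.SecretVersionArgs{
			SecretId:     pulumi.Any(exampleAwsSecretsmanagerSecret.Id),
			SecretString: pulumi.String(string(secretJSON)),
		})
		return err
	})
}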
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.SecretVersion;
import com.pulumi.aws.secretsmanager.SecretVersionArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Stores a set of key-value pairs, serialised as JSON, as a new version of the
// secret referenced by exampleAwsSecretsmanagerSecret.
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
// NOTE(review): the argument to orElse(...) below is not Java. It is an error
// string left by the documentation generator (a Go format panic), so this
// listing does not compile as published. The other language examples on this
// page use the map {key1: value1, key2: value2} as the default; confirm the
// intended Java expression against the provider's upstream example.
// NOTE(review): config.get reads a plain configuration value; for real secret
// material prefer a key set with `pulumi config set --secret`.
final var example = config.get("example").orElse(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference));
var exampleSecretVersion = new SecretVersion("exampleSecretVersion", SecretVersionArgs.builder()
.secretId(exampleAwsSecretsmanagerSecret.id())
// Secrets Manager stores the pairs as a single JSON document.
.secretString(serializeJson(
example))
.build());
}
}
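# Nesting restored: YAML structure is carried by indentation, so the flattened
# listing does not describe the configuration or the resource.
configuration:
  # The map here can come from other supported configurations
  # like locals, resource attribute, map() built-in, etc.
  # The default pairs below are placeholders, not real credentials. Supply real
  # values from encrypted stack configuration (`pulumi config set --secret`).
  example:
    type: map(string)
    default:
      key1: value1
      key2: value2
resources:
  exampleSecretVersion:
    type: aws:secretsmanager:SecretVersion
    name: example
    properties:
      secretId: ${exampleAwsSecretsmanagerSecret.id}
      # Secrets Manager stores the pairs as a single JSON document.
      secretString:
        fn::toJSON: ${example}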

Reading key-value pairs from JSON back into a native map

Import

Using pulumi import, import aws_secretsmanager_secret_version using the secret ID and version ID. For example:

$ pulumi import aws:secretsmanager/secretVersion:SecretVersion example 'arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456|xxxxx-xxxxxxx-xxxxxxx-xxxxx'

Constructors

constructor(secretBinary: Output<String>? = null, secretId: Output<String>? = null, secretString: Output<String>? = null, versionStages: Output<List<String>>? = null)

Properties

val secretBinary: Output<String>? = null

Specifies binary data that you want to encrypt and store in this version of the secret. This is required if neither secret_string nor secret_string_wo is set. The value must be base64-encoded.

val secretId: Output<String>? = null

Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.

val secretString: Output<String>? = null

Specifies text data that you want to encrypt and store in this version of the secret. This is required if neither secret_binary nor secret_string_wo is set.

val versionStages: Output<List<String>>? = null

Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

Functions

open override fun toJava(): SecretVersionArgs