'How to retrieve SecretsManager secret in AWS CDK

I'm setting up a Fargate service in AWS using CDK

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: Secret.fromSecretsManager(
                    **ISecret**,
                    'fieldWithinTheSecret'
                ),
            }
        }
    }
)

How am I supposed to get hold of the ISecret instance given the name of the secret?

I've looked at the AWS.SecretsManager from the AWS SDK, but it only returns strings.

aws-cdkaws-secrets-manager


Solution 1:[1]

Currently there is no Secret.fromSecretName-method. Assuming that you are using an existing secret, you should use the Secret.fromSecretArn-method.

Note that if you use a KMS key, you should use the Secret.fromSecretAttributes-method as described at Get a value from AWS secrets manager.

import * as ecs from "@aws-cdk/aws-ecs";
import * as ecs_patterns from "@aws-cdk/aws-ecs-patterns";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";

const mySecret = secretsmanager.Secret.fromSecretArn(this, "mySecret", "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>");

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: ecs.Secret.fromSecretsManager(mySecret),
            }
        }
    }
);

Solution 2:[2]

The updated one with CDK version 2 You can refer to a secret either with Secret.fromSecretNameV2() and retrieve a particular secret value using Secret.secretValueFromJson('keyname').toString(); Refer to the code snippet below

const appSecret = Secret.fromSecretNameV2(this,'app-secret',"secret-name");
const value1 = appSecret.secretValueFromJson('KeyName1').toString();
const value2 = appSecret.secretValueFromJson('KeyName2').toString();

The best thing is, you can use this secret value anywhere like Cognito Secrets, and it will not hardcode the secret value in your cloud formation stack. Instead, it will use a token and it will be resolved to the value when it is deployed.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Abinash

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function