1 | import { CfnDynamicReference } from './cfn-dynamic-reference';
2 | import { CfnParameter } from './cfn-parameter';
3 | import { Intrinsic, IntrinsicProps } from './private/intrinsic';
4 | import { IResolveContext } from './resolvable';
/**
 * Work with secret values in the CDK
 *
 * Constructs that need secrets will declare parameters of type `SecretValue`.
 *
 * The actual values of these secrets should not be committed to your
 * repository, or even end up in the synthesized CloudFormation template. Instead, you should
 * store them in an external system like AWS Secrets Manager or SSM Parameter
 * Store, and you can reference them by calling `SecretValue.secretsManager()` or
 * `SecretValue.ssmSecure()`.
 *
 * You can use `SecretValue.unsafePlainText()` to construct a `SecretValue` from a
 * literal string, but doing so is highly discouraged.
 *
 * To make sure secret values don't accidentally end up in readable parts
 * of your infrastructure definition (such as the environment variables
 * of an AWS Lambda Function, where everyone who can read the function
 * definition has access to the secret), using secret values directly is not
 * allowed. You must pass them to constructs that accept `SecretValue`
 * properties, which are guaranteed to use the value only in CloudFormation
 * properties that are write-only.
 *
 * If you are sure that what you are doing is safe, you can call
 * `secretValue.unsafeUnwrap()` to access the protected string of the secret
 * value.
 *
 * (If you are writing something like an AWS Lambda Function and need to access
 * a secret inside it, make the API call to `GetSecretValue` directly inside
 * your Lambda's code, instead of using environment variables.)
 */
export declare class SecretValue extends Intrinsic {
  /**
   * Test whether an object is a SecretValue
   *
   * @param x The value to test.
   * @returns `true` when `x` is a `SecretValue`; narrows the type of `x` accordingly.
   */
  // NOTE(review): `unknown` would express "any value may be passed" more strictly than `any`.
  static isSecretValue(x: any): x is SecretValue;
  /**
   * Construct a literal secret value for use with secret-aware constructs
   *
   * Do not use this method for any secrets that you care about! The value
   * will be visible to anyone who has access to the CloudFormation template
   * (via the AWS Console, SDKs, or CLI).
   *
   * The only reasonable use case for using this method is when you are testing.
   *
   * @param secret The literal string to wrap.
   * @deprecated Use `unsafePlainText()` instead.
   */
  static plainText(secret: string): SecretValue;
  /**
   * Construct a literal secret value for use with secret-aware constructs
   *
   * Do not use this method for any secrets that you care about! The value
   * will be visible to anyone who has access to the CloudFormation template
   * (via the AWS Console, SDKs, or CLI). Unlike `secretsManager()` and
   * `ssmSecure()`, nothing is fetched from an external store: the literal
   * itself ends up in the template, so treat anything passed here as disclosed.
   *
   * The only reasonable use case for using this method is when you are testing.
   *
   * @param secret The literal string to wrap.
   */
  static unsafePlainText(secret: string): SecretValue;
  /**
   * Creates a `SecretValue` with a value which is dynamically loaded from AWS Secrets Manager.
   *
   * @param secretId The ID or ARN of the secret
   * @param options Version selection (`versionStage` or `versionId`, at most one of
   * the two) and an optional `jsonField` to extract; see `SecretsManagerSecretOptions`.
   */
  static secretsManager(secretId: string, options?: SecretsManagerSecretOptions): SecretValue;
  /**
   * Use a secret value stored from a Systems Manager (SSM) parameter.
   *
   * @param parameterName The name of the parameter in the Systems Manager
   * Parameter Store. The parameter name is case-sensitive.
   *
   * @param version An integer that specifies the version of the parameter to
   * use. If you don't specify the exact version, AWS CloudFormation uses the
   * latest version of the parameter. Passed as a string even though it denotes
   * an integer.
   */
  static ssmSecure(parameterName: string, version?: string): SecretValue;
  /**
   * Obtain the secret value through a CloudFormation dynamic reference.
   *
   * If possible, use `SecretValue.ssmSecure` or `SecretValue.secretsManager` directly.
   *
   * @param ref The dynamic reference to use.
   */
  static cfnDynamicReference(ref: CfnDynamicReference): SecretValue;
  /**
   * Obtain the secret value through a CloudFormation parameter.
   *
   * Generally, this is not a recommended approach. AWS Secrets Manager is the
   * recommended way to reference secrets.
   *
   * @param param The CloudFormation parameter to use.
   */
  static cfnParameter(param: CfnParameter): SecretValue;
  /**
   * Use a resource's output as secret value
   *
   * @param attr The attribute value to wrap. NOTE(review): this declaration does
   * not say which forms (plain string vs. token) are accepted — confirm against
   * the implementation.
   */
  static resourceAttribute(attr: string): SecretValue;
  // The protected value held by this instance. Presumably the `protectedValue`
  // given to the constructor and what `unsafeUnwrap()` hands back — verify in the implementation.
  private readonly rawValue;
  /**
   * Construct a SecretValue (do not use!)
   *
   * Do not use the constructor directly: use one of the factory functions on the class
   * instead.
   *
   * @param protectedValue The value to guard against unchecked use.
   * @param options Intrinsic options; presumably forwarded to the `Intrinsic` base class.
   */
  constructor(protectedValue: any, options?: IntrinsicProps);
  /**
   * Disable usage protection on this secret
   *
   * Call this to indicate that you want to use the secret value held by this
   * object in an unchecked way. If you don't call this method, using the secret
   * value directly in a string context or as a property value somewhere will
   * produce an error.
   *
   * This method has 'unsafe' in the name on purpose! Make sure that the
   * construct property you are using the returned value in does not end up
   * in a place in your AWS infrastructure where it could be read by anyone
   * unexpected.
   *
   * When in doubt, don't call this method and only pass the object to constructs that
   * accept `SecretValue` parameters.
   *
   * @returns The protected string, with the usage guard removed.
   */
  unsafeUnwrap(): string;
  /**
   * Resolve the secret
   *
   * If the feature flag is not set, resolve as normal. Otherwise, throw a descriptive
   * error that the usage guard is missing. (The feature flag is not named in this
   * declaration — consult the implementation for which flag controls the guard.)
   *
   * @param context The resolution context supplied by the token resolver.
   * @returns The resolved value when the guard does not apply.
   * @throws When the guard applies and `unsafeUnwrap()` was not called.
   */
  resolve(context: IResolveContext): any;
}
/**
 * Options for referencing a secret value from Secrets Manager.
 *
 * `versionStage` and `versionId` are mutually exclusive ways of selecting a
 * version; `jsonField` additionally narrows the result to one field of a
 * JSON-structured secret.
 */
export interface SecretsManagerSecretOptions {
  /**
   * Specifies the secret version that you want to retrieve by the staging label attached to the version.
   *
   * Can specify at most one of `versionId` and `versionStage`.
   *
   * @default AWSCURRENT
   */
  readonly versionStage?: string;
  /**
   * Specifies the unique identifier of the version of the secret you want to use.
   *
   * Can specify at most one of `versionId` and `versionStage`.
   *
   * @default AWSCURRENT
   */
  readonly versionId?: string;
  /**
   * The key of a JSON field to retrieve. This can only be used if the secret
   * stores a JSON object. Leave unset for secrets that hold a plain string.
   *
   * @default - returns all the content stored in the Secrets Manager secret.
   */
  readonly jsonField?: string;
}