import * as kms from "aws-cdk-lib/aws-kms";
import { ISecret } from "aws-cdk-lib/aws-secretsmanager";
import { Construct } from "constructs";
import { IDatabase } from "./database";
import { IProvider } from "./provider";
export interface RoleProps {
    /**
     * Provider.
     */
    readonly provider: IProvider;
    /**
     * SQL.
     */
    readonly roleName: string;
    /**
     * Optional database this user is expected to use.
     *
     * If the database exists, connect privileges are granted.
     *
     * Specify one of `database` or `databaseName`. This is the name
     * that will be stored in the role's secret as the database name to
     * use.
     */
    readonly database?: IDatabase;
    /**
     * Optional database name this user is expected to use.
     *
     * If the database exists, connect privileges are granted.
     *
     * Specify one of `database` or `databaseName`. This is the name
     * that will be stored in the role's secret as the database name to
     * use.
     */
    readonly databaseName?: string;
    /**
     * A new secret is created for this user.
     *
     * Optionally encrypt it with the given key.
     */
    readonly encryptionKey?: kms.IKey;
    /**
     * A new secret is created for this user.
     *
     * Optionally add secret name to the secret.
     */
    readonly secretName?: string;
    /**
     * Prefix for SSM parameters to store credentials in Parameter Store.
     * When defined, credentials will also be stored as parameters.
     *
     * The parameter names such as "password" is simply appended to
     * `parameterPrefix`, so make sure the prefix ends with a slash if
     *  you have your parameter names slash separated.
     *
     * Note that the password from the secret is copied just once, they
     * are not kept in sync.
     *
     * @default - credentials are only stored in Secrets Manager
     */
    readonly parameterPrefix?: string;
    /**
     * Enable IAM authentication for this role.
     *
     * When enabled, the role will be created without a password and
     * configured for AWS IAM database authentication. No secret will
     * be created for this role.
     *
     * Note: For DSQL clusters, this property is ignored as DSQL always
     * uses IAM authentication.
     *
     * @default false - use password authentication
     */
    readonly enableIamAuth?: boolean;
}
export declare class Role extends Construct {
    /**
     * The role name.
     */
    readonly roleName: string;
    /**
     * The generated secret containing connection information and password.
     *
     * This is only available when:
     * - The provider is not a DSQL cluster (DSQL uses IAM authentication)
     * - `enableIamAuth` is not set to `true`
     *
     * When using IAM authentication, no secret is created as the password
     * is generated dynamically using IAM credentials.
     */
    readonly secret?: ISecret;
    constructor(scope: Construct, id: string, props: RoleProps);
}