secret
Gets an individual secret resource
Overview
Property | Value |
---|---|
Name | secret |
Type | Resource |
Description | secret |
Id | awscc.secretsmanager.secret |
Fields
Name | Datatype | Description |
---|---|---|
description | string | The description of the secret. |
kms_key_id | string | The ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by ``alias/``, for example ``alias/aws/secretsmanager``. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html).<br/> To use a KMS key in a different account, use the key ARN or the alias ARN.<br/> If you don't specify this value, then Secrets Manager uses the key ``aws/secretsmanager``. If that key doesn't yet exist, then Secrets Manager creates it for you automatically the first time it encrypts the secret value.<br/> If the secret is in a different AWS account from the credentials calling the API, then you can't use ``aws/secretsmanager`` to encrypt the secret, and you must create and use a customer managed KMS key. |
secret_string | string | The text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use ``GenerateSecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created. |
generate_secret_string | object | A structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use ``SecretString`` instead. If you omit both ``GenerateSecretString`` and ``SecretString``, you create an empty secret. When you make a change to this property, a new secret version is created.<br/> We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support. |
replica_regions | array | A custom type that specifies a ``Region`` and the ``KmsKeyId`` for a replica secret. |
id | string | |
tags | array | A list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example:<br/> ``[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`` <br/> Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc".<br/> Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. <br/> If you check tags in permissions policies as part of your security strategy, then adding or removing a tag can change permissions. If the completion of this operation would result in you losing your permissions for this secret, then Secrets Manager blocks the operation and returns an ``Access Denied`` error. For more information, see [Control access to secrets using tags](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac) and [Limit access to identities with tags that match secrets' tags](https://docs.aws.amazo |
name | string | The name of the new secret.<br/> The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@-<br/> Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN. |
region | string | AWS region. |
Methods
Currently only SELECT is supported for this resource. A SELECT is backed by the Read permissions listed below (``secretsmanager:DescribeSecret`` and ``secretsmanager:GetSecretValue``), so selecting the ``secret_string`` column returns the decrypted secret value to the query client.
Example
```sql
SELECT
region,
description,
kms_key_id,
secret_string,
generate_secret_string,
replica_regions,
id,
tags,
name
FROM awscc.secretsmanager.secret
WHERE data__Identifier = '<Id>';
```
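The following query is an added example, not part of the original page or the provider's own documentation. It reads one secret and classifies its encryption key from the ``kms_key_id`` field as described in the Fields table (unset means the AWS-managed ``aws/secretsmanager`` key, which cannot be used for a secret shared across accounts), and it deliberately leaves ``secret_string`` out of the column list so that the plaintext value is not pulled into the client's output or query logs. It assumes that ``data__Identifier`` is the secret ARN (the ``id`` field), that an unset ``kms_key_id`` comes back as NULL or an empty string, that ``replica_regions`` and ``tags`` are returned as JSON text, and that a ``region`` predicate is accepted in the WHERE clause; the ARN and account number are constructed placeholders.

```sql
-- Added example (not from the page). Assumptions: data__Identifier is the
-- secret ARN; an unset kms_key_id is NULL or ''; the ARN below is constructed.
SELECT
  name,
  region,
  -- Classify the encryption key. No key at all means Secrets Manager used
  -- the AWS-managed aws/secretsmanager key, which cannot encrypt a secret
  -- that is read from another account. The ELSE branch covers key IDs,
  -- key ARNs and custom aliases; confirm key ownership in KMS separately.
  CASE
    WHEN COALESCE(kms_key_id, '') = '' THEN 'default aws/secretsmanager key'
    WHEN kms_key_id LIKE 'alias/aws/%'  THEN 'AWS-managed key alias'
    ELSE 'key ID, key ARN or custom alias'
  END AS key_class,
  kms_key_id,
  -- Each replica region holds its own copy under its own KmsKeyId, so
  -- replication widens where the secret material lives.
  COALESCE(replica_regions, '[]') AS replica_regions,
  -- Tags are case sensitive and may drive ABAC policies; review them when
  -- the classification above is unexpected.
  tags
  -- secret_string intentionally omitted: selecting it calls GetSecretValue
  -- and returns the decrypted value to the client.
FROM awscc.secretsmanager.secret
WHERE data__Identifier = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf'
  AND region = 'us-east-1';
```

The ``name`` column is returned without the ``-AbCdEf`` suffix; that six-character suffix is the random tail Secrets Manager appends to the ARN, which is why the Fields table warns against ending a secret name in a hyphen followed by six characters.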
Permissions
To operate on the secret resource, the following IAM permissions are required:
Delete
- secretsmanager:DeleteSecret
- secretsmanager:DescribeSecret
- secretsmanager:RemoveRegionsFromReplication
Read
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue
Update
- secretsmanager:UpdateSecret
- secretsmanager:TagResource
- secretsmanager:UntagResource
- secretsmanager:GetRandomPassword
- secretsmanager:GetSecretValue
- secretsmanager:ReplicateSecretToRegions
- secretsmanager:RemoveRegionsFromReplication