Question 19099 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

How to create an AWS secret of type other using cdk – Amazon Web Sevices

I am using python with cdk. I have one stack that creates a dynamo db table with a random name in one account and multiple stacks running in other accounts that need to get that randomly generated table name. Due to the limitation of SSM parameters not allowing cross account access, I am using secrets manager instead

Here is my code

secretsmanager.Secret(self, "cdk-generated-secret",
                      secret_name="cdk-generated-secret-name",
                      secret_string_value="{'db-name': str_table_name }"
                      )

This is the error I am getting

type of argument secret_string_value must be one of (aws_cdk.SecretValue, NoneType); got str instead

This is a plain text string and doesn’t need to be encrypted. How to write such a key value string to the secret and then later read it? Is there a way to read the secret values without using the randomly generated suffix?

Tags:

2

Answers


  1. 0

    Secrets manager API everything is encrypted, it does not support unencrypted data like SSM Param store does.

    1. Have or Create customer managed KMS Key.
    2. Change key policy to allow other account to access key.
    3. Use that KMS Key when storing Secret.
    4. Add a policy to secret that allows other account to access.

    AWS Support Article on sharing Secrets across accounts:
    https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/

    Look closely at the costs as secrets manager may not be what you want.

    Login or Signup to reply.
  2. 0

    Use SecretValue.unsafe_plain_text to set a CDK Secret’s plaintext value. The table_name attribute will be resolved to the DynamoDB table’s actual name at deploy time. Key-value pairs can be set with the secret_object_value argument:

    secretsmanager.Secret(
    self,
    "PlaintextKeyValueTableNameSecret",
    secret_object_value={
        "db-name": SecretValue.unsafe_plain_text(table.table_name)
    },
)

    Note: Secrets Manager is a relatively expensive way to share non-secret config.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search