Package software.amazon.awscdk.services.secretsmanager

Class SecretTargetAttachment

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.Resource
software.amazon.awscdk.services.secretsmanager.SecretTargetAttachment
All Implemented Interfaces:
IEnvironmentAware, IResource, ISecret, ISecretTargetAttachment, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.119.0 (build 1634eac)", date="2025-11-20T23:37:30.122Z") @Stability(Stable) public class SecretTargetAttachment extends Resource implements ISecretTargetAttachment, ISecret
An attached secret.

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.secretsmanager.*;
 Secret secret;
 ISecretAttachmentTarget secretAttachmentTarget;
 SecretTargetAttachment secretTargetAttachment = SecretTargetAttachment.Builder.create(this, "MySecretTargetAttachment")
         .secret(secret)
         .target(secretAttachmentTarget)
         .build();

  • Field Details

    • PROPERTY_INJECTION_ID

      @Stability(Stable) public static final String PROPERTY_INJECTION_ID
      Uniquely identifies this class.

  • Constructor Details

    • SecretTargetAttachment

      protected SecretTargetAttachment(software.amazon.jsii.JsiiObjectRef objRef)

    • SecretTargetAttachment

      protected SecretTargetAttachment(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • SecretTargetAttachment

      @Stability(Stable) public SecretTargetAttachment(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull SecretTargetAttachmentProps props)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      props - This parameter is required.

  • Method Details

    • fromSecretTargetAttachmentSecretArn

      @Stability(Stable) @NotNull public static ISecretTargetAttachment fromSecretTargetAttachmentSecretArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String secretTargetAttachmentSecretArn)
      Parameters:
      scope - This parameter is required.
      id - This parameter is required.
      secretTargetAttachmentSecretArn - This parameter is required.

    • addRotationSchedule

      @Stability(Stable) @NotNull public RotationSchedule addRotationSchedule(@NotNull String id, @NotNull RotationScheduleOptions options)
      Adds a rotation schedule to the secret.

      Specified by:
      addRotationSchedule in interface ISecret
      Parameters:
      id - This parameter is required.
      options - This parameter is required.

    • addToResourcePolicy

      @Stability(Stable) @NotNull public AddToResourcePolicyResult addToResourcePolicy(@NotNull PolicyStatement statement)
      Forward any additions to the resource policy to the original secret.

      This is required because a secret can only have a single resource policy. If we do not forward policy additions, a new policy resource is created using the secret attachment ARN. This ends up being rejected by CloudFormation.

      Specified by:
      addToResourcePolicy in interface ISecret
      Parameters:
      statement - This parameter is required.

    • attach

      @Stability(Stable) @NotNull public ISecret attach(@NotNull ISecretAttachmentTarget target)
      Attach a target to this secret.

      Specified by:
      attach in interface ISecret
      Parameters:
      target - The target to attach. This parameter is required.
      Returns:
      An attached secret

    • cfnDynamicReferenceKey

      @Stability(Stable) @NotNull public String cfnDynamicReferenceKey(@Nullable SecretsManagerSecretOptions options)
      Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager.

      Specified by:
      cfnDynamicReferenceKey in interface ISecret
      Parameters:
      options - Options.
      See Also:

    • cfnDynamicReferenceKey

      @Stability(Stable) @NotNull public String cfnDynamicReferenceKey()
      Returns a key which can be used within an AWS CloudFormation dynamic reference to dynamically load this secret from AWS Secrets Manager.

      Specified by:
      cfnDynamicReferenceKey in interface ISecret
      See Also:

    • denyAccountRootDelete

      @Stability(Stable) public void denyAccountRootDelete()
      Denies the DeleteSecret action to all principals within the current account.
      Specified by:
      denyAccountRootDelete in interface ISecret

    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee, @Nullable List<String> versionStages)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.
      versionStages -

    • grantRead

      @Stability(Stable) @NotNull public Grant grantRead(@NotNull IGrantable grantee)
      Grants reading the secret value to some role.

      Specified by:
      grantRead in interface ISecret
      Parameters:
      grantee - This parameter is required.

    • grantWrite

      @Stability(Stable) @NotNull public Grant grantWrite(@NotNull IGrantable grantee)
      Grants writing and updating the secret value to some role.

      Specified by:
      grantWrite in interface ISecret
      Parameters:
      grantee - This parameter is required.

    • secretValueFromJson

      @Stability(Stable) @NotNull public SecretValue secretValueFromJson(@NotNull String jsonField)
      Interpret the secret as a JSON object and return a field's value from it as a SecretValue.

      Specified by:
      secretValueFromJson in interface ISecret
      Parameters:
      jsonField - This parameter is required.

    • getArnForPolicies

      @Stability(Stable) @NotNull protected String getArnForPolicies()
      Provides an identifier for this secret for use in IAM policies.

      If there is a full ARN, this is just the ARN; if we have a partial ARN -- due to either importing by secret name or partial ARN -- then we need to add a suffix to capture the full ARN's format.

    • getAutoCreatePolicy

      @Stability(Stable) @NotNull protected Boolean getAutoCreatePolicy()

    • getSecretArn

      @Stability(Stable) @NotNull public String getSecretArn()
      The ARN of the secret in AWS Secrets Manager.

      Will return the full ARN if available, otherwise a partial arn. For secrets imported by the deprecated fromSecretName, it will return the secretName.

      Specified by:
      getSecretArn in interface ISecret

    • getSecretName

      @Stability(Stable) @NotNull public String getSecretName()
      The name of the secret.

      For "owned" secrets, this will be the full resource name (secret name + suffix), unless the '@aws-cdk/aws-secretsmanager:parseOwnedSecretName' feature flag is set.

      Specified by:
      getSecretName in interface ISecret

    • getSecretTargetAttachmentSecretArn

      @Stability(Stable) @NotNull public String getSecretTargetAttachmentSecretArn()
      Same as secretArn.
      Specified by:
      getSecretTargetAttachmentSecretArn in interface ISecretTargetAttachment

    • getSecretValue

      @Stability(Stable) @NotNull public SecretValue getSecretValue()
      Retrieve the value of the stored secret as a SecretValue.
      Specified by:
      getSecretValue in interface ISecret

    • getEncryptionKey

      @Stability(Stable) @Nullable public IKey getEncryptionKey()
      The customer-managed encryption key that is used to encrypt this secret, if any.

      When not specified, the default KMS key for the account and region is being used.

      Specified by:
      getEncryptionKey in interface ISecret

    • getSecretFullArn

      @Stability(Stable) @Nullable public String getSecretFullArn()
      The full ARN of the secret in AWS Secrets Manager, which is the ARN including the Secrets Manager-supplied 6-character suffix.

      This is equal to secretArn in most cases, but is undefined when a full ARN is not available (e.g., secrets imported by name).

      Specified by:
      getSecretFullArn in interface ISecret