AWS Fundamentals
AWS::SecretsManager::Secret

SecretsManager Secret

Creates a new secret. A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. For RDS master user credentials, see [AWS::RDS::DBCluster MasterUserSecret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html). For RS admin user credentials, see [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloud...

Properties

8 configurable properties.

| Property | Type | Flags |
| --- | --- | --- |
| Description | string | |
| GenerateSecretString | GenerateSecretString | Write-only |
| KmsKeyId | string | |
| Name | string | Create-only |
| ReplicaRegions | Array<ReplicaRegion> | |
| SecretString | string | Write-only |
| Tags | Array<Tag> | |
| Type | string | |

Return Values

Values returned after the resource is created. Access these with Fn::GetAtt.

| Attribute | Type | Description |
| --- | --- | --- |
| Id | string | - |

Sample CloudFormation Template

A minimal template with required properties and common optional ones.

template.yaml

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample template for AWS::SecretsManager::Secret

Resources:
  MyResource:
    Type: AWS::SecretsManager::Secret
    Properties:
      Tags:
        - Key: Environment
          Value: Production
      Description: !Ref "AWS::StackName"
      Name: !Ref "AWS::StackName"
```

Required IAM Permissions

Permissions CloudFormation needs in your IAM role to manage this resource.

create

- secretsmanager:DescribeSecret
- secretsmanager:GetRandomPassword
- secretsmanager:CreateSecret
- secretsmanager:TagResource
- secretsmanager:ReplicateSecretToRegions

delete

- secretsmanager:DeleteSecret
- secretsmanager:DescribeSecret
- secretsmanager:RemoveRegionsFromReplication

list

- secretsmanager:ListSecrets

read

- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue

update

- secretsmanager:UpdateSecret
- secretsmanager:TagResource
- secretsmanager:UntagResource
- secretsmanager:GetRandomPassword
- secretsmanager:GetSecretValue
- secretsmanager:ReplicateSecretToRegions
- secretsmanager:RemoveRegionsFromReplication

Quick Facts

| Fact | Value |
| --- | --- |
| Service | SecretsManager |
| Properties | 9 |
| Required | 0 |
| Tagging | Supported |
| Primary ID | Id |

Supported Operations

Create, Delete, List, Read, Update

Immutable After Creation

These properties cannot be changed after the resource is created. Updating them triggers a replacement.

Name
