{"id":9526,"library":"aws-cdk-aws-secretsmanager","title":"AWS CDK AWS Secrets Manager (v1)","description":"The `aws-cdk-aws-secretsmanager` package provides AWS Cloud Development Kit (CDK) constructs for defining and managing AWS Secrets Manager resources. This package is part of the AWS CDK v1 ecosystem, allowing developers to provision secrets, configure their rotation, and manage access policies using Python. AWS CDK generally follows a frequent release cadence, often coinciding with new AWS service features. The current version, 1.204.0, is specific to CDK v1.","status":"active","version":"1.204.0","language":"en","source_language":"en","source_url":"https://github.com/aws/aws-cdk.git","tags":["aws","cdk","cloud","iac","secrets","secretsmanager","security"],"install":[{"cmd":"pip install aws-cdk.core aws-cdk.aws-secretsmanager","lang":"bash","label":"Install for AWS CDK v1"},{"cmd":"pip install aws-cdk-lib","lang":"bash","note":"For CDK v2, Secrets Manager constructs are part of `aws-cdk-lib`.","label":"Install for AWS CDK v2 (recommended for new projects)"}],"dependencies":[{"reason":"Required for all AWS CDK v1 applications to function as the core construct library.","package":"aws-cdk.core"}],"imports":[{"note":"In AWS CDK v1, service constructs modules are prefixed with `aws_` (e.g., `aws_secretsmanager`), not just the service name.","wrong":"from aws_cdk import secretsmanager","symbol":"Secret","correct":"from aws_cdk import aws_secretsmanager\n# or\nfrom aws_cdk.aws_secretsmanager import Secret"}],"quickstart":{"code":"# CDK v1: App, Stack and Construct are exported by aws_cdk.core\nfrom aws_cdk import aws_secretsmanager as secretsmanager\nfrom aws_cdk.core import App, Construct, Stack\n\nclass MySecretsStack(Stack):\n    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:\n        super().__init__(scope, construct_id, **kwargs)\n\n        # Define a new secret with a generated password\n        my_app_secret = secretsmanager.Secret(self, \"MyAppSecret\",\n            description=\"A secret for my 
application\",\n            generate_secret_string=secretsmanager.SecretStringGenerator(\n                password_length=20,\n                exclude_characters='@/\" '\n            )\n        )\n\n        # You can also define a secret with a specific value (e.g., loaded from env var)\n        # Note: Avoid hardcoding sensitive values directly\n        # my_static_secret = secretsmanager.Secret(self, \"MyStaticSecret\",\n        #     secret_string=\"my-super-secret-value\"\n        # )\n\n        # To reference the secret ARN, for example, for a policy or output\n        # print(f\"Secret ARN: {my_app_secret.secret_arn}\")\n\napp = App()\nMySecretsStack(app, \"MySecretsStackExample\")\napp.synth()","lang":"python","description":"This quickstart demonstrates how to define a new secret using `aws-cdk.aws-secretsmanager`. It creates a secret with a generated random password, which is a common pattern for database credentials or API keys. Remember that sensitive values should not be hardcoded directly into your CDK code."},"warnings":[{"fix":"For new projects, use `aws-cdk-lib` and its corresponding import paths (e.g., `from aws_cdk import aws_secretsmanager`). For existing v1 projects, refer to the AWS CDK migration guide for upgrading to v2.","message":"AWS CDK v1 (`aws-cdk.aws-secretsmanager`) is a separate major version from AWS CDK v2 (`aws-cdk-lib`). V1 packages are not compatible with V2. New projects should generally start with V2.","severity":"breaking","affected_versions":"All v1.x.x versions when migrating to v2.x.x"},{"fix":"Use `secret.secret_value.to_string()` or `secret.secret_value.unsafe_unwrap()` when passing the value to other CloudFormation resources (e.g., environment variables for Lambda). For runtime retrieval, your application code (e.g., Lambda, EC2) must use the AWS SDK to fetch the secret's value by its ARN or name.","message":"Retrieving secret values in plaintext requires careful handling. 
`secret.secret_value` returns a token (e.g., `CfnDynamicReference`), not the actual plaintext value, during synthesis. To use the value, you often need `secret.secret_value.to_string()` for CloudFormation parameters, or you must retrieve it at application runtime.","severity":"gotcha","affected_versions":"All v1.x.x versions"},{"fix":"Ensure the required Lambda function, IAM roles, and permissions are correctly set up and associated with the secret's rotation schedule. Refer to the AWS CDK documentation for specific service integration examples (e.g., `Secret.add_rotation_schedule()` and `RotationSchedule.add_target()`).","message":"Configuring automatic secret rotation for services like RDS, Redshift, or DocumentDB requires a custom Lambda function and appropriate permissions, which need to be explicitly defined in your CDK stack. The `add_rotation_schedule` method helps but still relies on these underlying resources.","severity":"gotcha","affected_versions":"All v1.x.x versions"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Ensure you have `aws-cdk.core` and `aws-cdk.aws-secretsmanager` installed for v1: `pip install aws-cdk.core aws-cdk.aws-secretsmanager`. If you intend to use v2, switch to `aws-cdk-lib` and update your import statements (e.g., `from aws_cdk import aws_secretsmanager`).","cause":"The `aws-cdk.aws-secretsmanager` package has not been installed, or you are trying to use v1 import paths with a v2 (`aws-cdk-lib`) installation.","error":"ModuleNotFoundError: No module named 'aws_cdk.aws_secretsmanager'"},{"fix":"Verify your `pip freeze` output to confirm the installed CDK version. If on v2, use `from aws_cdk import aws_secretsmanager` and access `secretsmanager.Secret`. 
If on v1, ensure the `aws-cdk.aws-secretsmanager` package is installed and your imports are correct as shown in the quickstart.","cause":"You likely have AWS CDK v2 (`aws-cdk-lib`) installed but are attempting to use import syntax or class names from AWS CDK v1, or there's a typo in the class name.","error":"AttributeError: module 'aws_cdk.aws_secretsmanager' has no attribute 'Secret'"},{"fix":"When referencing secret values for CloudFormation properties, use the appropriate method to convert the secret value token: `my_secret.secret_value.to_string()` or `my_secret.secret_value_from_json('username').to_string()` for specific JSON fields.","cause":"You are attempting to pass a raw string directly to a CDK construct property that expects a secret token or reference (e.g., `secret.secret_value.to_string()`).","error":"TypeError: Expected token, got <class 'str'>"}]}