
Data Source: awsKmsSecrets

Decrypt multiple secrets from data encrypted with the AWS KMS service.

~> NOTE: Using this data source lets you conceal secret data within your resource definitions, but it does not protect that data in Terraform logging or state output: the decrypted plaintext attribute is stored in the state file like any other data source attribute. Please take care to secure your secret data beyond just the Terraform configuration.

Example Usage

If you do not already have a ciphertextBlob from encrypting a KMS secret, you can use the commands below to obtain one with the AWS CLI kms encrypt command. This requires a correctly configured AWS CLI; replace the --key-id with your own. Alternatively, you can pass --plaintext 'master-password' (CLI v1) or --plaintext fileb://<(echo -n 'master-password') (CLI v2) instead of reading from a file.

-> If you have a newline character at the end of your file, it will be decrypted with that newline character intact. For most use cases this is undesirable and leads to incorrect passwords or invalid values, as well as possible changes in the plan. Be sure to use echo -n if necessary.

-> If you are using asymmetric keys, ensure you use the same encryption algorithm when you encrypt and when you decrypt, or the decrypt phase will fail with IncorrectKeyException.

$ echo -n 'master-password' > plaintext-password
$ aws kms encrypt --key-id ab123456-c012-4567-890a-deadbeef123 --plaintext fileb://plaintext-password --encryption-context foo=bar --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
$ aws kms encrypt --key-id ab123456-c012-4567-890a-deadbeef123 --plaintext fileb://plaintext-password --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
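The following script is an added example, not part of the provider documentation, that wraps the CLI procedure above and guards against the two pitfalls it warns about: a trailing newline in the plaintext file, and a mismatched encryption context or algorithm. It assumes the AWS CLI v2 is configured and that a hypothetical KMS_KEY_ID environment variable holds your key id or ARN; the foo=bar encryption context is the one used on this page and must match the data source's context map.

```shell
#!/bin/sh
# Added example (not from the provider docs): produce a ciphertext blob for
# aws_kms_secrets and verify it before it goes into a Terraform configuration.
# Assumptions: AWS CLI v2 configured; KMS_KEY_ID (hypothetical variable) set
# to your key id or ARN; foo=bar is the context the data source will supply.
set -eu

# Must match the data source's context argument exactly; KMS treats it as
# additional authenticated data, so a mismatch makes kms:Decrypt fail.
kms_context="foo=bar"

# Succeeds when the last byte of file $1 is a newline (0x0a).
has_trailing_newline() {
  [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Copies file $1 to $2, dropping exactly one trailing newline if present.
strip_trailing_newline() {
  if has_trailing_newline "$1"; then
    size=$(wc -c < "$1" | tr -d ' ')
    dd if="$1" of="$2" bs=1 count=$((size - 1)) 2>/dev/null
  else
    cp "$1" "$2"
  fi
}

# Base64 ciphertext of file $1 under a symmetric key, bound to kms_context.
encrypt_symmetric() {
  aws kms encrypt --key-id "$KMS_KEY_ID" --plaintext "fileb://$1" \
    --encryption-context "$kms_context" --output text --query CiphertextBlob
}

# Same for an RSA key. Asymmetric keys take no encryption context, and the
# algorithm chosen here must be repeated in the secret's encryptionAlgorithm
# argument (together with keyId) or decryption fails.
encrypt_asymmetric() {
  aws kms encrypt --key-id "$KMS_KEY_ID" --plaintext "fileb://$1" \
    --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query CiphertextBlob
}

# Round trip: decrypt blob $1 (base64) under kms_context and compare the
# result byte for byte with file $2, so a stray newline or wrong context is
# caught before the blob lands in a Terraform configuration.
verify_roundtrip() {
  tmp=$(mktemp)
  printf '%s' "$1" | base64 --decode > "$tmp"
  aws kms decrypt --ciphertext-blob "fileb://$tmp" \
    --encryption-context "$kms_context" --output text --query Plaintext \
    | base64 --decode | cmp -s - "$2"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: KMS_KEY_ID=... sh encrypt-secret.sh plaintext-password
# The pipeline only runs when a file and a key id are given, so the helper
# functions above can be exercised without AWS access.
if [ "$#" -ge 1 ] && [ -n "${KMS_KEY_ID:-}" ]; then
  src=$1
  clean=$(mktemp)
  if has_trailing_newline "$src"; then
    echo "warning: $src ends with a newline; stripping it before encryption" >&2
  fi
  strip_trailing_newline "$src" "$clean"
  blob=$(encrypt_symmetric "$clean")
  if verify_roundtrip "$blob" "$clean"; then
    printf '%s\n' "$blob"
  else
    echo "error: decrypted value does not match the plaintext" >&2
    rm -f "$clean"
    exit 1
  fi
  rm -f "$clean"
fi
```

The round-trip check is the part worth keeping even if you encrypt by hand: it decrypts with the same context the data source will use, so a context typo or a trailing newline shows up as a cmp mismatch on your workstation rather than as a wrong database password after terraform apply.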

That encrypted output can now be inserted into Terraform configurations without exposing the plaintext secret directly.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Each secret is decrypted with kms:Decrypt when the data source is read. The
// context must match the encryption context used at encrypt time exactly;
// KMS treats it as additional authenticated data, so a mismatch fails decryption.
const dataAwsKmsSecretsExample = new aws.dataAwsKmsSecrets.DataAwsKmsSecrets(
  this,
  "example",
  {
    secret: [
      {
        // context is a string map in the generated bindings (HCL: context = { foo = "bar" })
        context: {
          foo: "bar",
        },
        name: "master_password",
        payload:
          "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==",
      },
      {
        // No context here: this payload was encrypted without one.
        name: "master_username",
        payload:
          "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==",
      },
    ],
  }
);
// plaintext is a map keyed by secret name. The interpolation below renders as
// ${data.aws_kms_secrets.example.plaintext["master_password"]} in the synthesized
// HCL; the decrypted values end up in state, per the note at the top of this page.
const awsRdsClusterExample = new aws.rdsCluster.RdsCluster(this, "example_1", {
  masterPassword: `\${${dataAwsKmsSecretsExample.plaintext.fqn}["master_password"]}`,
  masterUsername: `\${${dataAwsKmsSecretsExample.plaintext.fqn}["master_username"]}`,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRdsClusterExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • secret - (Required) One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

Secret Definitions

Each secret supports the following arguments:

  • name - (Required) Name to export this secret under in the attributes.
  • payload - (Required) Base64 encoded payload, as returned from a KMS encrypt operation.
  • context - (Optional) An optional mapping that makes up the Encryption Context for the secret.
  • grantTokens - (Optional) An optional list of Grant Tokens for the secret.
  • encryptionAlgorithm - (Optional) The encryption algorithm that will be used to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key. Valid Values: SYMMETRIC_DEFAULT | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256 | SM2PKE
  • keyId - (Optional) Specifies the KMS key that AWS KMS uses to decrypt the ciphertext. This parameter is required only when the ciphertext was encrypted under an asymmetric KMS key.

For more information on context and grantTokens, see the KMS Concepts documentation.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • plaintext - Map containing each secret name as the key with its decrypted plaintext value