
Data Source: awsSecretsmanagerSecretVersion

Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the awsSecretsmanagerSecret data source.

Example Usage

Retrieve Current Secret Version

By default, this data source retrieves information based on the AWSCURRENT staging label.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsSecretsmanagerSecretVersion.DataAwsSecretsmanagerSecretVersion(
  this,
  "secret-version",
  {
    secretId: "${data.aws_secretsmanager_secret.example.id}",
  }
);

Retrieve Specific Secret Version

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsSecretsmanagerSecretVersion.DataAwsSecretsmanagerSecretVersion(
  this,
  "by-version-stage",
  {
    secretId: "${data.aws_secretsmanager_secret.example.id}",
    versionStage: "example",
  }
);

Handling Key-Value Secret Strings in JSON

Reading key-value pairs from JSON back into a native Terraform map can be accomplished in Terraform 0.12 and later with the jsondecode() function:

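import * as cdktf from "cdktf";
new cdktf.TerraformOutput(this, "example", {
  value:
    '${jsondecode(data.aws_secretsmanager_secret_version.example.secret_string)["key1"]}',
  /*secret_string is a sensitive attribute, so an output derived from it
  must be marked sensitive; Terraform 0.15 and later reject it otherwise.*/
  sensitive: true,
});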
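
Because secretString and secretBinary hold the decrypted value, any output built from them should be marked sensitive. The check below is an added example, not part of the provider documentation: it scans synthesized Terraform JSON for outputs that reference those attributes without sensitive set to true. The function names and the sample input are constructed for illustration, and it assumes the Terraform JSON layout that cdktf synth writes (cdk.tf.json).

```typescript
// Added example: report Terraform outputs that expose this data source's
// secret_string / secret_binary without sensitive = true.
// Assumption: the input is Terraform JSON as synthesized by cdktf.
interface OutputBlock { value?: unknown; sensitive?: boolean }
interface TerraformJson { output?: Record<string, OutputBlock> }

// Matches e.g. data.aws_secretsmanager_secret_version.example.secret_string
const SECRET_REF =
  /data\.aws_secretsmanager_secret_version\.[A-Za-z0-9_-]+\.(secret_string|secret_binary)\b/;

// Collect every string nested inside an output value (strings, lists, maps).
function collectStrings(node: unknown, out: string[] = []): string[] {
  if (typeof node === "string") {
    out.push(node);
  } else if (Array.isArray(node)) {
    node.forEach((n) => collectStrings(n, out));
  } else if (node !== null && typeof node === "object") {
    const obj = node as Record<string, unknown>;
    Object.keys(obj).forEach((k) => collectStrings(obj[k], out));
  }
  return out;
}

// Names of outputs that reference the secret value and are not marked
// sensitive, sorted for stable reporting.
function findExposedSecretOutputs(synthesized: string): string[] {
  const outputs = (JSON.parse(synthesized) as TerraformJson).output || {};
  return Object.keys(outputs)
    .filter((name) => outputs[name].sensitive !== true)
    .filter((name) => collectStrings(outputs[name].value).some((s) => SECRET_REF.test(s)))
    .sort();
}

// Constructed sample input (not taken from a real stack).
const REF = "data.aws_secretsmanager_secret_version";
const SAMPLE = JSON.stringify({
  output: {
    example: { value: "${jsondecode(" + REF + '.example.secret_string)["key1"]}' },
    example_sensitive: { value: "${" + REF + ".example.secret_string}", sensitive: true },
    nested: { value: { blob: "${" + REF + ".by-version-stage.secret_binary}" } },
    secret_arn: { value: "${" + REF + ".example.arn}" },
  },
});

console.log(findExposedSecretOutputs(SAMPLE)); // [ 'example', 'nested' ]
```

Only outputs are inspected here; the decrypted value is still written to the Terraform state, so the state backend needs the same access controls as the secret itself.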

Argument Reference

  • secretId - (Required) Specifies the secret containing the version that you want to retrieve. You can specify either the ARN or the friendly name of the secret.
  • versionId - (Optional) Specifies the unique identifier of the version of the secret that you want to retrieve. Overrides versionStage.
  • versionStage - (Optional) Specifies the secret version that you want to retrieve by the staging label attached to the version. Defaults to AWSCURRENT.

Attributes Reference

  • arn - ARN of the secret.
  • id - Unique identifier of this version of the secret.
  • secretString - Decrypted part of the protected secret information that was originally provided as a string.
  • secretBinary - Decrypted part of the protected secret information that was originally provided as a binary.
  • versionId - Unique identifier of this version of the secret.