Secret
The cloud.Secret class represents a secret value (like an API key, certificate, etc.) that is securely stored in the cloud.
Secrets are encrypted at rest and in transit, and are only decrypted when they are used in a task. Storing a secret allows you to use the value in different compute tasks while only having to rotate or revoke it in one place.
You can use the wing secrets command to store secrets in the target platform.
Usage
Defining a secret
bring cloud;
let secret = new cloud.Secret(
  name: "my-secret", // optional, defaults to a generated name
);
Before deploying your application, you will be expected to store the secret value in a secure place according to the target-specific instructions below.
Retrieving secret values
bring cloud;
let secret = new cloud.Secret(
  name: "my-api-key",
);
new cloud.Function(inflight () => {
  let secretValue = secret.value(); // retrieve the secret as a `str` value
  let secretValueAsJson = secret.valueJson(); // retrieve the secret as a `Json` value
});
Target-specific details
Simulator (sim)
When using a secret in Wing's simulator, a secrets file must be added to your project in a file called .env.
The simulator will look up secrets in this file by their name.
Secrets should be saved in a key=value format:
# .env
my-api-key=1234567890
secret-key=secret-value
AWS (tf-aws and awscdk)
AWS implementations of cloud.Secret use AWS Secrets Manager.
Before deploying your application, you must create a secret in the AWS account with the same name as the secret in your Wing application.
You can do this using the AWS CLI:
aws secretsmanager create-secret --name my-api-key --secret-string 1234567890
It's also possible to create a secret using the AWS console. See AWS documentation for more details.
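The CLI command above passes the secret value as a command-line argument, where it can end up in shell history and in the process list. The following added example (not part of the Wing documentation) reads the value from standard input and hands it to the AWS CLI through its file:// parameter syntax. The function name store_wing_secret and the AWS_CLI variable are assumptions made for this example.

```shell
# Added example: create the AWS secret for a Wing cloud.Secret without
# putting the value in argv. The value is read from standard input.
# Assumptions: store_wing_secret and AWS_CLI are names made up for this
# example; AWS_CLI selects the CLI binary and defaults to "aws".
#
# Usage: store_wing_secret my-api-key < api-key.txt

store_wing_secret() {
  name=$1
  if [ -z "$name" ]; then
    echo "usage: store_wing_secret NAME < value" >&2
    return 2
  fi

  # Read the whole value from stdin; $(...) drops trailing newlines so a
  # stray newline from an editor or echo does not become part of the secret.
  value=$(cat)
  if [ -z "$value" ]; then
    echo "store_wing_secret: empty secret value on stdin" >&2
    return 1
  fi

  # mktemp creates the file with owner-only permissions (0600).
  tmp=$(mktemp) || return 1
  printf '%s' "$value" > "$tmp"
  unset value

  # file:// makes the AWS CLI load the parameter value from the file, so
  # only the temp path appears on the command line.
  rc=0
  "${AWS_CLI:-aws}" secretsmanager create-secret \
    --name "$name" \
    --secret-string "file://$tmp" || rc=$?

  # Remove the plaintext copy whether or not the call succeeded.
  rm -f "$tmp"
  return "$rc"
}
```

The name passed to the function must match the name given to cloud.Secret in the Wing application, as described above.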
Azure (tf-azure)
🚧 Not supported yet (tracking issue: #2178)
GCP (tf-gcp)
🚧 Not supported yet (tracking issue: #2179)
API Reference
Secret
A cloud secret.
Initializers
bring cloud;
new cloud.Secret(props?: SecretProps);
Name | Type | Description |
---|---|---|
props | SecretProps | No description. |
props
Optional
- Type: SecretProps
Methods
Inflight Methods
Name | Description |
---|---|
value | Retrieve the value of the secret. |
valueJson | Retrieve the Json value of the secret. |
value
inflight value(options?: GetSecretValueOptions): str
Retrieve the value of the secret.
options
Optional
- Type: GetSecretValueOptions
valueJson
inflight valueJson(options?: GetSecretValueOptions): Json
Retrieve the Json value of the secret.
options
Optional
- Type: GetSecretValueOptions
Static Functions
Name | Description |
---|---|
onLiftType | A hook called by the Wing compiler once for each inflight host that needs to use this type inflight. |
toInflight | Generates an asynchronous JavaScript statement which can be used to create an inflight client for a resource. |
onLiftType
bring cloud;
cloud.Secret.onLiftType(host: IInflightHost, ops: MutArray<str>);
A hook called by the Wing compiler once for each inflight host that needs to use this type inflight.
The list of requested inflight methods needed by the inflight host is given by ops.
This method is commonly used for adding permissions, environment variables, or other capabilities to the inflight host.
host
Required
- Type: IInflightHost
ops
Required
- Type: MutArray<str>
toInflight
bring cloud;
cloud.Secret.toInflight(obj: IResource);
Generates an asynchronous JavaScript statement which can be used to create an inflight client for a resource.
NOTE: This statement must be executed within an async context.
obj
Required
- Type: IResource
Properties
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
name | str | Get secret name. |
node
Required
node: Node;
- Type: constructs.Node
The tree node.
name
Optional
name: str;
- Type: str
Get secret name.
Structs
GetSecretValueOptions
Options when getting a secret value.
Initializer
bring cloud;
let GetSecretValueOptions = cloud.GetSecretValueOptions{ ... };
Properties
Name | Type | Description |
---|---|---|
cache | bool | Whether to cache the value. |
cache
Optional
cache: bool;
- Type: bool
- Default: true
Whether to cache the value.
SecretProps
Options for Secret.
Initializer
bring cloud;
let SecretProps = cloud.SecretProps{ ... };
Properties
Name | Type | Description |
---|---|---|
name | str | The secret's name. |
name
Optional
name: str;
- Type: str
- Default: a new secret is provisioned with a generated name
The secret's name.
If no name is provided then a new secret is provisioned in the target. If a name is provided then the resource will reference an existing secret in the target.