Secrets

Introduction

Secrets allow you to securely store credentials, API Keys and other secrets required by your applications, databases, services, and IT resources.
Secrets are stored within your AWS account using AWS Secrets Manager.

Managing secrets

You can store secrets in 2 ways:
- simple strings, e.g. mypassword
- json objects, such as { "username": "my-username", "password": "my-password" }
Secret names must use only Unicode characters and must be 1 - 512 characters long.
Secret values must be at most 65,536 bytes long.
Stacktape allows you to manage your secrets using CLI commands:

Creating and updating a secret

using secret:create command


Copy
stacktape secret:create --region my-region

You will be prompted to input all the required values.
Updating the secret can be done using the same command. If the secret with the given name already exists, you will be prompted if you want to update it.

Deleting a secret

using secret:delete command


Copy
stacktape secret:delete --region my-region

Getting a secret value

using secret:get command


Copy
stacktape secret:get --region my-region

Referencing secrets

Secrets can be easily referenced within your configuration using a $Secret() directive.


Copy
resources:
  myDatabase:
    type: relational-database
    properties:
      engine:
        type: aurora-postgresql-serverless
      credentials:
        # using a simple string as a secret value, e.g. "my-password"
        masterUserName: $Secret('masterUserName')
        # using an object as a secret value, e.g. "{ password: "my-password" }"
        masterUserPassword: $Secret('databaseCredentials.password')

After you update a secret, all of the already deployed stacks which are using this secret will keep using the old version. In order for the deployed stack to use the new (updated) version of the secret, you need to redeploy the stack.

Pricing

You are charged $0.4 / month for every existing secret