Stacktape docs




Secrets

Introduction

  • Secrets allow you to securely store credentials, API Keys and other secrets required by your applications, databases, services, and IT resources.
  • Secrets are stored within your AWS account using AWS Secrets Manager.

Managing secrets

  • You can store secrets either as simple strings (e.g. mypassword) or as hierarchical objects (e.g. { username: "username", password: "mypassword" }).
  • Secret names must use only Unicode characters and must be 1 - 512 characters long.
  • Secret values must be at most 65,536 bytes long.
  • Stacktape allows you to manage your secrets using CLI commands:

Creating and updating a secret

  • Use the secret-create command:
stacktape secret-create --region my-region
  • You will be prompted to input all the required values.
  • Updating a secret is done with the same command. If a secret with the given name already exists, you will be asked whether you want to update it.

Deleting a secret

stacktape secret-delete --region my-region

Getting a secret value

stacktape secret-get --region my-region

Referencing secrets

  • Secrets can be easily referenced within your configuration using a $Secret() directive.

  • If you create a secret named myDbPassword, you can reference it in your Stacktape configuration file.

resources:
  myDatabase:
    type: relational-database
    properties:
      engine:
        type: aurora-postgresql-serverless
      credentials:
        # using a simple string secret as the value
        masterUserName: $Secret('masterUserName')
        # using one field of an object (hierarchical) secret as the value
        masterUserPassword: $Secret('databaseCredentials.password')

After you update a secret, all of the already deployed stacks which are using this secret will keep using the old version. In order for the deployed stack to use the new (updated) version of the secret, you need to redeploy the stack.
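
A pre-deploy check for the $Secret() references described above, as an added example that is not part of the Stacktape docs or Stacktape's own code: it lists every reference in a configuration file and reports the ones that would not resolve. It assumes the text before the first dot is the secret name and the rest is a key of a JSON object secret; the function names, the apiKey and replicaPassword entries and the inventory are constructed for illustration.

```python
import json
import re

# Matches $Secret('name') and $Secret('name.key'), single or double quoted.
SECRET_REF = re.compile(r"""\$Secret\(\s*(['"])(?P<ref>[^'"]+)\1\s*\)""")

def find_secret_refs(config_text):
    """Return (line_number, reference) for each $Secret() directive outside comments."""
    refs = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # naive YAML comment strip, enough for a lint
        refs.extend((lineno, m.group("ref")) for m in SECRET_REF.finditer(code))
    return refs

def check_refs(config_text, inventory):
    """inventory maps secret name -> stored value (str). Returns a list of problems."""
    problems = []
    for lineno, ref in find_secret_refs(config_text):
        # Assumption: text before the first dot is the secret name, the rest is a key.
        name, _, key = ref.partition(".")
        if name not in inventory:
            problems.append(f"line {lineno}: secret '{name}' does not exist")
            continue
        if key:
            try:
                obj = json.loads(inventory[name])
            except ValueError:
                obj = None  # not JSON, so it is a simple string secret
            if not isinstance(obj, dict):
                problems.append(f"line {lineno}: '{name}' is a plain string, cannot read '{key}'")
            elif key not in obj:
                problems.append(f"line {lineno}: secret '{name}' has no key '{key}'")
    return problems

# Constructed sample config and inventory (placeholder values, not real secrets).
SAMPLE_CONFIG = """\
credentials:
  masterUserName: $Secret('masterUserName')
  masterUserPassword: $Secret('databaseCredentials.password')
  apiKey: $Secret('paymentsApiKey')
  replicaPassword: $Secret('masterUserName.password')
"""
SAMPLE_INVENTORY = {"masterUserName": "dbadmin",
                    "databaseCredentials": json.dumps({"username": "dbadmin", "password": "example-only"})}

if __name__ == "__main__":
    print("\n".join(check_refs(SAMPLE_CONFIG, SAMPLE_INVENTORY)))
```

Run against the sample, it reports the missing paymentsApiKey secret and the attempt to read a key from the string secret masterUserName.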