or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

appconfig.mdbase.mddynamodb.mdindex.mdsecrets.mdssm.md
tile.json

secrets.mddocs/

Secrets Manager

Retrieves secrets from AWS Secrets Manager with automatic caching and transformation support.

← Back to Overview

Note: getMultiple not supported for Secrets Manager.

API Reference

function getSecret<T>(name: string, options?: SecretsGetOptions): Promise<T | undefined>;

class SecretsProvider extends BaseProvider {
  constructor(config?: SecretsProviderOptions);
  get<T>(name: string, options?: SecretsGetOptions): Promise<T | undefined>;
}

interface SecretsGetOptions {
  maxAge?: number;
  forceFetch?: boolean;
  transform?: 'json' | 'binary';
  sdkOptions?: Omit<Partial<GetSecretValueCommandInput>, 'SecretId'>;
}

type SecretsProviderOptions = { clientConfig?: SecretsManagerClientConfig } | { awsSdkV3Client?: SecretsManagerClient };

Usage Patterns

Basic Retrieval

import { getSecret } from '@aws-lambda-powertools/parameters/secrets';

// By name
const secret = await getSecret('my-secret');

// By ARN
const secretArn = await getSecret('arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-abc123');

// Parse JSON
interface DBCreds { username: string; password: string; host: string; port: number; }
const creds = await getSecret<DBCreds>('db-creds', { transform: 'json' });

// Decode binary
const binarySecret = await getSecret('my-binary-secret', { transform: 'binary' });

// Custom cache
const cached = await getSecret('my-secret', { maxAge: 300, forceFetch: true });

Version and Rotation

// Specific version
const versioned = await getSecret('my-secret', {
  sdkOptions: { VersionId: 'version-uuid' }
});

// Current version (default)
const current = await getSecret('rotated-secret', {
  sdkOptions: { VersionStage: 'AWSCURRENT' }
});

// Previous version (during rotation)
const previous = await getSecret('rotated-secret', {
  sdkOptions: { VersionStage: 'AWSPREVIOUS' }
});

Provider Class

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';
import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';

// Default config
const provider = new SecretsProvider();

// Custom region
const customProvider = new SecretsProvider({
  clientConfig: { region: 'us-west-2', maxAttempts: 3 }
});

// Custom client (for X-Ray tracing, etc.)
const client = new SecretsManagerClient({ region: 'eu-west-1' });
const providerWithClient = new SecretsProvider({ awsSdkV3Client: client });

// Use provider
const apiKey = await provider.get('api-key', { maxAge: 3600 });
const config = await provider.get('db/config', { transform: 'json' });

// Cache management
provider.clearCache(); // e.g., after rotation
if (provider.hasKeyExpiredInCache('api-key')) console.log('Expired');

// Multiple regions
const usProvider = new SecretsProvider({ clientConfig: { region: 'us-east-1' } });
const euProvider = new SecretsProvider({ clientConfig: { region: 'eu-west-1' } });

Secret Value Types

  • String secrets: Returned as string (API keys, passwords, JSON configs)
  • Binary secrets: Returned as Uint8Array (certificates, encryption keys)
  • Use transform: 'binary' to decode binary to string
  • Use transform: 'json' to parse JSON strings

Rotation Best Practices

  • Set maxAge based on rotation schedule
  • Use forceFetch: true after rotation to bypass cache
  • Call clearCache() to refresh all secrets
  • Use VersionStage for version-specific retrieval during transitions

IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": ["arn:aws:secretsmanager:region:account-id:secret:secret-name-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["arn:aws:kms:region:account-id:key/key-id"]
    }
  ]
}