How to create an AWS secret of type other using cdk

Question

I am using python with cdk. I have one stack that creates a dynamo db table with a random name in one account and multiple stacks running in other accounts that need to get that randomly generated table name. Due to the limitation of SSM parameters not allowing cross account access, I am using secrets manager instead

Here is my code

secretsmanager.Secret(self, "cdk-generated-secret",
                      secret_name="cdk-generated-secret-name",
                      secret_string_value="{'db-name': str_table_name }"
                      )

This is the error I am getting

type of argument secret_string_value must be one of (aws_cdk.SecretValue, NoneType); got str instead

This is a plain text string and doesn't need to be encrypted. How to write such a key value string to the secret and then later read it? Is there a way to read the secret values without using the randomly generated suffix?

Answer 1

Secrets manager API everything is encrypted, it does not support unencrypted data like SSM Param store does.

1. Have or Create customer managed KMS Key.
2. Change key policy to allow other account to access key.
3. Use that KMS Key when storing Secret.
4. Add a policy to secret that allows other account to access.

AWS Support Article on sharing Secrets across accounts: https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/

Look closely at the costs as secrets manager may not be what you want.

Answer 2

Use SecretValue.unsafe_plain_text to set a CDK Secret's plaintext value. The table_name attribute will be resolved to the DynamoDB table's actual name at deploy time. Key-value pairs can be set with the secret_object_value argument:

secretsmanager.Secret(
    self,
    "PlaintextKeyValueTableNameSecret",
    secret_object_value={
        "db-name": SecretValue.unsafe_plain_text(table.table_name)
    },
)

Note: Secrets Manager is a relatively expensive way to share non-secret config.