Secret

The cloud.Secret class represents a secret value (like an API key, certificate, etc.) that is securely stored in the cloud.

Secrets are encrypted at rest and in transit, and are only decrypted when they are used in a task. Storing a secret allows you to use the value in different compute tasks while only having to rotate or revoke it in one place.

Usage

Defining a secret

bring cloud;

let secret = new cloud.Secret(
  name: "my-secret", // optional, defaults to a generated name
);

Before deploying your application, you will be expected to store the secret value in a secure place according to the target-specific instructions below.

Retrieving secret values

bring cloud;

let secret = new cloud.Secret(
  name: "my-api-key",
);

new cloud.Function(inflight () => {
  let secretValue = secret.value(); // retrieve the secret as a `str` value
  let secretValueAsJson = secret.valueJson(); // retrieve the secret as a `Json` value
});

Target-specific details

Simulator (sim)

When using a secret in Wing's simulator, you must add a secrets file named .env to your project. The simulator looks up secrets in this file by their name. Secrets should be saved in key=value format:

# .env
my-api-key=1234567890
secret-key=secret-value
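
A pre-flight check for the simulator setup described above, added here as an example (it is not part of Wing or its documentation): it extracts explicitly named secrets from Wing source and reports names that are missing from, or empty in, .env. The regex-based extraction, the function names, the handling of # comments and the sample inputs are assumptions made for illustration; secrets declared without a name cannot be checked this way.

```python
import re

# Matches the name passed to a cloud.Secret, including the multi-line form.
SECRET_NAME_RE = re.compile(r'cloud\.Secret\(\s*name:\s*"([^"]+)"')

def declared_secret_names(wing_source):
    """Return the set of explicitly named secrets found in Wing source text."""
    return set(SECRET_NAME_RE.findall(wing_source))

def parse_env(env_text):
    """Parse key=value lines; '#' comments and lines without '=' are skipped (assumption)."""
    entries = {}
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries

def check_secrets(wing_source, env_text):
    """Return (missing, empty): names absent from .env and names with no value."""
    env = parse_env(env_text)
    names = declared_secret_names(wing_source)
    missing = sorted(n for n in names if n not in env)
    empty = sorted(n for n in names if n in env and env[n] == "")
    return missing, empty

# Constructed sample inputs (not taken from a real project).
SAMPLE_WING = '''
bring cloud;
let apiKey = new cloud.Secret(
  name: "my-api-key",
);
let dbPass = new cloud.Secret(name: "db-password") as "DbPassword";
let token = new cloud.Secret(name: "webhook-token") as "WebhookToken";
'''
SAMPLE_ENV = '''
# .env
my-api-key=1234567890
webhook-token=
'''

if __name__ == "__main__":
    missing, empty = check_secrets(SAMPLE_WING, SAMPLE_ENV)
    # Report names only; never print the secret values themselves.
    print("missing from .env:", missing)
    print("present but empty:", empty)
```
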

AWS (tf-aws and awscdk)

AWS implementations of cloud.Secret use AWS Secrets Manager. Before deploying your application, you must create a secret in the AWS account with the same name as the secret in your Wing application. You can do this using the AWS CLI:

aws secretsmanager create-secret --name my-api-key --secret-string 1234567890

It's also possible to create a secret using the AWS console. See AWS documentation for more details.

Azure (tf-azure)

🚧 Not supported yet (tracking issue: #2178)

GCP (tf-gcp)

🚧 Not supported yet (tracking issue: #2179)

API Reference

Secret

A cloud secret.

Initializers

bring cloud;

new cloud.Secret(props?: SecretProps);

| Name | Type | Description |
| --- | --- | --- |
| props | SecretProps | No description. |

props (Optional)

Methods

Inflight Methods

| Name | Description |
| --- | --- |
| value | Retrieve the value of the secret. |
| valueJson | Retrieve the Json value of the secret. |

value
inflight value(options?: GetSecretValueOptions): str

Retrieve the value of the secret.

options (Optional)

valueJson
inflight valueJson(options?: GetSecretValueOptions): Json

Retrieve the Json value of the secret.

options (Optional)

Static Functions

| Name | Description |
| --- | --- |
| onLiftType | A hook called by the Wing compiler once for each inflight host that needs to use this type inflight. |

onLiftType
bring cloud;

cloud.Secret.onLiftType(host: IInflightHost, ops: MutArray<str>);

A hook called by the Wing compiler once for each inflight host that needs to use this type inflight.

The list of requested inflight methods needed by the inflight host is given by ops.

This method is commonly used for adding permissions, environment variables, or other capabilities to the inflight host.

host (Required)

ops (Required)
  • Type: MutArray<str>

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| name | str | Get secret name. |

node (Required)
node: Node;
  • Type: constructs.Node

The tree node.


name (Optional)
name: str;
  • Type: str

Get secret name.


Structs

GetSecretValueOptions

Options when getting a secret value.

Initializer

bring cloud;

let GetSecretValueOptions = cloud.GetSecretValueOptions{ ... };

Properties

| Name | Type | Description |
| --- | --- | --- |
| cache | bool | Whether to cache the value. |

cache (Optional)
cache: bool;
  • Type: bool
  • Default: true

Whether to cache the value.


SecretProps

Options for Secret.

Initializer

bring cloud;

let SecretProps = cloud.SecretProps{ ... };

Properties

| Name | Type | Description |
| --- | --- | --- |
| name | str | The secret's name. |

name (Optional)
name: str;
  • Type: str
  • Default: a new secret is provisioned with a generated name

The secret's name.

If no name is provided then a new secret is provisioned in the target. If a name is provided then the resource will reference an existing secret in the target.