Class SecretsProvider

Intro

The Parameters utility provides a SecretsProvider that allows to retrieve secrets from AWS Secrets Manager.

Getting started

This utility supports AWS SDK v3 for JavaScript only (@aws-sdk/client-secrets-manager). This allows the utility to be modular, and you to install only the SDK packages you need and keep your bundle size small.

Basic usage

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret
  const secret = await secretsProvider.get('my-secret');
};

If you want to retrieve secrets without customizing the provider, you can use the getSecret function instead.

Advanced usage

Caching

By default, the provider will cache parameters retrieved in-memory for 5 seconds. You can adjust how long values should be kept in cache by using the maxAge parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and cache it for 10 seconds
  const secret = await secretsProvider.get('my-secret', { maxAge: 10 });
};

If instead you'd like to always ensure you fetch the latest parameter from the store regardless if already available in cache, use the forceFetch parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and always fetch the latest value
  const secret = await secretsProvider.get('my-secret', { forceFetch: true });
};

Transformations

For parameters stored in JSON or Base64 format, you can use the transform argument for deserialization.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and parse it as JSON
  const secret = await secretsProvider.get('my-secret', { transform: 'json' });
};

Extra SDK options

When retrieving a secret, you can pass extra options to the AWS SDK v3 for JavaScript client by using the sdkOptions parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and pass extra options to the AWS SDK v3 for JavaScript client
  const secret = await secretsProvider.get('my-secret', {
    sdkOptions: {
      VersionId: 1,
    },
  });
};

This object accepts the same options as the AWS SDK v3 for JavaScript Secrets Manager client.

Customize AWS SDK v3 for JavaScript client

By default, the provider will create a new Secrets Manager client using the default configuration.

You can customize the client by passing a custom configuration object to the provider.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider({
 clientConfig: { region: 'eu-west-1' },
});

This object accepts the same options as the AWS SDK v3 for JavaScript Secrets Manager client.

Otherwise, if you want to use a custom client altogether, you can pass it to the provider.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';
import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';

const client = new SecretsManagerClient({ region: 'eu-west-1' });
const secretsProvider = new SecretsProvider({
 awsSdkV3Client: client,
});

This object must be an instance of the AWS SDK v3 for JavaScript Secrets Manager client.

For more usage examples, see our documentation.

Implements

See

https://docs.powertools.aws.dev/lambda/typescript/latest/utilities/parameters/

Hierarchy

Constructors

constructor

Properties

client envVarsService store

Methods

_get _getMultiple addToCache clearCache get getMultiple hasKeyExpiredInCache

Constructors

constructor

Properties

client

client: SecretsManagerClient

envVarsService

envVarsService: EnvironmentVariablesService

Protected store

store: Map<string, ExpirableValue>

Methods

Protected _get

  • _get(name, options?): Promise<undefined | string | Uint8Array>

  • Retrieve a configuration from AWS Secrets Manager.

    Parameters

    • name: string

      Name of the configuration or its ID

    • Optional options: SecretsGetOptions

      SDK options to propagate to the AWS SDK v3 for JavaScript client

    Returns Promise<undefined | string | Uint8Array>

Protected _getMultiple

  • _getMultiple(_path, _options?): Promise<void>

  • Retrieving multiple parameter values is not supported with AWS Secrets Manager.

    Parameters

    • _path: string
    • Optional _options: unknown

    Returns Promise<void>

    Throws

    Not Implemented Error.

addToCache

  • Add a value to the cache.

    Parameters

    • key: string

      Key of the cached value

    • value: unknown

      Value to be cached

    • maxAge: number

      Maximum age in seconds for the value to be cached

    Returns void

clearCache

get

  • Retrieve a secret from AWS Secrets Manager.

    Type Parameters

    Parameters

    • name: string

      The name of the secret

    • Optional options: Object

      Options to customize the retrieval of the secret

    Returns Promise<undefined | SecretsGetOutput<ExplicitUserProvidedType, InferredFromOptionsType>>

    Example

    import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

    const secretsProvider = new SecretsProvider();

    export const handler = async (): Promise<void> => {
      // Retrieve a secret
      const secret = await secretsProvider.get('my-secret');
    };

    You can customize the retrieval of the secret by passing options to the function:

    • maxAge - The maximum age of the value in cache before fetching a new one (in seconds) (default: 5)
    • forceFetch - Whether to always fetch a new value from the store regardless if already available in cache
    • transform - Whether to transform the value before returning it. Supported values: json, binary
    • sdkOptions - Extra options to pass to the AWS SDK v3 for JavaScript client

    For usage examples check SecretsProvider.

    See

    https://docs.powertools.aws.dev/lambda/typescript/latest/utilities/parameters/

getMultiple

  • Retrieving multiple parameter values is not supported with AWS Secrets Manager.

    Parameters

    • path: string
    • Optional _options: unknown

    Returns Promise<void>

hasKeyExpiredInCache

  • Check whether a key has expired in the cache or not.

    It returns true if the key is expired or not present in the cache.

    Parameters

    • key: string

      Stringified representation of the key to retrieve

    Returns boolean

Settings

Member Visibility

Theme

On This Page

Generated using TypeDoc