Class SecretsProvider

Intro

The Parameters utility provides a SecretsProvider that allows to retrieve secrets from AWS Secrets Manager.

Getting started

This utility supports AWS SDK v3 for JavaScript only (@aws-sdk/client-secrets-manager). This allows the utility to be modular, and you to install only the SDK packages you need and keep your bundle size small.

Basic usage

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret
  const secret = await secretsProvider.get('my-secret');
};

If you want to retrieve secrets without customizing the provider, you can use the getSecret function instead.

Advanced usage

Caching

By default, the provider will cache parameters retrieved in-memory for 5 seconds. You can adjust how long values should be kept in cache by using the maxAge parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and cache it for 10 seconds
  const secret = await secretsProvider.get('my-secret', { maxAge: 10 });
};

If instead you'd like to always ensure you fetch the latest parameter from the store regardless if already available in cache, use the forceFetch parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and always fetch the latest value
  const secret = await secretsProvider.get('my-secret', { forceFetch: true });
};

Transformations

For parameters stored in JSON or Base64 format, you can use the transform argument for deserialization.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and parse it as JSON
  const secret = await secretsProvider.get('my-secret', { transform: 'json' });
};

Extra SDK options

When retrieving a secret, you can pass extra options to the AWS SDK v3 for JavaScript client by using the sdkOptions parameter.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret and pass extra options to the AWS SDK v3 for JavaScript client
  const secret = await secretsProvider.get('my-secret', {
    sdkOptions: {
      VersionId: 1,
    },
  });
};

This object accepts the same options as the AWS SDK v3 for JavaScript Secrets Manager client.

Customize AWS SDK v3 for JavaScript client

By default, the provider will create a new Secrets Manager client using the default configuration.

You can customize the client by passing a custom configuration object to the provider.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider({
 clientConfig: { region: 'eu-west-1' },
});

This object accepts the same options as the AWS SDK v3 for JavaScript Secrets Manager client.

Otherwise, if you want to use a custom client altogether, you can pass it to the provider.

Example

import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';
import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';

const client = new SecretsManagerClient({ region: 'eu-west-1' });
const secretsProvider = new SecretsProvider({
 awsSdkV3Client: client,
});

This object must be an instance of the AWS SDK v3 for JavaScript Secrets Manager client.

For more usage examples, see our documentation.

See

https://docs.powertools.aws.dev/lambda/typescript/latest/utilities/parameters/

Hierarchy (View Summary)

BaseProvider
- SecretsProvider

Index

Constructors

constructor

new SecretsProvider(config?: SecretsProviderOptions): SecretsProvider
It initializes the SecretsProvider class.
Parameters
- Optionalconfig: SecretsProviderOptions
  The configuration object.
Returns SecretsProvider
Overrides BaseProvider.constructor
- Defined in parameters/src/secrets/SecretsProvider.ts:154

Properties

client

client: SecretsManagerClient

envVarsService

envVarsService: EnvironmentVariablesService

`Protected`store

store: Map<string, ExpirableValue>

Methods

`Protected`_get

_get(
name: string,
options?: SecretsGetOptions,
): Promise<undefined | string | Uint8Array<ArrayBufferLike>>
Retrieve a configuration from AWS Secrets Manager.
Parameters
- name: string
  Name of the configuration or its ID
- Optionaloptions: SecretsGetOptions
  SDK options to propagate to the AWS SDK v3 for JavaScript client
Returns Promise<undefined | string | Uint8Array<ArrayBufferLike>>
Overrides BaseProvider._get
- Defined in parameters/src/secrets/SecretsProvider.ts:224

`Protected`_getMultiple

_getMultiple(
_path: string,
_options?: unknown,
): Promise<undefined | Record<string, unknown>>
Retrieving multiple parameter values is not supported with AWS Secrets Manager.
Parameters
- _path: string
- Optional_options: unknown
Returns Promise<undefined | Record<string, unknown>>
Throws
Not Implemented Error.
Overrides BaseProvider._getMultiple
- Defined in parameters/src/secrets/SecretsProvider.ts:247

addToCache

addToCache(key: string, value: unknown, maxAge: number): void
Add a value to the cache.
Parameters
- key: string
  Key of the cached value
- value: unknown
  Value to be cached
- maxAge: number
  Maximum age in seconds for the value to be cached
Returns void
Inherited from BaseProvider.addToCache
- Defined in parameters/src/base/BaseProvider.ts:76

clearCache

clearCache(): void
Clear the cache.

Returns void
Inherited from BaseProvider.clearCache
- Defined in parameters/src/base/BaseProvider.ts:85

get

get<
    ExplicitUserProvidedType = undefined,
    InferredFromOptionsType extends SecretsGetOptions = SecretsGetOptions,
>(
    name: string,
    options?: InferredFromOptionsType & SecretsGetOptions,
): Promise<
    | undefined
    | SecretsGetOutput<ExplicitUserProvidedType, InferredFromOptionsType>,
>
Retrieve a secret from AWS Secrets Manager.
Type Parameters
- ExplicitUserProvidedType = undefined
- InferredFromOptionsType extends SecretsGetOptions = SecretsGetOptions
Parameters
- name: string
  The name of the secret
- Optionaloptions: InferredFromOptionsType & SecretsGetOptions
  Options to customize the retrieval of the secret
Returns Promise<
| undefined
| SecretsGetOutput<ExplicitUserProvidedType, InferredFromOptionsType>,
>
Example
```
import { SecretsProvider } from '@aws-lambda-powertools/parameters/secrets';

const secretsProvider = new SecretsProvider();

export const handler = async (): Promise<void> => {
  // Retrieve a secret
  const secret = await secretsProvider.get('my-secret');
};
```
You can customize the retrieval of the secret by passing options to the function:
- maxAge - The maximum age of the value in cache before fetching a new one (in seconds) (default: 5)
- forceFetch - Whether to always fetch a new value from the store regardless if already available in cache
- transform - Whether to transform the value before returning it. Supported values: json, binary
- sdkOptions - Extra options to pass to the AWS SDK v3 for JavaScript client
For usage examples check SecretsProvider.
See
https://docs.powertools.aws.dev/lambda/typescript/latest/utilities/parameters/
Overrides BaseProvider.get
- Defined in parameters/src/secrets/SecretsProvider.ts:190

getMultiple

getMultiple(path: string, _options?: unknown): Promise<void>
Retrieving multiple parameter values is not supported with AWS Secrets Manager.
Parameters
- path: string
- Optional_options: unknown
Returns Promise<void>
Overrides BaseProvider.getMultiple
- Defined in parameters/src/secrets/SecretsProvider.ts:211

hasKeyExpiredInCache

hasKeyExpiredInCache(key: string): boolean
Check whether a key has expired in the cache or not.

It returns true if the key is expired or not present in the cache.
Parameters
- key: string
  Stringified representation of the key to retrieve
Returns boolean
Inherited from BaseProvider.hasKeyExpiredInCache
- Defined in parameters/src/base/BaseProvider.ts:193

Class SecretsProvider

Intro

Getting started

Basic usage

Example

Advanced usage

Caching

Example

Example

Transformations

Example

Extra SDK options

Example

Customize AWS SDK v3 for JavaScript client

Example

Example

See

Hierarchy (View Summary)

Index

Constructors

Properties

Methods

Constructors

constructor

Parameters

Returns SecretsProvider

Properties

client

envVarsService

Protectedstore

Methods

Protected_get

Parameters

Returns Promise<undefined | string | Uint8Array<ArrayBufferLike>>

Protected_getMultiple

Parameters

Returns Promise<undefined | Record<string, unknown>>

Throws

addToCache

Parameters

Returns void

clearCache

Returns void

get

Type Parameters

Parameters

Returns Promise< | undefined | SecretsGetOutput<ExplicitUserProvidedType, InferredFromOptionsType>,>

Example

See

getMultiple

Parameters

Returns Promise<void>

hasKeyExpiredInCache

Parameters

Returns boolean

Settings

On This Page

`Protected`store

`Protected`_get

`Protected`_getMultiple

Returns Promise<
| undefined
| SecretsGetOutput<ExplicitUserProvidedType, InferredFromOptionsType>,
>