AmazonSecrets Class
Properties Methods Events Configuration Settings Errors
The AmazonSecrets class provides an easy-to-use interface for Amazon's Secrets Manager service.
Syntax
cloudkeys.amazonsecrets()
Remarks
The AmazonSecrets class makes it easy to work with the Amazon Secrets Manager service in a secure manner using TLS. Amazon Secrets Manager allows you to securely store secrets (e.g., passwords, symmetric keys, etc.) in the cloud so that the aren't persisted locally. This class helps you to create, manage, and access those secrets.
To begin, register for an AWS account and obtain an AccessKey and SecretKey to use for authentication.
Resource Terminology
A secret in Amazon Secrets Manager is a container for one or more secret versions, which is where secret data is actually stored. Each secret version can have between zero and 20 staging labels attached to it at any given time.
A staging label is a simple string that can be used instead of a version Id to refer to a particular secret version when retrieving secret data. A staging label can only be attached to one version of a secret at any given time. The server ensures that there is always exactly one version of a secret with the special staging label AWSCURRENT, but otherwise you are free to apply any staging labels to any secret versions you choose.
Secret versions that do not have any staging labels attached to them are considered deprecated, and the server may delete them at any time without warning. Deprecated secret versions are not shown in a secret's version list unless explicitly asked for.
Using the Class
The CreateSecret method will create a new secret with an initial secret version that holds the specified secret data. To change a secret's data, create a new version of it using the CreateVersion method.
To retrieve a secret's data, call the GetSecret method, and specify the specific version (either by Id or using a staging label) whose data should be retrieved. If no particular version is specified, the version with the AWSCURRENT staging label is used.
Secrets that will no longer be used can be deleted using the DeleteSecret method, either immediately or after a waiting period. If a secret is scheduled for deletion later, then during said waiting period the deletion can be canceled using CancelDeletion.
// Creates a new secret with the textual data "Test123" named MySecret.
// The initial secret version will have only the "AWSCURRENT" staging label.
amazonsecrets.SecretString = "Test123";
amazonsecrets.CreateSecret("MySecret", "A description of my secret.");
// Creates a new secret version with the textual data "Cats456" and
// attaches the staging labels "AWSCURRENT" (which gets moved from the previous version)
// and "best-version" to it.
amazonsecrets.SecretString = "Cats456";
amazonsecrets.CreateVersion("MySecret", "AWSCURRENT,best-version");
// Downloads the latest secret version's data to a local file.
amazonsecrets.LocalFile = "C:\temp\secret.txt";
amazonsecrets.GetSecret("MySecret", "", "");
// Schedules the secret, and all its versions, for deletion after 10 days.
amazonsecrets.DeleteSecret("MySecret", 10);
// Cancels the scheduled deletion.
amazonsecrets.CancelDeletion("MySecret");
To list secrets, use the ListSecrets method. To list a secret's versions, use the ListVersions method.
// If there are many secrets to list, there may be multiple pages of results. This will
// cause all pages of results to be accumulated into the Secrets collection property.
do {
amazonsecrets.ListSecrets();
} while (!string.IsNullOrEmpty(amazonsecrets.SecretMarker));
// A similar thing applies to secret versions as well.
do {
amazonsecrets.ListVersions("MySecret");
} while (!string.IsNullOrEmpty(amazonsecrets.VersionMarker));
The class also supports other functionality, including:
- Adding, removing, and moving staging labels between secret versions using MoveStagingLabel.
- Retrieval of information for a single secret with GetSecretInfo.
- Random password generation using GenRandomPassword.
- And more!
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| AccessKey | The access key to use for authentication. |
| FirewallAutoDetect | This property tells the class whether or not to automatically detect and use firewall system settings, if available. |
| FirewallType | This property determines the type of firewall to connect through. |
| FirewallHost | This property contains the name or IP address of firewall (optional). |
| FirewallPassword | This property contains a password if authentication is to be used when connecting through the firewall. |
| FirewallPort | This property contains the TCP port for the firewall Host . |
| FirewallUser | This property contains a user name if authentication is to be used connecting through a firewall. |
| Idle | The current status of the class. |
| LocalFile | The local file to write data to, or whose data should be sent. |
| LocalHost | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
| OtherHeaders | Other headers as determined by the user (optional). |
| Overwrite | Whether the local file should be overwritten if necessary. |
| ParsedHeaderCount | The number of records in the ParsedHeader arrays. |
| ParsedHeaderField | This property contains the name of the HTTP header (same case as it is delivered). |
| ParsedHeaderValue | This property contains the header contents. |
| ProxyAuthScheme | This property is used to tell the class which type of authorization to perform when connecting to the proxy. |
| ProxyAutoDetect | This property tells the class whether or not to automatically detect and use proxy system settings, if available. |
| ProxyPassword | This property contains a password if authentication is to be used for the proxy. |
| ProxyPort | This property contains the TCP port for the proxy Server (default 80). |
| ProxyServer | If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified. |
| ProxySSL | This property determines when to use SSL for the connection to the proxy. |
| ProxyUser | This property contains a user name, if authentication is to be used for the proxy. |
| QueryParamCount | The number of records in the QueryParam arrays. |
| QueryParamName | The name of the query parameter. |
| QueryParamValue | The value of the query parameter. |
| Region | The region that the class will make requests against. |
| SecretData | The binary secret data that was retrieved or that should be sent. |
| SecretKey | The secret key to use for authentication. |
| SecretMarker | A marker indicating what page of secrets to return next. |
| SecretCount | The number of records in the Secret arrays. |
| SecretARN | The Amazon resource name (ARN) of the secret. |
| SecretCreationDate | The creation date of the secret. |
| SecretDeletionDate | The deletion date of the secret. |
| SecretDescription | The secret's description. |
| SecretKMSKeyId | The ARN or alias of the Amazon KMS CMK used to encrypt the secret. |
| SecretLastAccessDate | The last access date of the secret. |
| SecretLastChangeDate | The last change date of the secret. |
| SecretName | The name of the secret. |
| SecretOwningService | The name of the service that created the secret. |
| SecretString | The textual secret data that was retrieved or that should be sent. |
| SSLAcceptServerCertEncoded | The certificate (PEM/base64 encoded). |
| SSLCertEncoded | The certificate (PEM/base64 encoded). |
| SSLCertStore | The name of the certificate store for the client certificate. |
| SSLCertStorePassword | If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store. |
| SSLCertStoreType | The type of certificate store for this certificate. |
| SSLCertSubject | The subject of the certificate used for client authentication. |
| SSLServerCertEncoded | The certificate (PEM/base64 encoded). |
| Timeout | A timeout for the class. |
| VersionMarker | A marker indicating what page of secret versions to return next. |
| VersionCount | The number of records in the Version arrays. |
| VersionCreationDate | The creation date of the secret version. |
| VersionLastAccessDate | The last access date of the secret version. |
| VersionSecretARN | The Amazon resource name (ARN) of the secret this is a version of. |
| VersionSecretName | The name of the secret that this is a version of. |
| VersionStagingLabels | The staging labels attached to the secret version. |
| VersionVersionId | The Id of the secret version. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| AddQueryParam | Adds a query parameter to the QueryParams properties. |
| CancelDeletion | Cancels the deletion of a secret. |
| Config | Sets or retrieves a configuration setting. |
| CreateSecret | Creates a new secret. |
| CreateVersion | Creates a new secret version. |
| DeleteSecret | Deletes a secret and all of its versions. |
| DoEvents | Processes events from the internal message queue. |
| GenRandomPassword | Returns a server-generated random password that complies with the given criteria. |
| GetSecret | Retrieves a secret version's data. |
| GetSecretInfo | Gets information about a secret. |
| ListSecrets | Lists secrets in the current account and region. |
| ListVersions | List the secret versions for the specified secret. |
| MoveStagingLabel | Adds, removes, or moves a staging label. |
| Reset | Resets the class to its initial state. |
| SendCustomRequest | Sends a custom request to the server. |
| UpdateSecret | Updates a secret's information. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| EndTransfer | Fired when a document finishes transferring. |
| Error | Information about errors during data delivery. |
| Header | Fired every time a header line comes in. |
| Log | Fires once for each log message. |
| SecretList | Fires once for each secret when listing secrets. |
| SSLServerAuthentication | Fired after the server presents its certificate to the client. |
| SSLStatus | Shows the progress of the secure connection. |
| StartTransfer | Fired when a document starts transferring (after the headers). |
| Transfer | Fired while a document transfers (delivers document). |
| VersionList | Fires once for each secret version when listing secret versions. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
| AccumulatePages | Whether the class should accumulate subsequent pages of results when listing them. |
| AlwaysParseVersions | Whether to parse version information when listing secrets. |
| AWSProfile | The name of the AWS CLI profile that the class should use to obtain authentication and region information. |
| AWSProfileDir | The location of the AWS CLI credentials and config files. |
| IncludeDeleted | Whether to include secrets scheduled for deletion when listing secrets. |
| IncludeDeprecated | Whether to include deprecated version when listing versions. |
| KMSKeyId | The Id of the Amazon KMS CMK that should be used to encrypt a secret. |
| MaxSecrets | The maximum number of results to return when listing secrets. |
| PreferBinary | Whether the class should treat secret data as binary or textual in ambiguous situations. |
| RawRequest | Returns the data that was sent to the server. |
| RawResponse | Returns the data that was received from the server. |
| SessionToken | The session token to send in the request when using temporary credentials. |
| UseEC2RoleCredentials | Whether to authenticate requests with credentials obtained from the IAM role attached to the EC2 instance. |
| UseFIPSEndpoint | Whether to use the FIPs endpoint to communicate with the server. |
| XChildCount | The number of child elements of the current element. |
| XChildName[i] | The name of the child element. |
| XChildXText[i] | The inner text of the child element. |
| XElement | The name of the current element. |
| XParent | The parent of the current element. |
| XPath | Provides a way to point to a specific element in the returned XML or JSON response. |
| XSubTree | A snapshot of the current element in the document. |
| XText | The text of the current element. |
| AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
| AllowHTTPCompression | This property enables HTTP compression for receiving data. |
| AllowHTTPFallback | Whether HTTP/2 connections are permitted to fallback to HTTP/1.1. |
| Append | Whether to append data to LocalFile. |
| Authorization | The Authorization string to be sent to the server. |
| BytesTransferred | Contains the number of bytes transferred in the response data. |
| ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
| CompressHTTPRequest | Set to true to compress the body of a PUT or POST request. |
| EncodeURL | If set to true the URL will be encoded by the class. |
| FollowRedirects | Determines what happens when the server issues a redirect. |
| GetOn302Redirect | If set to true the class will perform a GET on the new location. |
| HTTP2HeadersWithoutIndexing | HTTP2 headers that should not update the dynamic header table with incremental indexing. |
| HTTPVersion | The version of HTTP used by the class. |
| IfModifiedSince | A date determining the maximum age of the desired document. |
| KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
| KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
| LogLevel | The level of detail that is logged. |
| MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
| NegotiatedHTTPVersion | The negotiated HTTP version. |
| OtherHeaders | Other headers as determined by the user (optional). |
| ProxyAuthorization | The authorization string to be sent to the proxy server. |
| ProxyAuthScheme | The authorization scheme to be used for the proxy. |
| ProxyPassword | A password if authentication is to be used for the proxy. |
| ProxyPort | Port for the proxy server (default 80). |
| ProxyServer | Name or IP address of a proxy server (optional). |
| ProxyUser | A user name if authentication is to be used for the proxy. |
| SentHeaders | The full set of headers as sent by the client. |
| StatusLine | The first line of the last response from the server. |
| TransferredData | The contents of the last response from the server. |
| TransferredDataLimit | The maximum number of incoming bytes to be stored by the class. |
| TransferredHeaders | The full set of headers as received from the server. |
| TransferredRequest | The full request as sent by the client. |
| UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
| UseIDNs | Whether to encode hostnames to internationalized domain names. |
| UsePlatformHTTPClient | Whether or not to use the platform HTTP client. |
| UserAgent | Information about the user agent (browser). |
| ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
| FirewallAutoDetect | Tells the class whether or not to automatically detect and use firewall system settings, if available. |
| FirewallHost | Name or IP address of firewall (optional). |
| FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
| FirewallPort | The TCP port for the FirewallHost;. |
| FirewallType | Determines the type of firewall to connect through. |
| FirewallUser | A user name if authentication is to be used connecting through a firewall. |
| KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
| KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
| Linger | When set to True, connections are terminated gracefully. |
| LingerTime | Time in seconds to have the connection linger. |
| LocalHost | The name of the local host through which connections are initiated or accepted. |
| LocalPort | The port in the local host where the class binds. |
| MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
| MaxTransferRate | The transfer rate limit in bytes per second. |
| ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
| TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
| TcpNoDelay | Whether or not to delay when sending packets. |
| UseIPv6 | Whether to use IPv6. |
| LogSSLPackets | Controls whether SSL packets are logged when using the internal security API. |
| OpenSSLCADir | The path to a directory containing CA certificates. |
| OpenSSLCAFile | Name of the file containing the list of CA's trusted by your application. |
| OpenSSLCipherList | A string that controls the ciphers to be used by SSL. |
| OpenSSLPrngSeedData | The data to seed the pseudo random number generator (PRNG). |
| ReuseSSLSession | Determines if the SSL session is reused. |
| SSLCACertFilePaths | The paths to CA certificate files on Unix/Linux. |
| SSLCACerts | A newline separated list of CA certificate to use during SSL client authentication. |
| SSLCheckCRL | Whether to check the Certificate Revocation List for the server certificate. |
| SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
| SSLEnabledCipherSuites | The cipher suite to be used in an SSL negotiation. |
| SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
| SSLEnableRenegotiation | Whether the renegotiation_info SSL extension is supported. |
| SSLIncludeCertChain | Whether the entire certificate chain is included in the SSLServerAuthentication event. |
| SSLNegotiatedCipher | Returns the negotiated ciphersuite. |
| SSLNegotiatedCipherStrength | Returns the negotiated ciphersuite strength. |
| SSLNegotiatedCipherSuite | Returns the negotiated ciphersuite. |
| SSLNegotiatedKeyExchange | Returns the negotiated key exchange algorithm. |
| SSLNegotiatedKeyExchangeStrength | Returns the negotiated key exchange algorithm strength. |
| SSLNegotiatedProtocol | Returns the negotiated protocol version. |
| SSLProvider | The name of the security provider to use. |
| SSLSecurityFlags | Flags that control certificate verification. |
| SSLServerCACerts | A newline separated list of CA certificate to use during SSL server certificate validation. |
| TLS12SignatureAlgorithms | Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True. |
| TLS12SupportedGroups | The supported groups for ECC. |
| TLS13KeyShareGroups | The groups for which to pregenerate key shares. |
| TLS13SignatureAlgorithms | The allowed certificate signature algorithms. |
| TLS13SupportedGroups | The supported groups for (EC)DHE key exchange. |
| AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
| FirewallData | Used to send extra data to the firewall. |
| InBufferSize | The size in bytes of the incoming queue of the socket. |
| OutBufferSize | The size in bytes of the outgoing queue of the socket. |
| BuildInfo | Information about the product's build. |
| CodePage | The system code page used for Unicode to Multibyte translations. |
| LicenseInfo | Information about the current license. |
| ProcessIdleEvents | Whether the class uses its internal event loop to process events when the main thread is idle. |
| SelectWaitMillis | The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process. |
| UseInternalSecurityAPI | Tells the class whether or not to use the system security libraries or an internal implementation. |