Applicable when
- You don't want your application secrets to be exposed in the repository code
Manually create an AWS Secrets Manager secret
- Go to AWS Secrets Manager
- Click on Store a new secret
- For the secret type choose whatever fits your case; in most cases you will need "Other type of secrets", because an application usually holds several kinds of secrets (e.g. not only database credentials)
- Add at least one secret key/value
- Click Next
- Add a secret name and, optionally, a description
- Click Next
- Skip the next step (Configure automatic rotation) by clicking Next; the default option, Disable automatic rotation, should already be selected
- On the Review step, click Store
Visualize your secrets
- Go to AWS Secrets Manager
- Click on your secret in the list
- Click Retrieve secret value to display your secrets
- From here you can view and edit your secrets
Consuming secrets in a CDK implementation
In your cdk.json or cdk.context.json create a key named secretCredentialsArn whose value is the ARN of the secret you created in AWS Secrets Manager. Only this ARN (a reference to the secret, not the secret itself) is committed to the repository.
```typescript
import { ISecret, Secret } from '@aws-cdk/aws-secretsmanager';
import { Construct } from '@aws-cdk/core';

export class Secret5k extends Construct {
  // Reference to the existing secret; the secret value itself never enters the code base.
  public readonly credentials: ISecret;

  constructor(scope: Construct) {
    super(scope, 'Secret');
    // The ARN is read from cdk.json / cdk.context.json. Note that String() turns a
    // missing context key into the literal "undefined" rather than failing at synth time.
    // Later @aws-cdk v1 releases deprecate fromSecretArn in favour of fromSecretCompleteArn.
    this.credentials = Secret.fromSecretArn(
      this,
      'SampleCredentials',
      String(this.node.tryGetContext('secretCredentialsArn')),
    );
  }
}
```
Then whenever you need to consume a specific secret just invoke it like this:
```typescript
// this.secrets is an instance of Secret5k; the result is a deploy-time reference, not the plaintext value
this.secrets.credentials.secretValueFromJson('defaultPassword').toString()
```
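The construct above casts whatever is in the context to a string, so a missing or malformed secretCredentialsArn only surfaces as a deploy failure. The following is an added example (not code from the original article or from the AWS CDK project) of the checks you can run in front of Secret.fromSecretArn: fail fast when the context key is absent, accept only values shaped like a Secrets Manager ARN, and flag context entries that look like credentials committed inline instead of as a reference. It also builds the CloudFormation dynamic-reference string (documented `{{resolve:secretsmanager:...}}` syntax) that stands in for a secret value in a synthesized template. The context objects, account id and secret name are constructed placeholders; the code has no CDK dependency, so it runs on plain Node.

```typescript
// Context key the article tells you to add to cdk.json / cdk.context.json.
const CONTEXT_KEY = "secretCredentialsArn";

// Shape of a Secrets Manager ARN: arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>
const SECRET_ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):secretsmanager:[a-z0-9-]+:\d{12}:secret:[^\s:]+$/;

function isSecretsManagerArn(value: unknown): value is string {
  return typeof value === "string" && SECRET_ARN_RE.test(value);
}

// Read and validate the ARN from a cdk.json-style context object. Unlike a bare
// String(this.node.tryGetContext(...)) cast, a missing key throws at synth time
// instead of producing the string "undefined".
function readSecretArn(context: Record<string, unknown>): string {
  const raw = context[CONTEXT_KEY];
  if (raw === undefined || raw === null || raw === "") {
    throw new Error(`context key "${CONTEXT_KEY}" is missing; add it to cdk.json`);
  }
  if (!isSecretsManagerArn(raw)) {
    throw new Error(`context key "${CONTEXT_KEY}" is not a Secrets Manager ARN: ${String(raw)}`);
  }
  return raw;
}

// Repo-hygiene check: context keys whose names suggest a credential but whose values
// are not ARNs, i.e. the secret itself may have been committed instead of a reference.
const CREDENTIAL_NAME_RE = /(password|passwd|secret|token|apikey|api_key|privatekey)/i;

function findPlaintextCredentialKeys(context: Record<string, unknown>): string[] {
  return Object.entries(context)
    .filter(([key, value]) => CREDENTIAL_NAME_RE.test(key) && !isSecretsManagerArn(value))
    .map(([key]) => key)
    .sort();
}

// Deploy-time reference CloudFormation resolves for one JSON key of the secret.
// This string, not the secret value, is what ends up in the template.
function secretJsonKeyReference(secretArn: string, jsonKey: string): string {
  if (!isSecretsManagerArn(secretArn)) throw new Error("not a Secrets Manager ARN");
  if (!/^[A-Za-z0-9_.-]+$/.test(jsonKey)) throw new Error("unexpected characters in JSON key");
  return `{{resolve:secretsmanager:${secretArn}:SecretString:${jsonKey}}}`;
}

// Constructed sample context (placeholder account id and secret name, not real values).
const SAMPLE_CONTEXT: Record<string, unknown> = {
  secretCredentialsArn:
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:sample-app-credentials-AbCdEf",
  appName: "sample-app",
};

// Constructed context that mistakenly carries a credential inline.
const LEAKY_CONTEXT: Record<string, unknown> = {
  ...SAMPLE_CONTEXT,
  defaultPassword: "placeholder-not-a-real-password",
};

const sampleArn = readSecretArn(SAMPLE_CONTEXT);
console.log(secretJsonKeyReference(sampleArn, "defaultPassword"));
console.log("plaintext credential keys:", findPlaintextCredentialKeys(LEAKY_CONTEXT));
```

Run the checks from your CDK app's entry point (or a pre-synth script) against the parsed cdk.json, and treat any key returned by findPlaintextCredentialKeys as a blocker: the only credential-related entry that belongs in the repository is the ARN.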