Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Secrets Manager - DocumentDB Construct

See original GitHub issue

❓ General Issue

Secret’s value is not passed into a construct for DocumentDB, rather the whole SecretString is passed instead.

The Question

How does one resolve a SecretString from SecretsManager into a construct for DocumentDB? Is this possible?

It passes : {resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::} but not the actual value


    // Get Secret Values for Username and Password
    const secret = sm.Secret.fromSecretAttributes(this, 'cdk/docdb', {
      secretArn: '',

    const credentials = {
      username : secret.secretValueFromJson('username'),
      password : secret.secretValueFromJson('password') 


  // Create documentdb cluster
    const sfDocCluster = new docdb.CfnDBCluster(
        storageEncrypted: true,
        availabilityZones: vpc.availabilityZones.splice(3),
        dbClusterIdentifier: "StorefrontDocdbCluster",
        masterUsername: credentials.username,
        masterUserPassword: credentials.password,
        vpcSecurityGroupIds: [sfSecurityGroup.securityGroupName],
        dbSubnetGroupName: sfSubnetGroup.dbSubnetGroupName,

Console Result:

StorefrontDocdbCluster Property validation failure: 

[Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::}}} for property {/MasterUserPassword} is greater than maximum allowed length {41}, 

Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****:secret:cdk/docdb-****:SecretString:username::}}} for property {/MasterUsername} is greater than maximum allowed length {63}]


  • CDK CLI Version: 1.5
  • Module Version:
  • OS: OSX Mojave
  • Language: TypeScript

Other information

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:11 (7 by maintainers)

github_iconTop GitHub Comments

jogoldcommented, Aug 23, 2019

I don’t know, the documentation says:

The secretsmanager dynamic reference can be used in all resource properties.

But apparently there are some bugs here and there.

jogoldcommented, Oct 18, 2019

This is an issue with CloudFormation itself and how it resolves/validates username and password for a AWS::DocDB::DBCluster, see aws-cloudformation/aws-cloudformation-coverage-roadmap#94 and

Read more comments on GitHub >

github_iconTop Results From Across the Web

How Amazon DocumentDB (with MongoDB compatibility ...
In Amazon DocumentDB, users authenticate to a cluster in conjunction with a password. With AWS Secrets Manager, you can replace hardcoded credentials in ......
Read more >
AWS Secrets Manager integration
Create a secret in Secrets Manager that contains your Amazon DocumentDB cluster name, username, and password. Securely access your Amazon DocumentDB cluster ...
Read more >
AWS Secrets Manager in Use for DocumentDB Databases
With Amazon Secrets Manager you can secure and manage database credentials used to access DocumentDB database clusters provisioned in your AWS ...
Read more >
Amazon DocumentDB and AWS Secrets Manager Integration
In this video, you will learn how to leverage AWS secrets manager to store and rotate credentials for Amazon DocumentDB.
Read more >
Create an Amazon Secrets Manager secret with automatic ...
This example creates a secret and an Amazon DocumentDB instance using the credentials in the secret as the user and password. The secret...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found