Hi folks - I'd like to use AWS Secrets Manager to auto-generate a password. However I also need access to that secret value later in my pulumi script as it's a required input when creating the dependent resource. Is this possible?

It is possible. Depends a bit what you are trying to achieve. If you want to pass the raw secret value somewhere else - you can do that just by paid my the same value you used as an input to the SecretValue. If you instead want to pass the id of the secret, so that some other resource can look up the secret value, you can pass

<http://secret.id|secret.id>

or similar. If you have a code snippet of what you are trying - happy to provide more concrete suggestion.

Thanks @white-balloon-205. In the CDK I'd normally do something like the following to generate a new key/value secret.

const secret = new Secret(construct, 'my-secret-name', {
    generateSecretString: {
        excludePunctuation: true,
        generateStringKey: 'password',
    },
});

When I'm doing this, I generally use

pulumi.Random

to generate the password: https://www.pulumi.com/docs/reference/pkg/random/randompassword/ this marks it as secret and encrypts it in the Pulumi state, then I store that password in secrets manager

Yup, cool - that'll work @billowy-army-68599. The other bit I was missing on re-reading the docs is it looks like I have to create the secret and first version separately (in the CDK it's one call).

cdk has a contruct which wraps all of the unique calls, you could build a component resource which looks very similar to the construct, but we expose the base resources and don't have a component resource to wrap it yet

np. I'll give it a spin and report back if I have any further qtns/ issues. Thanks for your prompt help!