Reputation: 4077
Create Secrets Manager using CloudFormation but keeping values not visible
I have a CloudFormation template to create a Secret in Secrets Manager. My current template is similar to this (based on aws documentation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html):
{
"Resources": {
"MyCredentials": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "prod/web/api",
"Description": "",
"SecretString": "{
\"Client_id\":\"my_client_id\",
\"Client_secret\":\"a_super_secret_value\"
}"
}
}
}
}
My problem is that I can not use the GenerateSecretString property because the password is defined from an external organization so I can not change or create the value on my own and in this way the secret value can be viewed from the template in CloudFormation.
Is possible to achieve this or I need to create the secrets manually?
Upvotes: 0
Views: 1505
Answers (1)
Reputation: 9625
You can use AWS SSM Parameter, where the external organization has given permissions to add/update password there or someone in the team do the same.
Once the password is there, you read in your cloudformation template either via dynamic references like below,
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
Or static reference something like below :
here Accessing the AvailabilityZone param stored in SSM.
"AvailabilityZone": {
"Description": "Amazon EC2 instance Availablity Zone",
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "AvailabilityZone"
}
More examples in Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates
Upvotes: 1
Related Questions
- How to specify a secret from SecretManager in CloudFormation container definition
- AWS CloudFormation ContainerDefinitions Secrets assigning full SecretString for each variable
- Reading a secret using CloudFormation
- Can I force CloudFormation to resolve values from Secrets Manager?
- Dynamic References to Specify Secret Manager Values in AWS Cloudformation
- Export secret name in cloudformation template
- Reference Secrets Manager Parameters to Secret String
- Reading AWS Secrets in CloudFormation userdata
- Referencing Secrets Manager secret in cloudFormation template
- Using AWS Secrets manager's Secret in Cloudformation