Reputation: 3725
In AWS account A, I've created a secret in Secrets Manager; it's a key:value pair with the key `token`. I want to share this secret with any account under my AWS organization, so it has this resource policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "policyForSomething",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxx"
        }
      }
    }
  ]
}
```
Where `o-xxxxxxxxxx` is my organization ID in AWS Organizations. As I understand it, this means that this secret can be accessed by any account in my AWS organization.
I want to pass a dynamic-reference to this secret in a CloudFormation StackSet, as a parameter to a lambda in a different AWS organization.
```yaml
MyCustomResource:
  Type: Custom::MyCustomResource
  Properties:
    ServiceToken: arn:aws:lambda:thatlambdasArn
    Token:
      !Join
        - ''
        - - '{{'
          - 'resolve:secretsmanager:'
          - 'arn:aws:secretsmanager:us-east-1:123456789123:secret:MySecretName-otSgNu:'
          - 'SecretString:token::}}'
```
This resource is a lambda-backed resource. The AWS account invoking this lambda is part of my AWS organization, and therefore should have access to the secret. Please note I'm using `!Join` after trying all sorts of combinations, including:

```yaml
Token: '{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789123:secret:MySecretName-otSgNu:SecretString:token::}}'
```
However, once I create a stack instance in a child account, it seems all I'm getting is that literal string, and CFN isn't even attempting to resolve the secret itself.
Are dynamic references like this not supported for StackSets? Is what I'm trying to do achievable?
Notice: Giving the lambda access to secrets manager is out of the question. The lambda is running in an account under an entirely different organization.
Upvotes: 1
Views: 831
Reputation: 238209
`secretsmanager` dynamic references don't work with custom resources. From the docs:

> Dynamic references for secure values, such as secretsmanager, aren't currently supported in custom resources.

You have to fetch the secret from `secretsmanager` in your lambda function which defines the custom resource.
Upvotes: 1
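An added example (not code from the question or the answer) of what the answer recommends: the Lambda behind the custom resource fetches the secret itself. Since CloudFormation hands custom resources the `{{resolve:secretsmanager:...}}` string unresolved, exactly as the question observed, the handler also parses that literal so either form of the `Token` property works. The boto3 client is an injected assumption and `FakeSecretsManager` is a constructed stand-in so the code runs offline; sending the CloudFormation response is left out.

```python
import json
import re
from typing import Optional

# Shape of the string the question saw arrive unresolved in the custom resource:
# {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>:<version-stage>:<version-id>}}
DYNAMIC_REF = re.compile(r"^\{\{resolve:secretsmanager:(.+)\}\}$")


def parse_secretsmanager_ref(value: str) -> Optional[dict]:
    """Split an unresolved dynamic reference into its fields; None if not one."""
    m = DYNAMIC_REF.match(value.strip())
    if not m:
        return None
    # The secret-id may be an ARN containing ':', so anchor on ':SecretString:'
    # instead of splitting on every colon. Trailing fields may be omitted.
    secret_id, sep, rest = m.group(1).partition(":SecretString:")
    fields = (rest.split(":") + ["", "", ""])[:3] if sep else ["", "", ""]
    return {"secret_id": secret_id, "json_key": fields[0],
            "version_stage": fields[1] or "AWSCURRENT", "version_id": fields[2]}


def fetch_token(value: str, client) -> str:
    """Resolve the Token property in the Lambda itself, not via CFN.
    `value` is the property exactly as CloudFormation passed it (unresolved
    dynamic reference, or a plain secret ARN/name). `client` is a boto3 Secrets
    Manager client (assumption: caller builds it with boto3.client(...)),
    injected so the function also runs offline against a fake."""
    ref = parse_secretsmanager_ref(value) or {
        "secret_id": value, "json_key": "token",
        "version_stage": "AWSCURRENT", "version_id": ""}
    kwargs = {"SecretId": ref["secret_id"]}
    if ref["version_id"]:
        kwargs["VersionId"] = ref["version_id"]
    else:
        kwargs["VersionStage"] = ref["version_stage"]
    secret_string = client.get_secret_value(**kwargs)["SecretString"]
    if not ref["json_key"]:
        return secret_string  # whole SecretString was requested
    return json.loads(secret_string)[ref["json_key"]]


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client, for offline demonstration."""
    def __init__(self, secret_string: str):
        self.secret_string, self.calls = secret_string, []
    def get_secret_value(self, **kwargs):
        self.calls.append(kwargs)
        return {"SecretString": self.secret_string}
```

The Lambda's execution role still needs `secretsmanager:GetSecretValue` allowed by both its IAM policy and the secret's resource policy, so the `aws:PrincipalOrgID` condition from the question would have to cover the account the Lambda runs in.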