Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CloudFormation Secrets

Tags:

I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.

SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/

It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."

Is there really no way to use CloudFormation to securely manage secrets as code?

like image 289
Tim Avatar asked Jan 22 '20 17:01

Tim

People also ask

How do you use secrets in CloudFormation?

To access a secret in your AWS account, you can use the secret name. To access a secret in a different AWS account, use the ARN of the secret. The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key , AWS CloudFormation retrieves the entire secret text.

What are AWS secrets?

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

How do I create AWS secrets?

To create a secret (console)Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ . Choose Store a new secret. On the Choose secret type page, do the following: For Secret type, choose Other type of secret.

1 Answers

You can use the Secret resource in CloudFormation to create SecretsManager secrets. There is a way to generate a value in the SecretString (which uses the GenerateRandomPassword API). Look at the GenerateSecretString property.

That should help you with generating a password without hardcoding it in a template.

There is also a RotationSchedule resource to help you set up automatic rotation for your secret.

To use the secret values stored in a SecretsManager secret or Parameter Store paramter, use dynamic references. Dynamic refs guarantee that the secret value is not logged in CFN or displayed in the console.

There is no way to create/generate a SecureString parameter in Parameter Store/Systems Manager currently.

like image 111
Parimal Avatar answered Oct 02 '22 16:10

Parimal
Sign in to Comment

Related questions

Jlink spring boot
How to prevent assignment to backing fields?
Next.js Import image error Module parse failed: Unexpected character '�' (1:0)
Clean way to retain CoroutineScope through config changes without ViewModel
Correct the classpath of your application so that it contains a single, compatible version of org.springframework.data.jpa.repository.config
How delete a local branch after merging it through a pull request? git-flow, bitbucket, sourcetree
Embedded Youtube video widget disappears while the web page (created by Flutter for Web) is scrolled up or down
What does "synchronization actions are totally ordered" mean?
How to pass checked exception from CompletableFuture to ControllerAdvice
Is it possible to use generic Consumer as function argument in Java?
How can I avoid code duplication in C# while and do-while loops?
How to use UIPreviewParameters to specify a range of text as a highlighted preview for UIContextMenuInteraction without hiding the rest of the view?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!