 

CloudFormation Secrets


I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.

SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/

It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."

Is there really no way to use CloudFormation to securely manage secrets as code?

Tim asked Jan 22 '20 17:01



1 Answer

You can use the Secret resource in CloudFormation to create SecretsManager secrets. There is a way to generate a value in the SecretString (which uses the GenerateRandomPassword API). Look at the GenerateSecretString property.

That should help you with generating a password without hardcoding it in a template.

There is also a RotationSchedule resource to help you set up automatic rotation for your secret.

To use the secret values stored in a SecretsManager secret or Parameter Store parameter, use dynamic references. Dynamic refs guarantee that the secret value is not logged in CFN or displayed in the console.

There is no way to create/generate a SecureString parameter in Parameter Store/Systems Manager currently.

Parimal answered Oct 02 '22 16:10
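The pattern the answer describes, as an added example template (not the answerer's own code): a secret whose value is generated by GenerateSecretString, consumed by an RDS instance through a secretsmanager dynamic reference so the plaintext never appears in the template or the console's template view, and rotated on a RotationSchedule. The secret name, username, engine and rotation interval are assumed values; the hosted rotation Lambda needs network access to the database, so a real deployment would add its VPC settings.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Required for HostedRotationLambda on the RotationSchedule below
Transform: AWS::SecretsManager-2020-07-23
Description: Secret generated at deploy time, never written into the template (added example)

Resources:
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db                      # assumed name
      Description: RDS master credentials, password generated by Secrets Manager
      GenerateSecretString:
        # Static, non-sensitive part of the JSON secret
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password             # key that receives the random value
        PasswordLength: 32
        # RDS master passwords may not contain / @ " or space
        ExcludeCharacters: '"@/\ '

  # Consumer: CloudFormation resolves the dynamic reference at deploy time,
  # so neither the template body nor the stack's template view holds the password.
  DbInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres                          # assumed engine
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"

  # Records host/port/engine in the secret so rotation knows which database to update
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref DbInstance
      TargetType: AWS::RDS::DBInstance

  # Automatic rotation using the AWS-managed single-user Postgres rotation function
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser
      RotationRules:
        AutomaticallyAfterDays: 30              # assumed interval
```

Note that the dynamic reference is resolved only when the stack is created or updated, so a rotated password is not picked up by the consuming resource until the next stack update that touches that property.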