I created a user in my template with an access key:
"MyAccessKey" : {
  "Type" : "AWS::IAM::AccessKey",
  "Properties" : {
    "UserName" : { "Ref" : "User12" }
  }
}
I need to get the access key ID and the secret key in the output of the template. How do I do that? Thank you.
CloudFormation's Outputs documentation states ...
CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.
A safer option is to create an AWS::SecretsManager::Secret resource that contains the user's access and secret keys.
Here's an example of a template for creating "bot" users that leverages this approach ...
---
AWSTemplateFormatVersion: 2010-09-09
Description: example bot user
Resources:
  Bot:
    Type: AWS::IAM::User
    Properties:
      Path: /bot/
      UserName: !Ref AWS::StackName
  BotCredentials:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref Bot
  BotCredentialsStored:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /bot/credentials/${Bot}
      SecretString: !Sub '{"ACCESS_KEY":"${BotCredentials}","SECRET_KEY":"${BotCredentials.SecretAccessKey}"}'
The access key id and the secret key are available as return values for the AWS::IAM::AccessKey resource:
"Outputs" : {
  "MyAccessKeyId": {
    "Value": { "Ref" : "MyAccessKey" }
  },
  "MySecretKey": {
    "Value": { "Fn::GetAtt": [ "MyAccessKey", "SecretAccessKey" ] }
  }
}
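A template check that follows from the documentation warning quoted in the first answer, as an added example that is not part of the original posts: it walks a JSON template's Outputs and reports any output whose Value reaches the SecretAccessKey of an AWS::IAM::AccessKey resource, through Fn::GetAtt or an Fn::Sub string. The function names and the sample template are constructed for illustration.

```python
import json

# Constructed sample template: the IAM user and access key from the question,
# two outputs that expose the secret and two that do not.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "User12": {"Type": "AWS::IAM::User"},
    "MyAccessKey": {"Type": "AWS::IAM::AccessKey", "Properties": {"UserName": {"Ref": "User12"}}}
  },
  "Outputs": {
    "MyAccessKeyId": {"Value": {"Ref": "MyAccessKey"}},
    "MySecretKey": {"Value": {"Fn::GetAtt": ["MyAccessKey", "SecretAccessKey"]}},
    "Joined": {"Value": {"Fn::Join": [":", ["k", {"Fn::Sub": "${MyAccessKey.SecretAccessKey}"}]]}},
    "UserName": {"Value": {"Ref": "User12"}}
  }
}
""")


def _leaks_secret(node, key_ids):
    """True if an intrinsic-function tree references <access key>.SecretAccessKey."""
    if isinstance(node, str):
        # Fn::Sub string form; a plain literal with this text is flagged too (conservative).
        return any("${%s.SecretAccessKey}" % k in node for k in key_ids)
    if isinstance(node, list):
        return any(_leaks_secret(item, key_ids) for item in node)
    if isinstance(node, dict):
        att = node.get("Fn::GetAtt")
        if (isinstance(att, list) and len(att) == 2 and isinstance(att[0], str)
                and att[0] in key_ids and att[1] == "SecretAccessKey"):
            return True
        return any(_leaks_secret(v, key_ids) for v in node.values())
    return False


def find_secret_outputs(template):
    """Sorted names of Outputs whose Value exposes an AWS::IAM::AccessKey secret."""
    key_ids = {name for name, res in template.get("Resources", {}).items()
               if res.get("Type") == "AWS::IAM::AccessKey"}
    return sorted(name for name, out in template.get("Outputs", {}).items()
                  if _leaks_secret(out.get("Value"), key_ids))


if __name__ == "__main__":
    for name in find_secret_outputs(SAMPLE_TEMPLATE):
        print("output exposes SecretAccessKey:", name)
```

The access key ID output (`Ref`) is not reported, since only the `SecretAccessKey` attribute is treated as the secret here.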