I am trying to create an AWS stack in CloudFormation having a secret in the JSON.
I don't want the value of the secret displayed in the parameters and I don't want my instance (fargate or ec2) to access the secrets manager. I want CloudFormation to retrieve the value from the secrets manager and inject it in the template during runtime.
This is what I did:
Create a secret
Create a template using Designer
Read the secret and create a resource. In this case I am creating a bucket that has as a tag the secret. I know this is not secure, but the bucket is being used just as a proof of concept.
Validate that the bucket contains a tag with the secret
This is my template:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "create a single S3 bucket",
  "Resources": {
    "SampleBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "asantostestbucket",
        "Tags": [
          {
            "Key": "keyname",
            "Value": "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"
          }
        ]
      }
    }
  }
}
Which is giving me the error One or more tags are not valid.
How can I indicate to CloudFormation that I want it to read the secret, instead of trying to read the tag as text? In other words, replace "{{resolve:secretsmanager:dev/learning:SecretString:hello}}" with the value, instead of reading it as text.
To access a secret in your AWS account, you can use the secret name. To access a secret in a different AWS account, use the ARN of the secret. The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key, AWS CloudFormation retrieves the entire secret text.
You can retrieve your secrets by using the console (https://console.aws.amazon.com/secretsmanager/) or the AWS CLI (get-secret-value). In applications, you can retrieve your secrets by calling GetSecretValue in any of the AWS SDKs. However, we recommend that you cache your secret values by using client-side caching.
AWS CloudFormation provides a set of helper scripts (written in Python) that, in conjunction with the resource metadata you defined in the template, can be used to install software and start services. These helper scripts are run on the Amazon EC2 instance.
An AWS CloudFormation template is a formatted text file in JSON or YAML language that describes your AWS infrastructure. To create, view and modify templates, you can use AWS CloudFormation Designer or any text editor tool.
To reproduce this situation, I did the following:
Created a secret:
Secret name: dev/learning
Key: hello
Value: surprise
Here's the output:
aws secretsmanager get-secret-value --secret-id dev/learning
{
  "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:dev/learning-kCxSK3",
  "Name": "dev/learning",
  "VersionId": "...",
  "SecretString": "{\"hello\":\"surprise\"}",
  "VersionStages": [
    "AWSCURRENT"
  ],
  "CreatedDate": 1560925072.106
}
Result: I received the message One or more tags are not valid.
So, I got the same result as you did.
I then tried creating a different type of resource using the secret:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"
      }
    }
  }
}
This worked successfully:
aws ec2 describe-security-groups --group-id sg-03cfd71f4539a4b7e
{
  "SecurityGroups": [
    {
      "Description": "surprise",
      ...
So, it seems that the {{resolve}} is behaving correctly, but for some reason the S3 Tag doesn't like it.
Bottom line: It is possible, but not advisable.
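As an added example (not code from the question or the answer above), here is a small Python checker that parses the Secrets Manager dynamic-reference syntax quoted earlier and walks a template to report where each reference lands, flagging properties such as Tags or descriptions whose resolved value ends up readable by anyone who can describe the resource. The EXPOSING_KEYS list and the sample template are my own constructions.

```python
import re

# Syntax documented by AWS for Secrets Manager dynamic references:
#   {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
DYN_REF = re.compile(r"\{\{resolve:secretsmanager:([^}]+)\}\}")

# Constructed list of property names readable via plain Describe*/List* calls:
# a secret resolved into one of these is visible to anyone who can describe the resource.
EXPOSING_KEYS = {"Tags", "Description", "GroupDescription"}

def parse_secret_ref(text):
    """Parse the first secretsmanager dynamic reference in a string; None if absent/invalid."""
    m = DYN_REF.search(text)
    if not m:
        return None
    parts = m.group(1).split(":")
    # A full ARN (arn:aws:secretsmanager:region:account:secret:name) spans 7 colon-separated segments.
    n = 7 if parts[0] == "arn" else 1
    secret_id, rest = ":".join(parts[:n]), parts[n:]
    if not rest or rest[0] != "SecretString":
        return None
    ref = {"secret_id": secret_id}
    for name, val in zip(("json_key", "version_stage", "version_id"), rest[1:]):
        ref[name] = val or None  # an empty segment means "not specified"
    return ref

def find_secret_refs(template):
    """Return (path, ref) for every dynamic reference found anywhere in a parsed template."""
    found = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [i])
        elif isinstance(node, str) and (ref := parse_secret_ref(node)):
            found.append((path, ref))
    walk(template, [])
    return found

def exposed_refs(template):
    """Subset of find_secret_refs whose target property leaks the resolved value."""
    return [(p, r) for p, r in find_secret_refs(template)
            if EXPOSING_KEYS.intersection(s for s in p if isinstance(s, str))]

# Constructed sample: the question's bucket template, reduced to the relevant property.
SAMPLE = {"Resources": {"SampleBucket": {"Type": "AWS::S3::Bucket", "Properties": {"Tags": [
    {"Key": "keyname", "Value": "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"}]}}}}
```

Running `exposed_refs(SAMPLE)` reports the tag value, while a reference placed in a property such as a database master password is found by `find_secret_refs` but not flagged.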