5

I will be taking a few inputs when I'm creating the CloudFormation stack. The CloudFormation stack will create an SSM document (AWS Systems Manager), and I want to give a password as an input parameter to the SSM document before the execution.

"parameters": {
    "sourceAMIid": {
        "type": "String",
        "description": "Source/Base AMI to be used for generating your Automated AMI",
        "default": { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "HVM64"]}
    },
    "Username": {
        "type": "String",
        "description": "account username/email",
        "default": "none"
    },
    "password": {
        "type": "String",
        "description": "account password",
        "default": "none"
    },
    "productName": {
        "type": "String",
        "description": "The syntax of this parameter is ProductName-ProductVersion.",
        "default": {
            "Ref": "productName"
        }
    }
}

enter image description here

When I enter the password in this field, it shows the exact word as it is. Is there any way that I can define the password parameter to display as below?

enter image description here

2 Answers

15

Yes, you can mask your password using a CloudFormation template. All you need to do is set "NoEcho" to "true" inside parameters, as shown below. Refer to this and Using Input Parameters with NoEcho for Credentials in this for more information.

"Parameters" : {
  "DBPort" : {
    "Default" : "3306",
    "Description" : "TCP/IP port for the database",
    "Type" : "Number",
    "MinValue" : "1150",
    "MaxValue" : "65535"
  },
  "DBPwd" : {
    "NoEcho" : "true",
    "Description" : "The database admin account password",
    "Type" : "String",
    "MinLength" : "1",
    "MaxLength" : "41",
    "AllowedPattern" : "^[a-zA-Z0-9]*$"
  }
}
Prabhakar Reddy
  • 1
    Since I'm using this under the SSM document code, I have tried this before; it gives me an error when creating the CloudFormation stack `"AutomationDoc": { "Type": "AWS::SSM::Document","Properties": {"DocumentType": "Automation","Content": {"schemaVersion": "0.3","parameters": {"password": {"type": "String","NoEcho":"true","description": "account password", "default": "none"},` I'm getting this error: _Unknown property "noEcho". (Service: AmazonSSM; Status Code: 400; Error Code: InvalidDocumentContent; Request ID: 3b856651-1194-4e3f-8bc5-bf88a9b9734d)_ – Chinthaka Hasakelum Jan 03 '20 at 08:29
  • 1
    _Unknown property "noEcho". (Service: AmazonSSM; Status Code: 400; Error Code: InvalidDocumentContent; Request ID: 3b856651-1194-4e3f-8bc5-bf88a9b9734d)_ – Chinthaka Hasakelum Jan 03 '20 at 08:32
  • 2
    Put `"NoEcho"` on the parameter, not on the document. – kichik Jan 04 '20 at 21:28
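The placement issue discussed in this answer and its comments, as an added example that is not code from the question or the answers: a Python check over a parsed template that flags a secret-like stack parameter without NoEcho, NoEcho placed inside an `AWS::SSM::Document` (the case SSM rejected above), and a NoEcho parameter referenced into the document content. The name regex, the helper names and both sample templates are constructed assumptions; the last finding is there because NoEcho masks the stack parameter in CloudFormation output, while a value referenced into `Content` becomes part of the stored SSM document.

```python
import re

SECRET_NAME = re.compile(r"pass(word)?|pwd|secret|token", re.I)  # heuristic, an assumption

def refs(node):
    """Yield parameter names referenced as {"Ref": name} anywhere under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from refs(value)

def check_template(tpl):
    """Return findings about NoEcho placement in a parsed CloudFormation template."""
    findings = []
    params = tpl.get("Parameters", {})
    noecho = {n for n, p in params.items() if str(p.get("NoEcho", "")).lower() == "true"}
    for name in params:
        if SECRET_NAME.search(name) and name not in noecho:
            findings.append(f"Parameters.{name}: secret-like stack parameter without NoEcho")
    for rid, res in tpl.get("Resources", {}).items():
        if res.get("Type") != "AWS::SSM::Document":
            continue
        content = res.get("Properties", {}).get("Content", {})
        for pname, spec in content.get("parameters", {}).items():
            if any(key.lower() == "noecho" for key in spec):
                findings.append(f"{rid}.{pname}: NoEcho is not an SSM document property")
        for ref in sorted(set(refs(content)) & noecho):
            findings.append(f"{rid}: NoEcho parameter {ref} is written into the document content")
    return findings

def ssm_doc(password_spec):  # constructed AWS::SSM::Document resource, one parameter
    content = {"schemaVersion": "0.3", "parameters": {"password": password_spec}, "mainSteps": []}
    return {"Type": "AWS::SSM::Document",
            "Properties": {"DocumentType": "Automation", "Content": content}}

# Constructed sample 1: NoEcho inside the document, as in the failing attempt above.
REJECTED = {"Resources": {"AutomationDoc": ssm_doc(
    {"type": "String", "NoEcho": "true", "default": "none"})}}

# Constructed sample 2: NoEcho on the stack parameter, referenced from the document.
ACCEPTED = {"Parameters": {"Password": {"Type": "String", "NoEcho": "true"}},
            "Resources": {"AutomationDoc": ssm_doc({"type": "String", "default": {"Ref": "Password"}})}}

for label, tpl in (("rejected", REJECTED), ("accepted", ACCEPTED)):
    print(label, check_template(tpl))
```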
0

Using the terminal, this can be accomplished by using bash and read -s -p.

In the example below I have a Makefile, which reads the password, but does not echo the input to the terminal.

The Make Command

make create-test

Makefile

# read -s is a bash option, so run recipes with bash instead of the default /bin/sh
SHELL := /bin/bash

create-test: s3 delete-test
	@read -s -p "Enter DB Root Password: " pswd; \
	aws cloudformation create-stack --stack-name test --template-body file://master.yaml --parameters ParameterKey=DBRootPassword,ParameterValue="$$pswd"
Wayne