
I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.

SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/

It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."

Is there really no way to use CloudFormation to securely manage secrets as code?

Tim

1 Answer


You can use the Secret resource in CloudFormation to create SecretsManager secrets. There is a way to generate a value in the SecretString (which uses the GenerateRandomPassword API). Look at the GenerateSecretString property.

That should help you with generating a password without hardcoding it in a template.

There is also a RotationSchedule resource to help you set up automatic rotation for your secret.

To use the secret values stored in a SecretsManager secret or Parameter Store parameter, use dynamic references. Dynamic refs guarantee that the secret value is not logged in CFN or displayed in the console.

There is no way to create/generate a SecureString parameter in Parameter Store/Systems Manager currently.

Parimal
  • Thanks for the response! Unfortunately I have specific/external keys and passwords that can not be generated. C'est la vie. – Tim Jan 22 '20 at 19:17
  • What process creates the external keys and passwords? Ideally, you'd want this creation step to include or kick off the step that stores the secret in SecretsManager. You can then use dynamic references to use the secret in CloudFormation. – Parimal Jan 22 '20 at 19:20
  • They are handed to us by external companies as integration keys. So the process is manual at this point. Unfortunately I can't define the secret in CF, just have other CF templates reference the existing, manually created secret as you say. That means the secret itself is not part of CF/infrastructure as code :( – Tim Jan 22 '20 at 19:45
  • @Tim this may be late for you, but we have a similar situation and what we do is create the secret string in CloudFormation with a placeholder value. We then update the secret from console/cli. This way, the secret name/arn itself is still part of a stack – Sudhanshu Mishra Mar 04 '20 at 06:25
  • @SudhanshuMishra that actually is a great solution for most cases. Thanks for sharing! – Robbert van den Bogerd May 10 '21 at 12:21
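
The pieces from the answer (GenerateSecretString, dynamic references, RotationSchedule) and the placeholder pattern from the comments, put together in one template. This is an added example, not a template from the original thread; the secret names (example/app/db, example/app/partner-api-key), the DB size, the 30-day schedule and the placeholder string are assumptions, and the networking the hosted rotation function needs to reach the database is left out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Transform is required for the HostedRotationLambda shorthand used below.
Transform: AWS::SecretsManager-2020-07-23
Description: >-
  Added example (not from the original post): secrets managed as code
  without any secret value appearing in the template.

Parameters:
  DBUsername:
    Type: String
    Default: appuser
    Description: Only the username is a template input; the password is generated.

Resources:
  # 1. Generated secret: CloudFormation calls GetRandomPassword on your behalf,
  #    so the password exists only in Secrets Manager, never in the template.
  GeneratedDbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db            # assumed name
      Description: Database credentials; password generated at stack creation
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DBUsername}"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'     # characters RDS rejects in master passwords

  # 2. Externally issued key (the placeholder pattern from the comments):
  #    the stack owns the secret's name/ARN and lifecycle, while the real value
  #    is written out-of-band with `aws secretsmanager put-secret-value`.
  #    Never change this placeholder in a later template version, or the next
  #    stack update would overwrite the value you set by hand.
  PartnerApiKey:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/partner-api-key   # assumed name
      Description: Integration key issued by a partner; placeholder only, value set out-of-band
      SecretString: PLACEHOLDER-replace-with-put-secret-value

  # 3. Consumer: the resource reads the generated credentials through dynamic
  #    references. They are resolved at deploy time and are not echoed back in
  #    the template view, stack events or logs.
  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Delete          # example only; use Snapshot or Retain for real data
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro  # assumed size
      AllocatedStorage: '20'
      MasterUsername: !Sub '{{resolve:secretsmanager:${GeneratedDbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${GeneratedDbSecret}:SecretString:password}}'

  # 4. Rotation: link the secret to the database, then schedule the AWS-hosted
  #    single-user PostgreSQL rotation function.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref GeneratedDbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref GeneratedDbSecret
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser
        # Assumed: the database is reachable from the rotation function. For a
        # DB in a private subnet, also set VpcSecurityGroupIds and VpcSubnetIds here.
      RotationRules:
        AutomaticallyAfterDays: 30    # assumed schedule

Outputs:
  # Export ARNs, never values: other stacks resolve the value themselves with
  # {{resolve:secretsmanager:...}} instead of receiving it as plaintext.
  PartnerApiKeyArn:
    Value: !Ref PartnerApiKey
    Export:
      Name: !Sub '${AWS::StackName}-PartnerApiKeyArn'
```

After the stack is created, the partner key is written once with the CLI, for example `aws secretsmanager put-secret-value --secret-id example/app/partner-api-key --secret-string file://partner-key.txt`, and every other stack refers to the exported ARN rather than to the value. Two caveats worth checking in a review: a dynamic reference keeps the value out of the template and the stack events, but it does not hide it in the resource that receives it (a Lambda environment variable populated this way is shown in plaintext in the Lambda console, so such consumers should fetch the secret at runtime with an IAM grant instead), and while CloudFormation still cannot create a SecureString parameter, an existing one can be read with `{{resolve:ssm-secure:name:version}}` in the limited set of resource properties that support it.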