5

I want to use the AWS secrets manager to manage all my secrets for my CDK stacks. Since I would be managing hundreds of secrets, I want to create a CDK stack that would allow me to create these secrets in different environments (and manage them).

Some of the secret values need to be a specific set of values that cannot be autogenerated.

From what I understand, I cannot create such secrets that have predetermined values using CDK. So my question is: How do I create these secrets programmatically and not manually? The burden of creating the same set of secrets in different environments manually without messing up is too great.

Edit: To be clear, I understand the reason behind CDK not allowing to specify SecretString of AWS::SecretsManager::Secret since it could risk exposing secrets. I definitely thought about creating secrets with randomly generated values and then replacing those values manually, but for someone like me who has multiple environments and hundreds of secrets to manage, even that could be quite taxing. There has to be a better way of doing this.

Keshav Potluri
  • 479
  • 5
  • 15

1 Answers1

9

How do I create these secrets programmatically and not manually?

As you correctly pointed out you can't do this in CDK. This is by design and the rationale is as follows:

The Secret construct does not allow specifying the SecretString property of the AWS::SecretsManager::Secret resource (as this will almost always lead to the secret being surfaced in plain text and possibly committed to your source control).

The same document also gives a workaround for that:

If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application:

Of course manually going to console is not very pleasant, thus you can pre-create these secrets in AWS CLI or SDK. You could have a companion script along side your CDK which would create the secrets using AWS CLI or some script in AWS SDK. These pre-created secrets can the be used in the CDK as shown in the docs.

Obviously this poses the same issue which CDK tries to eliminate, i.e. you can commit or expose the script in plain text secrets in your source code.

But if your secrets are not that secret, then maybe using SSM Parameter Store would be better option. The stored values can be controlled easily from CDK.

As an alternative, if possible, you can also use plain CloudFormation's AWS::SecretsManager::Secret directly. The Secret in CFN does not restrict you, and you can setup plain text value for the secret.

Marcin
  • 215,873
  • 14
  • 235
  • 294