6
votes

I am trying to use a SecureString in the metadata section of a CloudFormation template but it raises the following error:

SSM Secure reference is not supported in: [AWS::EC2::Instance/Metadata/AWS::CloudFormation::Init/config/files/~/.ssh/content]

This is my code:

Resources:
  LinuxEC2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          files:
            ~/.ssh:
              content: !Sub |
                '{{resolve:ssm-secure:/credentials/ansible:1}}'
              mode: "000644"
              owner: "ansible"
              group: "ansible"

Why does this not work? I expected secure string references to work in CloudFormation templates.


1 Answer

3
votes

Why does this not work?

It does not work because ssm-secure is not supported for AWS::EC2::Instance. The list of supported resources is here and it includes:

AWS::DirectoryService::MicrosoftAD
AWS::DirectoryService::SimpleAD
AWS::ElastiCache::ReplicationGroup
AWS::IAM::User
AWS::KinesisFirehose::DeliveryStream
AWS::OpsWorks::App
AWS::OpsWorks::Stack
AWS::RDS::DBCluster
AWS::RDS::DBInstance
AWS::Redshift::Cluster