CloudFormation: Dynamic reference to SecretManager value not working for Resource's Tag Property

2
votes

I want to store a secret in AWS secrets manager and retrieve it in a CloudFormation template. To test it I just put it in the value of a tag -

  MainRouteTable:
    Properties:
      Tags:
        - Key: Environment
          Value: LIVE
        - Key: Name
          Value: '{{resolve:secretsmanager:tvs:SecretString:testname}}'
      VpcId: !Ref 'VPC'
    Type: AWS::EC2::RouteTable

After I run the CloudFormation using the template and the environment is up, the value for the tag "Name" is "{{resolve:secretsmanager:tvs:SecretString:testname}}" and not the actual secret stored in testname. enter image description here

I have looked all around and can not figure out what is wrong. According to the AWS docs I am doing it properly.

I can retrieve the secret fine from the CLI -

aws secretsmanager --region us-east-1 get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxxxxx:secret:tvs-ZVTiDO --query SecretString --output text | jq -r .testname

Any suggestions?

I followed the instructions here - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

2
amazon-web-servicesamazon-cloudformationaws-secrets-manager
it seems that the Tag property does not support dynamic references, from this question "you can use them inside of function calls (!Sub, !Join, etc.)".Miguel Trejo
I was using Tag as an easy way to test to see if AWS secrets was working properly. I tried using it in "MasterUserPassword:" in defining an RDS cluster. It errored with something like unusable format with no other info. In using it in the Tag - I was trying to use it in a area that I could see what it was getting to help debug. Is there any other place I could use it to try an see if it is getting what i think it should?ErnieAndBert

2 Answers

1
votes

SecretString can only be used in few resources and selected properties. Tags are not supported. The supported list is:

AWS::DirectoryService::MicrosoftAD Password

AWS::DirectoryService::SimpleAD Password

AWS::ElastiCache::ReplicationGroup AuthToken

AWS::IAM::User LoginProfile Password

AWS::KinesisFirehose::DeliveryStream 

RedshiftDestinationConfiguration Password

AWS::OpsWorks::App Source Password

AWS::OpsWorks::Stack CustomCookbooksSource Password

AWS::OpsWorks::Stack RdsDbInstances DbPassword

AWS::RDS::DBCluster MasterUserPassword 

AWS::RDS::DBInstance MasterUserPassword

AWS::Redshift::Cluster MasterUserPassword
0
votes

as a general rule, secrets will never display in AWS console, e.g. you can't use the im CloudFormation export, tags ect.