Create Secrets Manager using CloudFormation but keeping values not visible

0
votes

I have a CloudFormation template to create a Secret in Secrets Manager. My current template is similar to this (based on aws documentation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html):

{
   "Resources": {
      "MyCredentials": {
          "Type": "AWS::SecretsManager::Secret",
          "Properties": {
             "Name": "prod/web/api",
             "Description": "",
             "SecretString": "{
                \"Client_id\":\"my_client_id\",
                \"Client_secret\":\"a_super_secret_value\"
             }"
          }
      }
   }
}

My problem is that I can not use the GenerateSecretString property because the password is defined from an external organization so I can not change or create the value on my own and in this way the secret value can be viewed from the template in CloudFormation.

Is possible to achieve this or I need to create the secrets manually?

1
amazon-web-servicesamazon-cloudformationaws-secrets-manager

1 Answers

1
votes

You can use AWS SSM Parameter, where the external organization has given permissions to add/update password there or someone in the team do the same.

Once the password is there, you read in your cloudformation template either via dynamic references like below,

The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.

    "MyIAMUser": {
        "Type": "AWS::IAM::User",
        "Properties": {
        "UserName": "MyUserName",
        "LoginProfile": {
            "Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
        }
        }
    }

Or static reference something like below :

here Accessing the AvailabilityZone param stored in SSM.

        "AvailabilityZone": {
        "Description": "Amazon EC2 instance Availablity Zone",
        "Type": "AWS::SSM::Parameter::Value<String>",
        "Default": "AvailabilityZone"
        }

More examples in Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates