14

I created a user in my template with an access key:

```json
"MyAccessKey" : {
   "Type" : "AWS::IAM::AccessKey",
   "Properties" : {
      "UserName" : { "Ref" : "User12" }
   }
}
```

I need to get the access key ID and the secret key in the output of the template. How do I do that? Thank you

JavaQueen

2 Answers

28

CloudFormation's Outputs documentation states ...

CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.

A safer option is to create an AWS::SecretsManager::Secret resource that contains the user's access and secret keys.

Here's an example of a template for creating "bot" users that leverages this approach ...

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: example bot user

Resources:

  Bot:
    Type: AWS::IAM::User
    Properties:
      Path: /bot/
      UserName: !Ref AWS::StackName

  BotCredentials:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref Bot

  BotCredentialsStored:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /bot/credentials/${Bot}
      SecretString: !Sub '{"ACCESS_KEY":"${BotCredentials}","SECRET_KEY":"${BotCredentials.SecretAccessKey}"}'
```
RH Becker
  • How is a user supposed to then get the secret key from the Secrets Manager? – Mr Pablo Jun 17 '22 at 14:04
  • @MrPablo If the user has sufficient IAM privileges, the value can be retrieved via the Secrets service console, or via CLI, using the [get-secret-value](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/get-secret-value.html) command. – RH Becker Feb 17 '23 at 22:07
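Following on from the retrieval question in the comments, here is an added example (mine, not from the answer above) that extends the same template with a least-privilege managed policy, so that one designated operator can read this bot's secret and nothing else in Secrets Manager. The `OperatorUserName` parameter and the `BotCredentialsReadPolicy` resource are my assumptions; the other resources are the ones from the answer.

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: example bot user with a least-privilege reader of its stored credentials

Parameters:
  OperatorUserName:
    Type: String
    Description: existing IAM user allowed to read the bot's credentials (assumed name)

Resources:

  Bot:
    Type: AWS::IAM::User
    Properties:
      Path: /bot/
      UserName: !Ref AWS::StackName

  BotCredentials:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref Bot

  BotCredentialsStored:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /bot/credentials/${Bot}
      SecretString: !Sub '{"ACCESS_KEY":"${BotCredentials}","SECRET_KEY":"${BotCredentials.SecretAccessKey}"}'

  # Added: the operator may read this one secret and nothing else in Secrets Manager.
  BotCredentialsReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub 'read-only access to the stored credentials of bot ${Bot}'
      Users:
        - !Ref OperatorUserName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - secretsmanager:GetSecretValue
              - secretsmanager:DescribeSecret
            # Ref on an AWS::SecretsManager::Secret resolves to the secret's ARN
            Resource: !Ref BotCredentialsStored

Outputs:
  # Only the secret's ARN is exported; the key material stays in Secrets Manager.
  BotCredentialsSecretArn:
    Value: !Ref BotCredentialsStored
```

With that policy attached, the operator retrieves the JSON string built by `BotCredentialsStored` with `aws secretsmanager get-secret-value --secret-id /bot/credentials/<stack-name> --query SecretString --output text`; the stack events and outputs never contain the key material.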
14

The access key id and the secret key are available as return values for the AWS::IAM::AccessKey resource:

```json
"Outputs" : {
  "MyAccessKeyId": {
    "Value": { "Ref" : "MyAccessKey" }
  },
  "MySecretKey": {
    "Value": { "Fn::GetAtt": [ "MyAccessKey", "SecretAccessKey" ] }
  }
}
```
Yves M.
rbarni
  • 4
    Unfortunately it seems that there's no way to hide this from the logs once you have got the key. It would be nice if they had an output flag that said that it was just a temporary output that you wanted to disappear afterwards – Mark Adamson Sep 02 '17 at 15:36
  • 2
    If you want to hide this from logs you can create a custom resource and encrypt the key using KMS https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html – user1530779 Aug 17 '18 at 16:03
  • 12
    Or, instead of exposing the values via `Outputs`, you could put the values to a `AWS::SecretsManager::Secret`. – RH Becker Sep 13 '19 at 19:34
  • How do you do that @RHBecker, is there any good example or doc on doing so? Ta PS: found this https://binx.io/blog/2017/09/22/deploying-secrets-with-aws-cloudformation/ – diegosasw Apr 22 '21 at 11:10
  • 5
    @diegosasw I posted a new answer to exhibit how I've used the `AWS::SecretsManager::Secret` to this end. – RH Becker Apr 23 '21 at 18:09
  • 2
    It's really annoying that they seem to force you into using their Secrets managing service. I just need one-time access to this information, plug it into the secret manager of my CI/CD tool and that's it. – LostBalloon Oct 03 '21 at 21:46