
I want to store a secret in AWS secrets manager and retrieve it in a CloudFormation template. To test it I just put it in the value of a tag -

  MainRouteTable:
    Properties:
      Tags:
        - Key: Environment
          Value: LIVE
        - Key: Name
          Value: '{{resolve:secretsmanager:tvs:SecretString:testname}}'
      VpcId: !Ref 'VPC'
    Type: AWS::EC2::RouteTable

After I run the CloudFormation using the template and the environment is up, the value for the tag "Name" is "{{resolve:secretsmanager:tvs:SecretString:testname}}" and not the actual secret stored in testname.

I have looked all around and cannot figure out what is wrong. According to the AWS docs I am doing it properly.

I can retrieve the secret fine from the CLI -

  aws secretsmanager --region us-east-1 get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxxxxx:secret:tvs-ZVTiDO --query SecretString --output text | jq -r .testname

Any suggestions?

I followed the instructions here - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

  • It seems that the `Tag` property does not support dynamic references; from [this](https://stackoverflow.com/questions/53589880/dynamic-references-to-specify-secret-manager-values-in-aws-cloudformation) question: "you can use them inside of function calls (!Sub, !Join, etc.)". – Miguel Trejo Dec 02 '20 at 19:54
  • I was using Tag as an easy way to test to see if AWS Secrets was working properly. I tried using it in "MasterUserPassword:" in defining an RDS cluster. It errored with something like "unusable format" with no other info. In using it in the Tag, I was trying to use it in an area where I could see what it was getting, to help debug. Is there any other place I could use it to try and see if it is getting what I think it should? – ErnieAndBert Dec 02 '20 at 20:17

2 Answers


SecretString can only be used in a few resources and selected properties. Tags are not supported. The supported list is:

  AWS::DirectoryService::MicrosoftAD Password
  AWS::DirectoryService::SimpleAD Password
  AWS::ElastiCache::ReplicationGroup AuthToken
  AWS::IAM::User LoginProfile Password
  AWS::KinesisFirehose::DeliveryStream RedshiftDestinationConfiguration Password
  AWS::OpsWorks::App Source Password
  AWS::OpsWorks::Stack CustomCookbooksSource Password
  AWS::OpsWorks::Stack RdsDbInstances DbPassword
  AWS::RDS::DBCluster MasterUserPassword
  AWS::RDS::DBInstance MasterUserPassword
  AWS::Redshift::Cluster MasterUserPassword
  • That was it - works great. Thanks for the info!! Happy holidays!!! – ErnieAndBert Dec 03 '20 at 14:43
  • A little confused about this. That list is in the "SSM secure string parameters" section in the documentation - i.e. for Parameter Store, not Secrets Manager. Does this answer imply that the same restricted list also applies to Secrets Manager? – Steve Chambers Jul 14 '21 at 16:06

As a general rule, secrets will never display in the AWS console, e.g. you can't use them in CloudFormation export, tags, etc.

  • FYI - I was able to test getting the secret and displaying it in describe tags - specifically in GroupDescription same SecurityGroup. I only did this for test purposes to make sure that I did get it and it was the correct one - then I changed the secret (of course). – ErnieAndBert Dec 03 '20 at 15:09
  • Thanks for letting me know. – Tomek Klas Dec 03 '20 at 21:30