In AWS CloudFormation there is no way to generate the SMTP password of an AWS access key. As a result, the application always
has to do the calculation itself and transform the secret access key into an SMTP password.
With this custom CloudFormation provider, we put an end to that. You can create an access key and SMTP password and automatically
store the credentials in the AWS Parameter Store. This means that you can create the email infrastructure and provision
SMTP credentials to applications that need to send email through Amazon Simple Email Service in a safe and controlled manner.
How does it work?
It is quite easy: you add the CloudFormation resource Custom::AccessKey, as follows:
Resources:
  AccessKey:
    Type: Custom::AccessKey
    Properties:
      content: sample user credential
      UserName: email-sender
      ParameterPath: /iam-users/email-sender
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'
The access key id, access secret and the SMTP password are stored in the parameter store under the paths /iam-users/email-sender/aws_access_key_id, /iam-users/email-sender/aws_access_secret_key and /iam-users/email-sender/smtp_password respectively.
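The calculation the provider takes off the application's hands is the SigV4 SMTP-password derivation that AWS documents for SES: a chain of HMAC-SHA256 operations over the secret access key, prefixed with a version byte and base64-encoded. The following is an added example (not the provider's own code) that reproduces that derivation and maps the result onto the three parameter names listed above; the secret key value is the constructed example key from the AWS documentation, not a real credential.

```python
import base64
import hashlib
import hmac

# Constants fixed by the AWS SigV4 scheme for SES SMTP credentials
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04  # version byte that prefixes the signature


def sign(key: bytes, msg: str) -> bytes:
    """Raw HMAC-SHA256 digest of msg (UTF-8) under key."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_smtp_password(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for an IAM secret access key in the given region.

    The chain mirrors SigV4 key derivation: date, region, service, terminal,
    then the fixed message; the password is base64(VERSION || signature).
    """
    k = sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    k = sign(k, region)
    k = sign(k, SERVICE)
    k = sign(k, TERMINAL)
    k = sign(k, MESSAGE)
    return base64.b64encode(bytes([VERSION]) + k).decode("ascii")


def smtp_credential_parameters(parameter_path: str, access_key_id: str,
                               secret_access_key: str, region: str) -> dict:
    """Return the three parameter-store entries, keyed by the paths the provider writes to."""
    return {
        f"{parameter_path}/aws_access_key_id": access_key_id,
        f"{parameter_path}/aws_access_secret_key": secret_access_key,
        f"{parameter_path}/smtp_password": derive_smtp_password(secret_access_key, region),
    }


if __name__ == "__main__":
    # Constructed sample values (the well-known example key from the AWS docs)
    params = smtp_credential_parameters("/iam-users/email-sender", "AKIAIOSFODNN7EXAMPLE",
                                        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "eu-west-1")
    for name, value in params.items():
        print(f"{name} = {value}")
```

Because the region is folded into the derivation, the same access key yields a different SMTP password per SES region, which is why the region must be known when the credential is provisioned.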
Properties
You can specify the following properties:
UserName – the IAM user to create an access key for.
ParameterPath – the path in the parameter store under which to store the credentials.
Serial – increment to force the access key to be recycled.
Status – Active or Inactive.
ReturnSecret – returns access key id and access secret as attributes.
ReturnPassword – returns access key id and SMTP password as attributes.
NoEcho – indicates whether the output of the return values is replaced by *****, default True.
Return values
With ‘Fn::GetAtt’ the following values are available:
SMTPPassword – the SMTP password for the access key (if ReturnPassword is true).
AccessSecretKey – the secret part of the access key (if ReturnSecret is true).
For more information about using Fn::GetAtt, see Fn::GetAtt.
Installation
To install this Custom Resource, type:
git clone https://github.com/binxio/cfn-secret-provider
cd cfn-secret-provider
aws cloudformation create-stack \
    --capabilities CAPABILITY_IAM \
    --stack-name cfn-secret-provider \
    --template-body file://cloudformation/cfn-custom-resource-provider.yaml
aws cloudformation wait stack-create-complete \
    --stack-name cfn-secret-provider
This CloudFormation template will use our pre-packaged provider from:
s3://binxio-public-{{AWS::Region}}/lambdas/cfn-secret-provider-latest.zip
Demo
To install the simple sample from this blog post, type:
aws cloudformation create-stack \
    --stack-name cfn-secret-provider-demo \
    --template-body file://cloudformation/demo-stack.yaml
aws cloudformation wait stack-create-complete \
    --stack-name cfn-secret-provider-demo
To validate the result, type:
aws ssm get-parameters-by-path \
    --path /iam-users \
    --recursive \
    --with-decryption
Conclusion
By using the Custom CloudFormation Secret provider you can create an IAM access key and the derived SMTP password and store them in the parameter store, where they are encrypted and access to them can be audited and controlled.
If you got this far, you may also want to deploy your SES domain identities and DKIM records using CloudFormation.
If you have any questions, do not hesitate to contact me.