Deploying secrets with AWS CloudFormation

22 Sep, 2017

One of the biggest pains we encounter in creating immutable infrastructures with CloudFormation is dealing with secrets. Secrets
must be passed into the CloudFormation templates to make each environment different, and they
must be handed out to the development teams so that they can do something useful with them. Before you know it,
your secrets are compromised.

With this Custom CloudFormation Resource we put an end to that. Secrets are generated as a CloudFormation Resource and
stored in the EC2 parameter store. This means that we do not have to store the secrets anywhere unsafe and applications
can get access to the secrets in a controlled manner.

How does it work?

It is quite easy: you specify a CloudFormation resource of type Custom::Secret, as follows:

    DBPassword:
      Type: Custom::Secret
      Properties:
        Name: /postgres/root/PGPASSWORD
        KeyAlias: alias/aws/ssm
        Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
        Length: 30
        ReturnSecret: true
        Version: v1
        ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a 30-character random string can be found in the EC2 Parameter Store under the name /postgres/root/PGPASSWORD. If you need to access
the secret elsewhere in your CloudFormation template, you need to set ReturnSecret to true and reference it as the attribute Secret:

    MasterUserPassword: !GetAtt 'DBPassword.Secret'
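The following is an added example, not the provider's own code, that shows what a custom resource of this kind has to do on the Lambda side: generate the value with a cryptographically secure generator from the given Alphabet and Length, write it as a SecureString under the given Name, and return the value in the response Data only when ReturnSecret is true. The parameter store below is an in-memory stand-in for SSM (constructed for this example, so it runs offline); the event shape is the standard CloudFormation custom-resource request, in which property values arrive as strings, so "true"/"false" must be parsed rather than tested as booleans. The function and class names are assumptions made for this illustration.

```python
import secrets
from typing import Any, Dict

DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_secret(alphabet: str, length: int) -> str:
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG
    (secrets.choice), never random.choice, which is not suitable for secrets."""
    if length < 1:
        raise ValueError("Length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("Alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeParameterStore:
    """Constructed stand-in for SSM Parameter Store: records the value, the
    SecureString type and the KMS key alias it would be encrypted under."""

    def __init__(self) -> None:
        self.params: Dict[str, Dict[str, str]] = {}

    def put(self, name: str, value: str, key_alias: str) -> None:
        self.params[name] = {"Value": value, "Type": "SecureString", "KeyId": key_alias}

    def delete(self, name: str) -> None:
        self.params.pop(name, None)

    def get(self, name: str) -> str:
        return self.params[name]["Value"]


def handle_request(event: Dict[str, Any], store: FakeParameterStore) -> Dict[str, Any]:
    """Handle one Create/Update/Delete request and build the response body that a
    provider would PUT to the pre-signed ResponseURL. Any exception becomes a
    FAILED status so CloudFormation rolls back instead of hanging."""
    props = event.get("ResourceProperties", {})
    name = props["Name"]
    response: Dict[str, Any] = {
        "Status": "SUCCESS",
        "Reason": "",
        "PhysicalResourceId": name,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": {},
    }
    try:
        request_type = event["RequestType"]
        if request_type in ("Create", "Update"):
            # An Update arrives when any property changes (for example Version),
            # which is what lets the secret be rotated from the template.
            alphabet = props.get("Alphabet", DEFAULT_ALPHABET)
            length = int(props.get("Length", 30))
            value = generate_secret(alphabet, length)
            store.put(name, value, props.get("KeyAlias", "alias/aws/ssm"))
            # Property values are strings in the event, so compare the text.
            if str(props.get("ReturnSecret", "false")).lower() == "true":
                response["Data"]["Secret"] = value
        elif request_type == "Delete":
            store.delete(name)
        else:
            raise ValueError(f"unsupported RequestType {request_type!r}")
    except Exception as exc:  # report, never raise, so the stack does not stall
        response["Status"] = "FAILED"
        response["Reason"] = str(exc)
    return response


def sample_create_event() -> Dict[str, Any]:
    """Constructed Create request matching the resource shown in the text."""
    return {
        "RequestType": "Create",
        "StackId": "arn:aws:cloudformation:eu-west-1:123456789012:stack/demo/EXAMPLE",
        "RequestId": "constructed-request-id",
        "LogicalResourceId": "DBPassword",
        "ResourceProperties": {
            "Name": "/postgres/root/PGPASSWORD",
            "KeyAlias": "alias/aws/ssm",
            "Alphabet": DEFAULT_ALPHABET,
            "Length": "30",
            "ReturnSecret": "true",
            "Version": "v1",
        },
    }


if __name__ == "__main__":
    store = FakeParameterStore()
    result = handle_request(sample_create_event(), store)
    print(result["Status"], len(result["Data"]["Secret"]), store.params)
```

Because the value only leaves the Lambda in the response Data when ReturnSecret is true, a template that does not need !GetAtt can leave it at its default and the secret never passes through CloudFormation at all; when it is returned, keep it out of stack Outputs, which anyone with cloudformation:DescribeStacks can read.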


To install this Custom Resource, type:

    $ git clone
    $ cd cfn-secret-provider

    $ aws cloudformation create-stack \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-secret-provider \
        --template-body

    $ aws cloudformation wait stack-create-complete \
        --stack-name cfn-secret-provider


To install the simple sample of the Custom Resource, type:

    $ aws cloudformation create-stack \
        --capabilities CAPABILITY_NAMED_IAM \
        --stack-name cfn-secret-provider-demo \
        --template-body file://cloudformation/demo-stack.yaml

    $ aws cloudformation wait stack-create-complete \
        --stack-name cfn-secret-provider-demo

To validate the result, type:

    $ aws ssm get-parameter --name /postgres/root/PGPASSWORD --with-decryption


By using the CloudFormation Secret provider:

  • secrets are generated per environment;
  • secrets can be updated;
  • secrets are always stored encrypted in the Parameter Store;
  • access to the secrets is audited and controlled.

If you have a 3rd-party secret like an API key, check out deploying given secrets.
If you want to deploy a private key pair, check out deploying private key pairs.
In addition, we automated the deployment of ACM certificates with CloudFormation.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
