One of the biggest pains we encounter in creating immutable infrastructures with CloudFormation is dealing with secrets. Secrets
must be passed into the CloudFormation templates to make them different per environment. These secrets
must be given out to the development teams so that they can do something useful with them. Before you know it,
your secrets are compromised.
With this Custom CloudFormation Resource we put an end to that. Secrets are generated as a CloudFormation Resource and
stored in the EC2 parameter store. This means that we do not have to store the secrets anywhere unsafe and applications
can get access to the secrets in a controlled manner.
How does it work?
It is quite easy: you specify a CloudFormation resource of type Custom::Secret, as follows:
Resources:
  DBPassword:
    Type: Custom::Secret
    Properties:
      Name: /postgres/root/PGPASSWORD
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      Version: v1
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'
After the deployment, a 30-character random string can be found in the EC2 Parameter Store under the name /postgres/root/PGPASSWORD.
If you need to access the secret in your CloudFormation template, set ReturnSecret to true and reference it as the attribute Secret:
MasterUserPassword: !GetAtt 'DBPassword.Secret'
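To make the mechanism concrete, here is an added example (written for this page, not the binxio provider's own code) of the Create path of such a custom resource: it draws the secret from the given Alphabet and Length with a CSPRNG, writes it to the Parameter Store as a SecureString under the KeyAlias, and only returns the value as the Secret attribute when ReturnSecret is true. The SSM client is passed in as a callable (assumed to have the keyword signature of boto3's ssm.put_parameter) so the logic can be run offline.

```python
# Added example, not the cfn-secret-provider project's code.
import secrets

# Same default alphabet as the template above; Length defaults to 30.
DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_secret(alphabet: str, length: int) -> str:
    """Random string from `alphabet`, drawn with the CSPRNG-backed `secrets`
    module (never `random`, which is predictable)."""
    if length < 1 or not alphabet:
        raise ValueError("Length must be >= 1 and Alphabet must not be empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handle_create(properties: dict, put_parameter) -> dict:
    """Create handler for a Custom::Secret request.

    `properties` is the ResourceProperties dict CloudFormation sends; note that
    CloudFormation delivers scalar property values as strings ("30", "true").
    `put_parameter` is assumed to accept boto3 ssm.put_parameter keyword args;
    in a real Lambda pass boto3.client("ssm").put_parameter.
    """
    name = properties["Name"]
    alphabet = properties.get("Alphabet", DEFAULT_ALPHABET)
    length = int(properties.get("Length", 30))
    value = generate_secret(alphabet, length)

    put_parameter(
        Name=name,
        Value=value,
        Type="SecureString",                              # encrypted at rest
        KeyId=properties.get("KeyAlias", "alias/aws/ssm"),  # KMS key used
        Overwrite=False,  # a Create must never clobber an existing parameter
    )

    # Only hand the plaintext back to CloudFormation when explicitly asked for,
    # since anything in Data becomes readable through !GetAtt.
    return_secret = str(properties.get("ReturnSecret", "false")).lower() == "true"
    data = {"Secret": value} if return_secret else {}
    return {"PhysicalResourceId": name, "Data": data}
```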
Installation
To install this Custom Resource, type:
$ git clone https://github.com/binxio/cfn-secret-provider.git
$ cd cfn-secret-provider
$ aws cloudformation create-stack \
    --capabilities CAPABILITY_IAM \
    --stack-name cfn-secret-provider \
    --template-body file://cloudformation/cfn-custom-resource-provider.yaml
$ aws cloudformation wait stack-create-complete \
    --stack-name cfn-secret-provider
Demo
To install the simple sample of the Custom Resource, type:
$ aws cloudformation create-stack \
    --capabilities CAPABILITY_NAMED_IAM \
    --stack-name cfn-secret-provider-demo \
    --template-body file://cloudformation/demo-stack.yaml
$ aws cloudformation wait stack-create-complete \
    --stack-name cfn-secret-provider-demo
To validate the result, type:
$ aws ssm get-parameter --name /postgres/root/PGPASSWORD --with-decryption
Conclusion
By using the CloudFormation Secret provider:
- secrets are generated per environment.
- secrets can be updated.
- secrets are always stored encrypted in the Parameter Store.
- access to the secrets is audited and controlled!
If you have a third-party secret like an API key, check out deploying given secrets.
If you want to deploy a private key pair, check out deploying private key pairs.
In addition we automated the deployment of ACM certificates with CloudFormation.