Encrypting secrets in AWS CloudFormation

21 Oct, 2018
Xebia Background Header Wave

Last year, I wrote a blog about generating secrets in your CloudFormation template and storing them in the Parameter Store. This works when the secret is ours to choose. But what if you are given a secret? For instance an API key or password to be used for authentication at a third party? With the latest feature of the Custom Secret Provider, we allow you to specify an Encrypted secret which will be decrypted before it is stored in the Parameter store.

How does it work?

It is quite easy: you specify the encrypted value in your CloudFormation Custom::Secret resource as EncryptedContent:

    Type: Custom::Secret
      Name: /datadog/api-key
      EncryptedContent: AQICAHgefwksukJYA7L2AkPMZLGjZsGxHbvY9AoVs55dcju1AwEZui/8lNbnGAhv63Wh0heUAAAA3zCB3AYJKoZIhvcNAQcGoIHOMIHLAgEAMIHFBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDOXKKVZ4ft75/oZ2TQIBEICBlzf5j1M3w6OH+iphx59kFLnNoKb+u1RCLfIqEitrt6VGu13/jDlnDcPE2DfkZFkW3fnmNn5OXfgt1L9j4XYdIQTEwexorNqUr5pUtMfS9YX8yL9DbArH+XBv/OQPSj8VsuWRcwFP5EwZKB9O4X3l1pZlPafp2Y/ndWXgC1o6YgfplnmjufoUUTy8wi4P5glbwnqGP/iyc7g=
      ReturnSecret: true
      RefreshOnUpdate: true
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

The value should be encrypted with the KMS key alias/cmk/cfn-secrets for the provider to be able to decrypt it.
After the deployment, the API key can be found in the EC Parameter Store with the name /datadog/api-key as type SecureString. The value is available to you in clear text. If you need to access the secret in your cloudformation module, you need to specify ReturnSecret and reference it as the attribute Secret.

     DATADOG_API_KEY: !GetAtt 'ApiKey.Secret'


To install this Custom Resource, type:

git checkout
cd cfn-secret-provider

aws cloudformation create-stack 
    --capabilities CAPABILITY_IAM 
    --stack-name cfn-secret-provider 

aws cloudformation wait stack-create-complete  
    --stack-name cfn-secret-provider 

This CloudFormation template will use our pre-packaged provider from s3://binxio-public/lambdas/
This custom provider is only allowed to decrypt values from the key with the alias alias/cmk/cfn-secrets created together with the provider. If
you wish to use different keys, add Decrypt permissions to the Lamdba Policy.

Encrypting values

After the CloudFormation provider is deployed, you can encrypt values by using the 4 line python utility encrypt-secret.

$ ./encrypt-secret my-secret-api-key


To install the simple sample of the Custom Resource, type:


aws cloudformation create-stack 
    --stack-name cfn-secret-provider-demo 
    --template-body file://cloudformation/demo-stack.json 
    --parameters ParameterKey=ApiKey,ParameterValue=$(./encrypt-secret $API_KEY)

aws cloudformation wait stack-create-complete  
    --stack-name cfn-secret-provider-demo

Of course in this case the secret is passed in as a parameter, as it depends on the key.
to validate that your key was stored in the parameter store,type:

aws ssm get-parameter --name /cfn-secret-provider-demo-api-key --with-decryption


By using the Encrypted content option of the CloudFormation Secret provider, you can
specify given secrets in CloudFormation and deploy them safely to the SSM parameter store.
Got to here? You probably like deploying private key pairs and deploying ACM certificates with CloudFormation.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts