AWS CloudFormation
User Guide (API Version 2010-05-15)

Secrets Manager Secret GenerateSecretString

You can use the GenerateSecretString property as part of the AWS::SecretsManager::Secret resource type to dynamically generate a random text string to use as a password. It is an alternative to 'hardcoding' a password directly in the SecretString property. When you generate an AWS::SecretsManager::Secret resource type, you must include one or the other, but not both.

SecretString enables you to place a literal value directly into the secret (a technique that we recommend that you avoid). Instead, we recommend that you use the GenerateSecretString property to dynamically generate a random password. The operation returns a complete JSON structure to use as the secret value. The structure begins with the string that you supply using SecretStringTemplate. This template string must be a properly formatted JSON string that contains all of the secret value information except the password. The operation then generates a random password using the rules specified by the other parameters. Finally, the operation inserts the generated password into the secret value structure along with the JSON key name that's specified by the GenerateStringKey parameter.

For examples, see AWS::SecretsManager::Secret.

GenerateSecretString is a property of the AWS::SecretsManager::Secret resource.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "ExcludeUppercase" : Boolean,
  "RequireEachIncludedType" : Boolean,
  "IncludeSpace" : Boolean,
  "ExcludeCharacters" : String,
  "GenerateStringKey" : String,
  "PasswordLength" : Integer,
  "ExcludePunctuation" : Boolean,
  "ExcludeLowercase" : Boolean,
  "SecretStringTemplate" : String,
  "ExcludeNumbers" : Boolean
}

Properties

ExcludeUppercase

Specifies that the generated password shouldn't include uppercase letters. The default if you don't include this switch parameter is False, and the generated password can include uppercase letters.

Required: No

Type: Boolean

Update requires: No interruption

RequireEachIncludedType

Specifies whether the generated password must include at least one of every allowed character type. The default if you don't include this switch is True, and the generated password includes at least one of every character type.

Required: No

Type: Boolean

Update requires: No interruption

IncludeSpace

Specifies that the generated password can include the space character. The default if you don't include this switch parameter is False, and the generated password doesn't include any space characters.

Required: No

Type: Boolean

Update requires: No interruption

ExcludeCharacters

A string that includes characters that shouldn't be included in the generated password. The default if you don't include this parameter is that all characters from the included sets are candidates for inclusion in the generated password. The string can be a minimum length of 0 characters and a maximum length of 4096 characters.

Required: No

Type: String

Update requires: No interruption

GenerateStringKey

The JSON key name that's used to add the generated password to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate.

Required: No

Type: String

Update requires: No interruption

PasswordLength

The desired length of the generated password. The default value if you don't include this parameter is 32 characters.

Required: No

Type: Integer

Update requires: No interruption

ExcludePunctuation

Specifies that the generated password shouldn't include punctuation characters. The default if you don't include this switch parameter is False, and the generated password can include punctuation characters.

The following are the punctuation characters that can be included in the generated password if you don't explicitly exclude them with ExcludeCharacters or ExcludePunctuation:

! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

Required: No

Type: Boolean

Update requires: No interruption

ExcludeLowercase

Specifies that the generated password shouldn't include lowercase letters. The default if you don't include this switch parameter is False, and the generated password can include lowercase letters.

Required: No

Type: Boolean

Update requires: No interruption

SecretStringTemplate

A properly structured JSON string that the generated password can be added to. If you specify this parameter, then you must also specify GenerateStringKey. That key is combined with the generated random string and inserted into the JSON structure that's specified by this parameter. The merged JSON string is returned as the completed SecretString of the secret. The default if you don't include this parameter is that the generated random password string is returned by itself, and isn't embedded in a JSON structure.

Required: No

Type: String

Update requires: No interruption

ExcludeNumbers

Specifies that the generated password shouldn't include digits. The default if you don't include this switch parameter is False, and the generated password can include digits.

Required: No

Type: Boolean

Update requires: No interruption
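The rules above can be checked before a template is deployed. The following is an added example, not code from the AWS documentation: a small Python check over the Properties of an AWS::SecretsManager::Secret resource, using constructed sample blocks. The function names, the finding messages, and the entropy estimate (which assumes each character is drawn uniformly from the allowed set) are assumptions of this example.

```python
import json
import math
import string

# Exclude* switch -> character class it removes (all switches default to False).
CLASSES = {"ExcludeUppercase": string.ascii_uppercase,
           "ExcludeLowercase": string.ascii_lowercase,
           "ExcludeNumbers": string.digits,
           "ExcludePunctuation": string.punctuation}  # the 32 characters listed above

def candidate_chars(gen):
    """Characters the generator may draw from, per the switches on this page."""
    chars = {c for switch, cls in CLASSES.items()
             if not gen.get(switch, False) for c in cls}
    if gen.get("IncludeSpace", False):
        chars.add(" ")
    return chars - set(gen.get("ExcludeCharacters", ""))

def entropy_bits(gen):
    """Upper bound in bits, assuming uniform draws (assumption of this example)."""
    n = len(candidate_chars(gen))
    return gen.get("PasswordLength", 32) * math.log2(n) if n else 0.0

def check_secret(props):
    """Findings for the Properties of one AWS::SecretsManager::Secret resource."""
    findings = []
    gen = props.get("GenerateSecretString")
    if ("SecretString" in props) == (gen is not None):
        findings.append("set exactly one of SecretString / GenerateSecretString")
    if "SecretString" in props:
        findings.append("SecretString hardcodes the secret in the template")
    if gen is None:
        return findings
    template, key = gen.get("SecretStringTemplate"), gen.get("GenerateStringKey")
    if (template is None) != (key is None):
        findings.append("SecretStringTemplate and GenerateStringKey go together")
    if template is not None:
        try:
            json.loads(template)
        except ValueError:
            findings.append("SecretStringTemplate is not valid JSON")
    if not candidate_chars(gen):
        findings.append("all character types are excluded")
    return findings

# Constructed sample Properties blocks (not taken from the page).
HARDCODED = {"SecretString": '{"username":"admin","password":"example"}'}
GENERATED = {"GenerateSecretString": {
    "SecretStringTemplate": '{"username": "admin"}', "GenerateStringKey": "password",
    "PasswordLength": 24, "ExcludeCharacters": '"@/\\'}}
```

Calling check_secret on each resource's Properties in a CI step flags literal secrets and inconsistent generator settings before the stack is created; entropy_bits shows how much each exclusion narrows the password space.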
