AWS::SecretsManager::SecretTargetAttachment
The AWS::SecretsManager::SecretTargetAttachment
resource completes the final
link between a Secrets Manager secret and the associated database by adding the database
connection information to the secret JSON. If you want to turn on automatic rotation
for a database credential secret, the secret must contain the database connection information.
For more information, see JSON structure
of Secrets Manager database credential secrets.
For Amazon RDS master user credentials, see AWS::RDS::DBCluster MasterUserSecret.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SecretsManager::SecretTargetAttachment", "Properties" : { "SecretId" :
String
, "TargetId" :String
, "TargetType" :String
} }
YAML
Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId:
String
TargetId:String
TargetType:String
Properties
SecretId
-
The ARN or name of the secret. To reference a secret also created in this template, use the see Ref function with the secret's logical ID.
Required: Yes
Type: String
Update requires: No interruption
TargetId
-
The ID of the database or cluster.
Required: Yes
Type: String
Update requires: No interruption
TargetType
-
A string that defines the type of service or database associated with the secret. This value instructs Secrets Manager how to update the secret with the details of the service or database. This value must be one of the following:
-
AWS::RDS::DBInstance
-
AWS::RDS::DBCluster
-
AWS::Redshift::Cluster
-
AWS::DocDB::DBInstance
-
AWS::DocDB::DBCluster
Required: Yes
Type: String
Update requires: No interruption
-
Return values
Ref
When you pass the logical ID of an
AWS::SecretsManager::SecretTargetAttachment
resource to the intrinsic
Ref
function, the function returns the ARN of the secret, such as:
arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
You can use the ARN to reference a secret you created in one part of the stack template from within the definition of another resource from a different part of the same template.
For more information about using the Ref
function, see Ref.
Examples
Creating a Redshift cluster
The following example creates a secret and an Amazon Redshift
resource as defined by the TargetType
using the credentials found in the secret as the new
Amazon Redshift user and password. Then the code updates the secret with
the connection details of the AWS resource by defining the
SecretTargetAttachment
object.
YAML
AWSTemplateFormatVersion: '2010-09-09' Resources: MyRedshiftSecret: Type: AWS::SecretsManager::Secret Properties: Description: This is a Secrets Manager secret for a Redshift cluster GenerateSecretString: SecretStringTemplate: '{"username": "admin"}' GenerateStringKey: password PasswordLength: 16 ExcludeCharacters: "\"'@/\\" MyRedshiftCluster: Type: AWS::Redshift::Cluster Properties: DBName: myjsondb MasterUsername: Fn::Sub: "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}" MasterUserPassword: Fn::Sub: "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}" NodeType: ds2.xlarge ClusterType: single-node SecretRedshiftAttachment: Type: AWS::SecretsManager::SecretTargetAttachment Properties: SecretId: Ref: MyRedshiftSecret TargetId: Ref: MyRedshiftCluster TargetType: AWS::Redshift::Cluster