Get an AWS Secrets Manager secret in an AWS CloudFormation resource - AWS Secrets Manager

Get an AWS Secrets Manager secret in an AWS CloudFormation resource

With AWS CloudFormation, you can retrieve a secret to use in another AWS CloudFormation resource. A common scenario is to first create a secret with a password generated by Secrets Manager, and then retrieve the username and password from the secret to use as credentials for a new database. For information about creating secrets with AWS CloudFormation, see Create AWS Secrets Manager secrets in AWS CloudFormation.

To retrieve a secret in a AWS CloudFormation template, you use a dynamic reference. When you create the stack, the dynamic reference pulls the secret value into the AWS CloudFormation resource, so you don't have to hardcode the secret information. Instead, you refer to the secret by name or ARN. You can use a dynamic reference for a secret in any resource property. You can't use a dynamic reference for a secret in resource metadata such as AWS::CloudFormation::Init because that would make the secret value visible in the console.

A dynamic reference for a secret has the following pattern:

{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
secret-id

The name or ARN of the secret. To access a secret in your AWS account, you can use the secret name. To access a secret in a different AWS account, use the ARN of the secret.

json-key (Optional)

The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key, AWS CloudFormation retrieves the entire secret text. This segment may not include the colon character ( :).

version-stage (Optional)

The version of the secret to use. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you use version-stage then don't specify version-id. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character ( :).

version-id (Optional)

The unique identifier of the version of the secret to use. If you specify version-id, then don't specify version-stage. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character ( :).

For more information, see Using dynamic references to specify Secrets Manager secrets.

Note

Do not create a dynamic reference using a backslash (\) as the final value. AWS CloudFormation can't resolve those references, which causes a resource failure.