Retrieve a secret in an AWS CloudFormation resource - AWS Secrets Manager

Retrieve a secret in an AWS CloudFormation resource

With AWS CloudFormation, you can retrieve a secret to use in another AWS CloudFormation resource. A common scenario is to first create a secret with a password generated by Secrets Manager, and then retrieve the username and password from the secret to use as credentials for a new database. For information about creating secrets with AWS CloudFormation, see Create secrets in AWS CloudFormation.

To retrieve a secret in an AWS CloudFormation template, you use a dynamic reference.

A dynamic reference for a secret has the following pattern:

{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
secret-id

The name or ARN of the secret. To access a secret in your AWS account, you can use the secret name. To access a secret in a different AWS account, use the ARN of the secret.

json-key (Optional)

The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key, AWS CloudFormation retrieves the entire secret text. This segment may not include the colon character (:).

version-stage (Optional)

The version of the secret to use. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you use version-stage, then don't specify version-id. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).

version-id (Optional)

The unique identifier of the version of the secret to use. If you specify version-id, then don't specify version-stage. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).

For more information, see Using dynamic references to specify Secrets Manager secrets.

Example: Use a secret to set a database password

This example retrieves the username and password values stored in the MyRDSSecret secret and uses them as the username and password for the Amazon RDS DB instance.

The MyRDSSecret secret value looks like this:

{
  "engine": "mysql",
  "username": "admin",
  "password": "EXAMPLE-PASSWORD",
  "host": "my-database-endpoint.us-east-2.rds.amazonaws.com",
  "dbname": "myDatabase",
  "port": "3306"
}

For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide.

JSON

{
  "MyRDSInstance": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "DBName": "MyRDSInstance",
      "AllocatedStorage": "20",
      "DBInstanceClass": "db.t2.micro",
      "Engine": "mysql",
      "MasterUsername": "{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}",
      "MasterUserPassword": "{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}"
    }
  }
}

YAML

MyRDSInstance:
  Type: 'AWS::RDS::DBInstance'
  Properties:
    DBName: MyRDSInstance
    AllocatedStorage: '20'
    DBInstanceClass: db.t2.micro
    Engine: mysql
    MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
    MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
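The following is an added example (not AWS code) that applies the dynamic-reference pattern described above: it parses and validates a `{{resolve:secretsmanager:...}}` reference, including an ARN secret-id and the rule that version-stage and version-id are mutually exclusive, and then scans a loaded template (such as the DB instance above) for every such reference. It assumes that the segments after SecretString are positional, so an empty segment means "not specified".

```python
import re
from dataclasses import dataclass
from typing import Any, Iterator, Optional

# Added example, not AWS code. Assumption: segments after SecretString are
# positional, so an empty one ("password::<version-id>") means "not specified".
# secret-id is matched non-greedily up to the ":SecretString" marker because
# an ARN secret-id itself contains colons.
_REF = re.compile(r"^\{\{resolve:secretsmanager:(?P<secret_id>.+?):SecretString"
                  r"(?::(?P<rest>.*))?\}\}$")

@dataclass
class SecretRef:
    secret_id: str  # secret name, or an ARN (which itself contains colons)
    json_key: Optional[str] = None
    version_stage: Optional[str] = None
    version_id: Optional[str] = None

def parse_secret_ref(ref: str) -> SecretRef:
    """Parse one dynamic reference; raise ValueError if it is malformed."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not a secretsmanager dynamic reference: {ref}")
    rest = m.group("rest")
    segments = rest.split(":") if rest is not None else []
    # json-key, version-stage and version-id may not contain ':', so a fourth
    # segment means a stray colon somewhere.
    if len(segments) > 3:
        raise ValueError(f"too many ':'-separated segments: {ref}")
    segments += [""] * (3 - len(segments))
    json_key, version_stage, version_id = (s or None for s in segments)
    if version_stage and version_id:
        raise ValueError("specify version-stage or version-id, not both")
    return SecretRef(m.group("secret_id"), json_key, version_stage, version_id)

def find_secret_refs(node: Any, path: str = "") -> Iterator[tuple[str, SecretRef]]:
    """Walk a parsed template (dicts/lists/strings); yield (path, ref) pairs."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from find_secret_refs(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_secret_refs(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.startswith("{{resolve:secretsmanager:"):
        yield path, parse_secret_ref(node)

# Constructed sample: the page's DB instance, as it looks once loaded from JSON/YAML.
SAMPLE_TEMPLATE = {"Resources": {"MyRDSInstance": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"Engine": "mysql",
        "MasterUsername": "{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}",
        "MasterUserPassword": "{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}"}}}}
```

Running `find_secret_refs` over a template before deployment is a cheap way to confirm that credentials come only from Secrets Manager references and that no literal password was pasted into a property.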