Get an AWS Secrets Manager secret in an AWS CloudFormation resource
With AWS CloudFormation, you can retrieve a secret to use in another AWS CloudFormation resource. A common scenario is to first create a secret with a password generated by Secrets Manager, and then retrieve the username and password from the secret to use as credentials for a new database. For information about creating secrets with AWS CloudFormation, see Create AWS Secrets Manager secrets in AWS CloudFormation.
To retrieve a secret in an AWS CloudFormation template, you use a dynamic reference. When you create the stack, the dynamic reference pulls the secret value into the AWS CloudFormation resource, so you don't have to hardcode the secret information. Instead, you refer to the secret by name or ARN. You can use a dynamic reference for a secret in any resource property. You can't use a dynamic reference for a secret in resource metadata such as AWS::CloudFormation::Init, because that would make the secret value visible in the console.
A dynamic reference for a secret has the following pattern:
{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
- secret-id: The name or ARN of the secret. To access a secret in your AWS account, you can use the secret name. To access a secret in a different AWS account, use the ARN of the secret.
- json-key (Optional): The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key, AWS CloudFormation retrieves the entire secret text. This segment may not include the colon character (:).
- version-stage (Optional): The version of the secret to use. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you use version-stage, then don't specify version-id. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).
- version-id (Optional): The unique identifier of the version of the secret to use. If you specify version-id, then don't specify version-stage. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).
For more information, see Using dynamic references to specify Secrets Manager secrets.
Note: Do not create a dynamic reference using a backslash (\) as the final value. AWS CloudFormation can't resolve those references, which causes a resource failure.
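The following is an added example, not code from the AWS documentation: a small template lint, written in Python, that applies the rules above (secret-id before SecretString, no colons in json-key, version-stage or version-id, never both version-stage and version-id, no trailing backslash, and no secret references in resource metadata) to a CloudFormation JSON template. The embedded template, the secret name MyDbSecret, the resource names DbSecret and Db, and the file path /etc/app.conf are constructed for the example; the RDS property names are real, and the reference placed under Metadata is deliberately there so the lint has something to flag.

```python
import json
import re

# Constructed sample template (example only): a secret with a generated password, and an RDS
# instance that reads the username and password through dynamic references. The Metadata
# block intentionally contains a secret reference so that the lint below reports it.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "DbSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "Name": "MyDbSecret",
                "GenerateSecretString": {
                    "SecretStringTemplate": "{\"username\": \"admin\"}",
                    "GenerateStringKey": "password",
                    "PasswordLength": 32,
                    "ExcludeCharacters": "\"@/\\",
                },
            },
        },
        "Db": {
            "Type": "AWS::RDS::DBInstance",
            "DependsOn": "DbSecret",
            "Properties": {
                "Engine": "mysql",
                "DBInstanceClass": "db.t3.micro",
                "AllocatedStorage": "20",
                "MasterUsername": "{{resolve:secretsmanager:MyDbSecret:SecretString:username}}",
                "MasterUserPassword": "{{resolve:secretsmanager:MyDbSecret:SecretString:password}}",
            },
            "Metadata": {
                "AWS::CloudFormation::Init": {
                    "config": {"files": {"/etc/app.conf": {
                        "content": "pw={{resolve:secretsmanager:MyDbSecret:SecretString:password}}"}}}
                }
            },
        },
    }
})

# Matches one dynamic reference and captures everything between the prefix and the closing braces.
REF_RE = re.compile(r"\{\{resolve:secretsmanager:([^}]*)\}\}")


def parse_reference(body):
    """Split the text between 'resolve:secretsmanager:' and '}}' into its segments.

    Returns (secret_id, json_key, version_stage, version_id). The secret-id may be an ARN,
    which itself contains colons, so the split is on the ':SecretString' token rather than
    on every colon. Raises ValueError for shapes the documentation disallows.
    """
    if body.endswith("\\"):
        raise ValueError("reference ends with a backslash, which CloudFormation cannot resolve")
    secret_id, sep, tail = body.partition(":SecretString")
    if not secret_id:
        raise ValueError("missing secret-id")
    if not sep:
        raise ValueError("missing ':SecretString' segment")
    if tail and not tail.startswith(":"):
        raise ValueError("unexpected text after 'SecretString'")
    segments = tail[1:].split(":") if tail else []
    if len(segments) > 3:
        raise ValueError("too many segments: json-key, version-stage and version-id may not contain ':'")
    segments += [""] * (3 - len(segments))
    json_key, version_stage, version_id = segments
    if version_stage and version_id:
        raise ValueError("specify version-stage or version-id, not both")
    return secret_id, json_key, version_stage, version_id


def find_references(node, path=()):
    """Yield (path, reference body) for every dynamic secret reference in a parsed template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_references(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_references(value, path + (str(index),))
    elif isinstance(node, str):
        for match in REF_RE.finditer(node):
            yield path, match.group(1)


def lint_template(template_text):
    """Return a list of problems found in the dynamic secret references of a JSON template."""
    findings = []
    for path, body in find_references(json.loads(template_text)):
        location = "/".join(path)
        if "Metadata" in path:
            findings.append(f"{location}: secret reference in resource metadata; "
                            "the value would be visible in the console")
        try:
            parse_reference(body)
        except ValueError as exc:
            findings.append(f"{location}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running the lint on the sample reports only the reference inside Metadata; the two references in the Properties block pass. The same parser accepts an ARN as the secret-id because it looks for the ':SecretString' token instead of counting colons, which is also why a stray colon in json-key, version-stage or version-id shows up as an extra segment.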