Create AWS Secrets Manager secrets in AWS CloudFormation
You can create secrets in a CloudFormation stack by using the
AWS::SecretsManager::Secret resource in a CloudFormation template, as shown in Create a secret.
To create an admin secret for Amazon RDS or Aurora, we recommend you use ManageMasterUserPassword in AWS::RDS::DBCluster. Then Amazon RDS creates the secret and manages rotation for you. For more information, see Managed rotation.
For Amazon Redshift and Amazon DocumentDB credentials, first create a secret with a password generated by Secrets Manager, and then
use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. Next, use the
AWS::SecretsManager::SecretTargetAttachment resource to add details about the
database to the secret that Secrets Manager needs to rotate the secret. Finally, to turn on automatic rotation, use the
AWS::SecretsManager::RotationSchedule resource and provide a rotation function and a schedule. See the following examples:
To attach a resource policy to your secret, use the
AWS::SecretsManager::ResourcePolicy resource.
For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide. You can also use the AWS Cloud Development Kit (AWS CDK). For more information, see AWS Secrets Manager Construct Library.
How Secrets Manager uses AWS CloudFormation
When you use the console to turn on rotation, Secrets Manager uses AWS CloudFormation to create resources for rotation. If you create a new rotation function during that process, AWS CloudFormation creates an AWS::Serverless::Function based on the appropriate Rotation function
templates. Then AWS CloudFormation sets the RotationSchedule, which sets the rotation function and rotation rules for the secret. You can view the AWS CloudFormation stack by choosing View stack in the banner after you turn on automatic rotation.
For information about turning on automatic rotation, see Rotate AWS Secrets Manager secrets.
