Create AWS Secrets Manager secrets in AWS CloudFormation - AWS Secrets Manager

Create AWS Secrets Manager secrets in AWS CloudFormation

You can create secrets in a CloudFormation stack by using the AWS::SecretsManager::Secret resource in a CloudFormation template, as shown in Create a secret.

To create an admin secret for Amazon RDS or Aurora, we recommend that you use ManageMasterUserPassword in AWS::RDS::DBCluster. Amazon RDS then creates the secret and manages rotation for you. For more information, see Managed rotation.

For Amazon Redshift and Amazon DocumentDB credentials, first create a secret with a password generated by Secrets Manager, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. Next, use the AWS::SecretsManager::SecretTargetAttachment resource to add to the secret the database connection details that Secrets Manager needs to rotate it. Finally, to turn on automatic rotation, use the AWS::SecretsManager::RotationSchedule resource and provide a rotation function and a schedule. See the following examples:

To attach a resource policy to your secret, use the AWS::SecretsManager::ResourcePolicy resource.
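The following template walks through the four-step Redshift procedure above (generated secret, dynamic references, SecretTargetAttachment, RotationSchedule) and also attaches a resource policy to the secret. It is an added example, not a template from this page or from AWS; the resource names, the VpcId and SubnetIds parameters, the cluster sizing, the 30-day schedule and the deny-delete policy are assumptions chosen for illustration. It uses an AWS-hosted rotation function (HostedRotationLambda), which requires the AWS::SecretsManager-2020-07-23 transform.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Required because the RotationSchedule below uses HostedRotationLambda.
Transform: AWS::SecretsManager-2020-07-23

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets shared by the cluster and the rotation function

Resources:
  # 1. Secret: Secrets Manager generates the password; only the username is
  #    fixed in the JSON template, so no plaintext password is in the stack.
  RedshiftAdminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Admin credentials for the example Redshift cluster (assumed name)
      GenerateSecretString:
        SecretStringTemplate: '{"username": "exampleadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludePunctuation: true   # Redshift rejects several punctuation characters

  ClusterSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redshift cluster and its rotation function
      VpcId: !Ref VpcId

  # Let the rotation function (same security group) reach the cluster port.
  ClusterSelfIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ClusterSecurityGroup
      IpProtocol: tcp
      FromPort: 5439
      ToPort: 5439
      SourceSecurityGroupId: !Ref ClusterSecurityGroup

  ClusterSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: Subnets for the example cluster
      SubnetIds: !Ref SubnetIds

  # 2. Database: username and password come from the secret via dynamic
  #    references, so they are never written into the template or its outputs.
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: exampledb
      ClusterType: single-node
      NodeType: dc2.large
      PubliclyAccessible: false
      Encrypted: true
      ClusterSubnetGroupName: !Ref ClusterSubnetGroup
      VpcSecurityGroupIds: [!Ref ClusterSecurityGroup]
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref RedshiftAdminSecret, ':SecretString:username}}']]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref RedshiftAdminSecret, ':SecretString:password}}']]

  # 3. Attachment: writes host, port, engine and dbname into the secret so the
  #    rotation function knows which database to connect to.
  SecretClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref RedshiftAdminSecret
      TargetId: !Ref RedshiftCluster
      TargetType: AWS::Redshift::Cluster

  # 4. Rotation: hosted single-user rotation every 30 days. DependsOn makes
  #    sure the connection details exist before the first rotation runs.
  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretClusterAttachment
    Properties:
      SecretId: !Ref RedshiftAdminSecret
      HostedRotationLambda:
        RotationType: RedshiftSingleUser
        RotationLambdaName: example-redshift-admin-rotation
        VpcSecurityGroupIds: !Ref ClusterSecurityGroup
        VpcSubnetIds: !Join [',', !Ref SubnetIds]
      RotationRules:
        ScheduleExpression: rate(30 days)
        Duration: 2h

  # Resource policy (assumed guard): deny deletion of the secret to every
  # principal; remove this resource first if the secret really must go.
  SecretDeleteGuard:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref RedshiftAdminSecret
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal: '*'
            Action: secretsmanager:DeleteSecret
            Resource: '*'
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name example --capabilities CAPABILITY_IAM --parameter-overrides VpcId=... SubnetIds=...` (the hosted rotation function creates an IAM role, hence the capability). Because CloudFormation deletes resources in reverse dependency order, the ResourcePolicy is removed before the Secret on stack deletion, so the deny statement does not block a normal teardown but does stop an out-of-band DeleteSecret call.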

For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide. You can also use the AWS Cloud Development Kit (AWS CDK). For more information, see AWS Secrets Manager Construct Library.

How Secrets Manager uses AWS CloudFormation

When you use the console to turn on rotation, Secrets Manager uses AWS CloudFormation to create resources for rotation. If you create a new rotation function during that process, AWS CloudFormation creates an AWS::Serverless::Function based on the appropriate Rotation function templates. Then AWS CloudFormation sets the RotationSchedule, which sets the rotation function and rotation rules for the secret. You can view the AWS CloudFormation stack by choosing View stack in the banner after you turn on automatic rotation.

For information about turning on automatic rotation, see Rotate AWS Secrets Manager secrets.