

# Create AWS Secrets Manager secrets in AWS CloudFormation
<a name="cloudformation"></a>

You can create secrets in a CloudFormation stack by using the [`AWS::SecretsManager::Secret`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html) resource in a CloudFormation template, as shown in [Create a secret](cfn-example_secret.md).

To create an admin secret for Amazon RDS or Aurora, we recommend you set `ManageMasterUserPassword` on the [`AWS::RDS::DBCluster`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html) resource. Amazon RDS then creates the secret and manages rotation for you. For more information, see [Managed rotation](rotate-secrets_managed.md).

For Amazon Redshift and Amazon DocumentDB credentials, first create a secret with a password generated by Secrets Manager, and then use a [dynamic reference](cfn-example_reference-secret.md) to retrieve the username and password from the secret to use as credentials for a new database. Next, use the [`AWS::SecretsManager::SecretTargetAttachment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to add the database connection details that Secrets Manager needs in order to rotate the secret. Finally, to turn on automatic rotation, use the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource and provide a [rotation function](reference_available-rotation-templates.md) and a [schedule](rotate-secrets_schedule.md). See the following examples:
+ [Create a secret with Amazon Redshift credentials](cfn-example_Redshift-secret.md)
+ [Create a secret with Amazon DocumentDB credentials](cfn-example_DocDB-secret.md)
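The three steps above carried through in one template, as an added example rather than a template from the Secrets Manager documentation: the secret generates the password, a single-node Amazon Redshift cluster receives the username and password through dynamic references (so the plaintext never appears in the template), the attachment adds the cluster's connection details to the secret, and the rotation schedule turns on rotation every 30 days. The logical names (`RedshiftAdminSecret`, `ExampleCluster`, and so on) and the cluster settings are assumptions; a cluster that is not reachable from outside its VPC also needs `VpcSecurityGroupIds` and `VpcSubnetIds` on `HostedRotationLambda`.

```yaml
# Added example template; the logical resource names and cluster settings are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Secret with a generated password, a Redshift cluster that uses it, and rotation
Resources:
  # Step 1: let Secrets Manager generate the password; only the username is fixed.
  RedshiftAdminSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Admin credentials for the example Redshift cluster
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        # Characters that Redshift does not allow in a master password.
        ExcludeCharacters: '"@/\'

  # Step 2: dynamic references resolve the username and password at deployment time,
  # so the password is never written into the template or its parameters.
  ExampleCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: single-node
      NodeType: dc2.large
      DBName: exampledb
      MasterUsername: !Sub '{{resolve:secretsmanager:${RedshiftAdminSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${RedshiftAdminSecret}:SecretString:password}}'

  # Step 3: write the cluster's endpoint, port, engine and database name into the secret
  # so that the rotation function can connect to it.
  SecretClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref RedshiftAdminSecret
      TargetId: !Ref ExampleCluster
      TargetType: AWS::Redshift::Cluster

  # Step 4: turn on rotation with the hosted single-user Redshift rotation function.
  # DependsOn ensures the connection details exist before the first rotation runs.
  SecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretClusterAttachment
    Properties:
      SecretId: !Ref RedshiftAdminSecret
      HostedRotationLambda:
        RotationType: RedshiftSingleUser
      RotationRules:
        ScheduleExpression: 'rate(30 days)'
```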

To attach a resource policy to your secret, use the [`AWS::SecretsManager::ResourcePolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html) resource.

For information about creating resources with CloudFormation, see [Learn template basics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html) in the CloudFormation User Guide. You can also use the AWS Cloud Development Kit (AWS CDK). For more information, see [AWS Secrets Manager Construct Library](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-secretsmanager-readme.html).

## How Secrets Manager uses AWS CloudFormation
<a name="how-asm-uses-cfn"></a>

When you use the console to turn on rotation, Secrets Manager uses AWS CloudFormation to create the resources for rotation. If you create a new rotation function during that process, CloudFormation creates an [`AWS::Serverless::Function`](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html) based on the appropriate [Rotation function templates](reference_available-rotation-templates.md). CloudFormation then creates an [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html), which sets the rotation function and rotation rules for the secret. You can view the CloudFormation stack by choosing **View stack** in the banner after you turn on automatic rotation.

For information about turning on automatic rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).