Create secrets in AWS CloudFormation - AWS Secrets Manager

Create secrets in AWS CloudFormation

You can create secrets in a CloudFormation stack by using the AWS::SecretsManager::Secret resource in a CloudFormation template.

A common scenario is to first create a secret with a password generated by Secrets Manager, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the examples below.

To attach a resource policy to your secret, use the AWS::SecretsManager::ResourcePolicy resource.

If the secret contains Amazon RDS, Amazon Redshift, or Amazon DocumentDB credentials, turn on automatic rotation in two steps. First, use the AWS::SecretsManager::SecretTargetAttachment resource to add the database connection details that Secrets Manager needs in order to rotate the secret. Then use the AWS::SecretsManager::RotationSchedule resource to turn on automatic rotation; in this resource you specify both the Lambda rotation function and the rotation schedule. For a secret that contains Amazon RDS, Amazon Redshift, or Amazon DocumentDB credentials, use one of the provided Rotation function templates rather than writing your own function.

For other types of secrets, you create your own rotation function and then use the AWS::SecretsManager::RotationSchedule resource to turn on automatic rotation. Secrets Manager provides a Generic rotation function template that you can use as a starting point.
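The following template is an added example, not one of the examples from the AWS documentation page or AWS sample code. It puts the preceding paragraphs together in one stack: a secret whose password Secrets Manager generates, a database that reads the username and password through a dynamic reference, a resource policy scoped to a single role, a target attachment, and a rotation schedule that uses a provided rotation function template. The logical IDs, the MySQL engine choice, the `app-role` principal, and the VPC subnet and security group parameters are assumptions for illustration; the rotation Lambda must be able to reach the database over the network you supply.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Added example (not from the AWS documentation page). The Transform line is
# required whenever HostedRotationLambda is used in a RotationSchedule.
Transform: AWS::SecretsManager-2020-07-23

Parameters:
  # Assumed: subnets and security groups that give the rotation function
  # a path to the database.
  VpcSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VpcSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>

Resources:
  # 1. Secret: the username is fixed in the JSON template, the password is
  #    generated by Secrets Manager. Characters that commonly break database
  #    connection strings are excluded.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example MySQL instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  # 2. Database: the password never appears in the template, in parameters,
  #    or in stack outputs; CloudFormation resolves the dynamic reference at
  #    deployment time. !Ref on the secret returns its ARN.
  DbInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      VPCSecurityGroups: !Ref VpcSecurityGroupIds
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  # 3. Resource policy: only the assumed application role may read the secret
  #    value, and any policy that would grant public access is rejected.
  DbSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref DbSecret
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:role/app-role'  # assumed role name
            Action: secretsmanager:GetSecretValue
            Resource: '*'

  # 4. Attachment: writes engine, host, port and dbInstanceIdentifier into
  #    the secret so the rotation function knows which database to rotate.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref DbInstance
      TargetType: AWS::RDS::DBInstance

  # 5. Rotation: uses the provided single-user MySQL rotation function
  #    template and rotates every 30 days. It must be created after the
  #    attachment, otherwise the first rotation has no connection details.
  DbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DbSecretAttachment
    Properties:
      SecretId: !Ref DbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSubnetIds: !Join [',', !Ref VpcSubnetIds]
        VpcSecurityGroupIds: !Join [',', !Ref VpcSecurityGroupIds]
      RotationRules:
        AutomaticallyAfterDays: 30
```

Two points worth checking when adapting this: the dynamic reference has no version suffix, so each stack update resolves the secret's current value, which is the intended behavior once rotation is managing the password; and the resource policy only adds an Allow for the application role, so the rotation function's own IAM role, which Secrets Manager provisions with the hosted Lambda, is not blocked from reading and updating the secret.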

For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide. You can also use the AWS Cloud Development Kit (CDK). For more information, see AWS Secrets Manager Construct Library.