Create secrets in AWS CloudFormation
You can create secrets in a CloudFormation stack by using the AWS::SecretsManager::Secret resource in a CloudFormation template.
A common scenario is to first create a secret with a password generated by Secrets Manager, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. See the examples below.
To attach a resource policy to your secret, use the AWS::SecretsManager::ResourcePolicy resource.
To turn on automatic rotation for a secret that contains Amazon RDS, Amazon Redshift, or Amazon DocumentDB credentials, first use the AWS::SecretsManager::SecretTargetAttachment resource to add the database connection details that Secrets Manager needs in order to rotate the secret. Then use the AWS::SecretsManager::RotationSchedule resource to turn on automatic rotation. You specify both the Lambda rotation function and the rotation schedule in this resource. For a secret that contains Amazon RDS, Amazon Redshift, or Amazon DocumentDB credentials, use one of the provided rotation function templates.
For other types of secrets, you create your own rotation function and then use the AWS::SecretsManager::RotationSchedule resource to turn on automatic rotation. Secrets Manager provides a Generic rotation function template that you can use as a starting point.
For information about creating resources with AWS CloudFormation, see Learn template basics in the AWS CloudFormation User Guide. You can also use the AWS Cloud Development Kit (CDK). For more information, see AWS Secrets Manager Construct Library.
Examples
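The common scenario described above (a secret with a generated password, a database that reads the credentials through dynamic references, then target attachment and rotation), written out as an added example template that is not one of the page's own examples. The subnet and security group parameters, the `admin` username, the MySQL engine and the 30-day schedule are assumptions; the database is assumed to be reachable from the given subnets.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23   # required for HostedRotationLambda
Description: Added example - generated DB password, RDS instance, automatic rotation
Parameters:
  RotationSubnetIds:            # assumption: private subnets that can reach the DB
    Type: List<AWS::EC2::Subnet::Id>
  RotationSecurityGroupId:      # assumption: security group allowed on the DB port
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  # 1. Secret whose password is generated by Secrets Manager; only the username is in the template
  MyDbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for MyDbInstance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  # 2. Database that pulls username and password via dynamic references (no plaintext password in the template)
  MyDbInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyDbSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDbSecret}::password}}'
      VPCSecurityGroups: [!Ref RotationSecurityGroupId]
  # 3. Add host, port and engine details to the secret so the rotation function can connect
  SecretTargetAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref MyDbSecret
      TargetId: !Ref MyDbInstance
      TargetType: AWS::RDS::DBInstance
  # 4. Turn on rotation using the provided MySQL single-user rotation function template
  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretTargetAttachment   # connection details must exist before the first rotation
    Properties:
      SecretId: !Ref MyDbSecret
      HostedRotationLambda:
        RotationType: MySQLSingleUser
        VpcSecurityGroupIds: !Ref RotationSecurityGroupId
        VpcSubnetIds: !Join [',', !Ref RotationSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 30
```

The dynamic references are resolved at stack creation, so the generated password never appears in the template or in stack parameters, and the DependsOn ordering ensures the attachment has written the connection details before the rotation function first runs.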