
Deploying secrets with AWS CloudFormation

One of the biggest pains we encounter in creating immutable infrastructures with CloudFormation is dealing with secrets. Secrets
must be passed into the CloudFormation templates to make them different per environment. These secrets must be handed out to the development teams so that they can do something useful with them. Before you know it, your secrets are compromised.

With this Custom CloudFormation Resource we put an end to that. Secrets are generated as a CloudFormation Resource and stored in the EC2 Parameter Store. This means that we do not have to store the secrets anywhere unsafe, and applications can get access to the secrets in a controlled manner.

How does it work?

It is quite easy: you specify a CloudFormation resource of type Custom::Secret, as follows:

Resources:
  DBPassword:
    Type: Custom::Secret
    Properties:
      Name: /postgres/root/PGPASSWORD
      KeyAlias: alias/aws/ssm
      Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      Length: 30
      ReturnSecret: true
      Version: v1
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

After the deployment, a 30 character random string can be found in the EC2 Parameter Store under the name /postgres/root/PGPASSWORD. If you need to access the secret in your CloudFormation template, you need to set ReturnSecret to true and reference it as the attribute Secret:

     MasterUserPassword: !GetAtt 'DBPassword.Secret'
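As an added example (not the binxio provider's own code), the core of a create handler for the Custom::Secret resource described above: it draws the random string from the template's Alphabet and Length with a CSPRNG, stores it as an encrypted SecureString under Name with the KMS alias from KeyAlias, and only returns the value as the Secret attribute when ReturnSecret is true. The handler, the default alphabet and the in-memory FakeSSM client (a stand-in for boto3's SSM client so the example runs offline) are assumptions made here.

```python
import secrets

# Added example, not the binxio provider's own code. The property names
# (Name, KeyAlias, Alphabet, Length, ReturnSecret) come from the template
# above; the handler, defaults and FakeSSM client are constructed here.

DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_secret(alphabet: str, length: int) -> str:
    """Draw `length` characters from `alphabet` with a CSPRNG (never random.choice)."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeSSM:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self):
        self.params = {}

    def put_parameter(self, Name, Value, Type, KeyId, Overwrite=False):
        if Name in self.params and not Overwrite:
            raise RuntimeError(f"ParameterAlreadyExists: {Name}")
        self.params[Name] = {"Value": Value, "Type": Type, "KeyId": KeyId}
        return {"Version": 1}


def handle_create(properties: dict, ssm) -> dict:
    """Generate the secret, store it encrypted, and build the custom-resource response."""
    name = properties["Name"]
    length = int(properties.get("Length", 30))
    alphabet = properties.get("Alphabet", DEFAULT_ALPHABET)
    value = generate_secret(alphabet, length)
    # SecureString with a KMS key is what "stored encrypted in the parameter store" means.
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=properties.get("KeyAlias", "alias/aws/ssm"))
    response = {"Status": "SUCCESS", "PhysicalResourceId": name, "Data": {}}
    # Hand the value back to CloudFormation only when the template asks for it;
    # the string comparison copes with CloudFormation passing booleans as text.
    if str(properties.get("ReturnSecret", "false")).lower() == "true":
        response["Data"]["Secret"] = value
    return response


if __name__ == "__main__":
    print(handle_create({"Name": "/postgres/root/PGPASSWORD", "Length": 30,
                         "ReturnSecret": True}, FakeSSM()))
```

Keep in mind that a value returned through ReturnSecret travels through CloudFormation itself and is visible wherever the stack's resolved attributes are, so set it only where the template really needs the plaintext.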

Installation

To install this Custom Resource, type:

git clone https://github.com/binxio/cfn-secret-provider.git
cd cfn-secret-provider

aws cloudformation create-stack \
	--capabilities CAPABILITY_IAM \
	--stack-name cfn-secret-provider \
	--template-body \
	file://cloudformation/cfn-custom-resource-provider.yaml

aws cloudformation wait stack-create-complete \
	--stack-name cfn-secret-provider

This CloudFormation template will use our pre-packaged provider from

s3://binxio-public/lambdas/cfn-secret-provider-latest.zip

Demo

To install the simple sample of the Custom Resource, type:

aws cloudformation create-stack \
	--capabilities CAPABILITY_NAMED_IAM \
	--stack-name cfn-secret-provider-demo \
	--template-body file://cloudformation/demo-stack.yaml

aws cloudformation wait stack-create-complete  \
	--stack-name cfn-secret-provider-demo

To validate the result, type:

aws ssm get-parameter --name /postgres/root/PGPASSWORD  --with-decryption

Conclusion

By using the CloudFormation Secret provider:

  • secrets are generated per environment.
  • secrets can be updated.
  • secrets are always stored encrypted in the Parameter Store.
  • access to the secrets is audited and controlled!

If you have a 3rd party secret like an API key, check out deploying given secrets. If you want to deploy a private key pair, check out deploying private key pairs. In addition, we automated the deployment of ACM certificates with CloudFormation.

Mark van Holsteijn
CTO