Deploying AWS SES access key and SMTP password to the parameter store using AWS CloudFormation

Cloud Migration Scenarios

Four scenarios to migrate to AWS – from infrastructure to ML

In AWS CloudFormation there is no way to generate the SMTP password of an AWS access key. As a result, the application always
has to do the calculation and transform the secret key into an SMTP password.

With This custom CloudFormation provider, we put an end to that. You can create an access key and SMTP password and automatically
store the credentials in the AWS Parameter Store. This means that you can create the email infrastructure and provision
SMTP credentials to applications that need to send email through Amazon Simple Email Service in a safe and controlled manner.

How does it work?

It is quite easy: you add the CloudFormation resource Custom::AccessKey, as follows:

Resources:
  AccessKey:
    Type: Custom::AccessKey
    Properties:
      content: sample user credential
      UserName: ''
      ParameterPath: ''
      ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider'

The access key id, access secret and the SMTP password are stored in the parameter store under the paths /aws_access_key_id, /aws_access_secret_key and /smtp_password respectively.

Properties

You can specify the following properties:

  • UserName – to create an access key for.
  • ParameterPath – into the parameter store to store the credentials
  • Serial – to force the access key to be recycled
  • Status – Active or Inactive
  • ReturnSecret – returns access id and access secret as attribute
  • ReturnPassword – returns access id and SMTP password as attribute
  • NoEcho – indicate whether output of the return values is replaced by *****, default True.

Return values

With ‘Fn::GetAtt’ the following values are available:

  • SMTPPassword – the SMTP password based for the access key (if ReturnPassword is true).
  • AccessSecretKey – the secret part of the access key (if ReturnSecret is true).

For more information about using Fn::GetAtt, see Fn::GetAtt.

Installation

To install this Custom Resource, type:

git checkout https://github.com/binxio/cfn-secret-provider
cd cfn-secret-provider

aws cloudformation create-stack \
 --capabilities CAPABILITY_IAM \
 --stack-name cfn-secret-provider \
 --template-body \
 file://cloudformation/cfn-custom-resource-provider.json 

aws cloudformation wait stack-create-complete  \
 --stack-name cfn-secret-provider 

This CloudFormation template will use our pre-packaged provider from:

s3://binxio-public-{{AWS::Region}}/lambdas/cfn-secret-provider-latest.zip

Demo

To install the simple sample from this blog post, type:

aws cloudformation create-stack \
 --stack-name cfn-secret-provider-demo \
 --template-body file://cloudformation/demo-stack.json

aws cloudformation wait stack-create-complete  \
 --stack-name cfn-secret-provider-demo

to validate the result, type:

aws ssm get-parameters-by-path --path /iam-users --recursive --with-decryption

Conclusion

By using the Custom CloudFormation Secret provider you can create an IAM Access Key and the derived SMTP password and stored in the parameter store where it is encrypted and access can be audited and controlled.

If you got this far, you may also want to deploy your SES domain identities and DKIM records using CloudFormation.

If you have any questions, do not hesitate to contact me.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
Share this article: Tweet this post / Post on LinkedIn