
I'm trying to use a secret in the cfn-init of an EC2 instance in CloudFormation. Based on Secrets Manager Secrets it should not be difficult, but what I'm trying is to use it as part of the command, in my case:

    01_login_in_docker:
      command: !Join
        - ' '
        - - 'docker login -u '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} '
          - '-p '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} '
          - 'cloud.canister.io:5000'

docker-info is a secret stored in my account and therefore I supposedly only need the name to access the keys, not the ARN.

Reviewing cfn-init.log I see that CF is not resolving anything:

    [ERROR] Command 01_login_in_docker (docker login -u {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} -p {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} cloud.canister.io:5000) failed

Has anyone tried something similar or could spot where my problem is?

It looks like what I'm trying to do is not possible: https://stackoverflow.com/questions/53589880/dynamic-references-to-specify-secret-manager-values-in-aws-cloudformation However, I cannot comment on that question yet because of my bad reputation :( @direvus, if you read this, you are not alone – cyuste Apr 03 '19 at 07:47


It's not explicitly mentioned, but all the examples use dynamic references as a whole value and not as part of another string. So maybe try passing those as environment variables. It should be a bit more secure too as the logs won't contain the password in the command.

    01_login_in_docker:
      command: |
        docker login -u "$DOCKER_ACCOUNT_USERNAME" -p "$DOCKER_ACCOUNT_PASSWORD" cloud.canister.io:5000
      env:
        DOCKER_ACCOUNT_USERNAME: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}}'
        DOCKER_ACCOUNT_PASSWORD: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}}'
Thanks, and indeed your approach is better than mine, but it still does not resolve the key. I have modified the command to dump it in a file instead of logging in, to get the actual value of the env vars, and I see them as {{resolve:secretmananager... – cyuste Apr 03 '19 at 07:38
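An added alternative that is not from the question or the answer above: since neither form of the dynamic reference is resolved inside cfn-init metadata, fetch the secret on the instance at boot with the AWS CLI and feed the password through --password-stdin, so it never appears in the command string, the process list or cfn-init.log. It assumes the instance profile grants secretsmanager:GetSecretValue on docker-info, that jq and the AWS CLI are installed, and that the secret's SecretString is JSON with the two keys used in the question.

```yaml
Metadata:
  AWS::CloudFormation::Init:
    config:
      commands:
        01_login_in_docker:
          command: |
            set -eu
            # Resolve the secret at runtime via the instance role instead of a
            # {{resolve:secretsmanager:...}} reference, which cfn-init does not expand.
            secret="$(aws secretsmanager get-secret-value \
              --secret-id docker-info \
              --region "${AWS_REGION}" \
              --query SecretString --output text)"
            user="$(printf '%s' "$secret" | jq -r .DOCKER_ACCOUNT_USERNAME)"
            # --password-stdin keeps the password out of argv and cfn-init.log.
            printf '%s' "$secret" | jq -r .DOCKER_ACCOUNT_PASSWORD \
              | docker login -u "$user" --password-stdin cloud.canister.io:5000
          env:
            # Pseudo parameters do resolve in Init metadata, unlike dynamic references.
            AWS_REGION: !Ref AWS::Region
```

The instance role still needs only GetSecretValue on that one secret; keep the policy scoped to the docker-info ARN rather than `*`.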