CloudFormation: Dynamic reference to SecretManager value not working for Resource's Tag Property

Question

I want to store a secret in AWS secrets manager and retrieve it in a CloudFormation template. To test it I just put it in the value of a tag -

  MainRouteTable:
    Properties:
      Tags:
        - Key: Environment
          Value: LIVE
        - Key: Name
          Value: '{{resolve:secretsmanager:tvs:SecretString:testname}}'
      VpcId: !Ref 'VPC'
    Type: AWS::EC2::RouteTable

After I run the CloudFormation using the template and the environment is up, the value for the tag "Name" is "{{resolve:secretsmanager:tvs:SecretString:testname}}" and not the actual secret stored in testname.

I have looked all around and can not figure out what is wrong. According to the AWS docs I am doing it properly.

I can retrieve the secret fine from the CLI -

aws secretsmanager --region us-east-1 get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxxxxx:secret:tvs-ZVTiDO --query SecretString --output text | jq -r .testname

Any suggestions?

I followed the instructions here - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

Answer 1

SecretString can only be used in few resources and selected properties. Tags are not supported . The supported list is:

AWS::DirectoryService::MicrosoftAD Password

AWS::DirectoryService::SimpleAD Password

AWS::ElastiCache::ReplicationGroup AuthToken

AWS::IAM::User LoginProfile Password

AWS::KinesisFirehose::DeliveryStream 

RedshiftDestinationConfiguration Password

AWS::OpsWorks::App Source Password

AWS::OpsWorks::Stack CustomCookbooksSource Password

AWS::OpsWorks::Stack RdsDbInstances DbPassword

AWS::RDS::DBCluster MasterUserPassword 

AWS::RDS::DBInstance MasterUserPassword

AWS::Redshift::Cluster MasterUserPassword

Answer 2

as a general rule, secrets will never display in AWS console, eg you can't use the im CloudFormation export, tags ect.