So I'm trying to retrieve a secret to use as a global variable, but so far I have had no success...
```yaml
Globals:
  Function:
    Tracing: Active
    Timeout: 60
    Environment:
      Variables:
        AES_KEY: !Ref AesKey
Parameters:   # section header assumed; the Type/Default keys identify AesKey as a parameter
  AesKey:
    Type: String
    Default: !Ref 'mysecretarn'
```
I don't know what I'm doing wrong. I guess it's about the reference and the string type, but it gives me an error: `Every default member must be a string`.
The secret is stored in Secrets Manager as plain text, if that helps.
I tried different approaches, building with `!Sub` and `${}` within quotes ("") and so on, but so far I have not found a solution for this.
I feel the example you provided is a little confusing... But to retrieve secrets from AWS Secrets Manager in the CloudFormation template, you can do it like this.
Explanation: `MasterUsername` and `MasterUserPassword` under `Resources: PostgresRDS` get the value stored in Secrets Manager. `${EnvType}` gets the value from the `Parameters` section; here the value will be `staging` as the Default. `${AWS::StackName}` is an AWS pseudo parameter. Reference link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html

```yaml
Parameters:
  EnvType:
    Description: Environment type.
    Default: staging
    Type: String
Resources:
  # RDSDBSubnetGroup, Postgres13ParameterGroup and RdsSecurityGroup are defined
  # elsewhere in the same template (not shown here).
  PostgresRDS:
    Type: AWS::RDS::DBInstance
    DependsOn: RDSDBSubnetGroup
    DeletionPolicy: Delete
    Properties:
      DBInstanceIdentifier: !Join ['-', [!Ref EnvType, 'rds']]
      DBName: !Join ['', [!Ref EnvType, 'Rds']]
      Engine: 'postgres'
      EngineVersion: 13.4
      # Dynamic references: resolved by CloudFormation at deploy time from the
      # secret named <StackName>-<EnvType>-rs-rds, JSON keys username / password
      MasterUsername: !Sub '{{resolve:secretsmanager:${AWS::StackName}-${EnvType}-rs-rds:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${AWS::StackName}-${EnvType}-rs-rds:SecretString:password}}'
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageType: gp2
      StorageEncrypted: true
      BackupRetentionPeriod: 7
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      MultiAZ: false # true
      Port: 5432
      # DeletionProtection: true
      PubliclyAccessible: true
      DBParameterGroupName: !Ref Postgres13ParameterGroup
      VPCSecurityGroups:
        - !GetAtt RdsSecurityGroup.GroupId
      DBSubnetGroupName: !Ref RDSDBSubnetGroup
      Tags:
        - Key: environment
          Value: !Ref EnvType
```
Just in case you want to use the AWS CLI to create the AWS secret:

```sh
StackName=111
EnvType=staging
DB_username=admin
DB_password=xxx   # placeholder
# Secret name must match what the template resolves: <StackName>-<EnvType>-rs-rds
aws secretsmanager create-secret --name "$StackName-$EnvType-rs-rds" --description "Example for retrieval secret to CFN" --secret-string "{\"username\":\"$DB_username\",\"password\":\"$DB_password\"}"
```
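As an added example (not code from the question or the answer), a small stdlib-only Python linter for the two things this thread turns on: an intrinsic function placed in a Parameter `Default`, which CloudFormation rejects with the error the question quotes, and where each `{{resolve:secretsmanager:...}}` reference lands. The `SAMPLE` template and the function names are constructed here; a reference resolved into a Lambda environment variable (the question's `Globals` approach) is stored as plaintext in the function configuration, unlike the write-only RDS master password in the answer, so those are reported separately.

```python
import re
_DYNREF = re.compile(r"\{\{resolve:secretsmanager:(.+?)\}\}")
_KEY_LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_:]+):(?:\s+(.*))?$")

def parse_secretsmanager_ref(value):
    """Split a {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}} reference."""
    m = _DYNREF.search(value)
    if not m:
        return None
    # Mask colons inside ${...} so a pseudo parameter like ${AWS::StackName} keeps the token count.
    body = re.sub(r"\$\{[^}]*\}", lambda p: p.group(0).replace(":", "\0"), m.group(1))
    tokens = [t.replace("\0", ":") for t in body.split(":")]
    n = 7 if tokens[0] == "arn" else 1      # a full secret ARN spans seven colon-separated tokens
    secret_id, rest = ":".join(tokens[:n]), tokens[n:] + [""] * 4
    return {"secret_id": secret_id, "json_key": rest[1], "version_stage": rest[2], "version_id": rest[3]}

def lint_template(text):
    """Line-based scan of a CloudFormation/SAM template (no YAML library needed)."""
    findings, path = [], []     # path: [(indent, key), ...] of the enclosing mappings
    for no, line in enumerate(text.splitlines(), 1):
        m = _KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(line) - len(line.lstrip(" -")), m.group(1), (m.group(2) or "").strip()
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        keys = "/".join(k for _, k in path)
        if keys.startswith("Parameters/") and key == "Default" and value.startswith("!"):
            findings.append((no, "param-default-intrinsic", keys))   # the question's error
        ref = parse_secretsmanager_ref(value)
        if ref:
            # Resolved plaintext in a Lambda variable is stored in the function configuration.
            kind = "secret-in-env-var" if "/Variables/" in keys else "secret-ref"
            findings.append((no, kind, f"{keys} -> {ref['secret_id']}:{ref['json_key']}"))
    return findings
SAMPLE = """\
Parameters:
  AesKey:
    Default: !Ref 'mysecretarn'
Globals:
  Function:
    Environment:
      Variables:
        AES_KEY: '{{resolve:secretsmanager:app/aes:SecretString:key}}'
Resources:
  PostgresRDS:
    Properties:
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${AWS::StackName}-${EnvType}-rs-rds:SecretString:password}}'
"""  # constructed sample: the question's failing Default plus the answer's RDS pattern
```

Run it on a real file with `lint_template(open("template.yaml").read())`; it is a line scanner, so flow-style mappings (`{a: b}`) are not walked.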