Why doesn't updating a secret in Secrets Manager automatically update the secret in AWS CloudFormation?


I updated my secret in AWS Secrets Manager, but the dynamic reference didn't get updated during my AWS CloudFormation stack update.

Short description

When you update a secret in Secrets Manager, CloudFormation doesn't automatically detect that the value of the secret changed. During stack updates, CloudFormation doesn't retrieve the value of the dynamic reference unless a change is made to the dynamic reference itself.

After you update the secret in Secrets Manager, you must update the CloudFormation stack and also specify the VersionId in the dynamic reference string. Specifying the VersionId is a best practice: it changes the dynamic reference itself, which is what makes CloudFormation retrieve the updated version of the secret.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

The following example scenario demonstrates how to update your Secrets Manager dynamic reference in CloudFormation.

1.    Dynamically reference the Secrets Manager secret in your CloudFormation template.

For example, the following CloudFormation template dynamically references a Secrets Manager secret with the secret-id mysecret and secret-string {"MyKey":"MyValue"}:

Resources:
    SG:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: '{{resolve:secretsmanager:mysecret:SecretString:MyKey}}'
            SecurityGroupIngress:
                  - IpProtocol: tcp
                    FromPort: 8080
                    ToPort: 8080
                    CidrIp: 0.0.0.0/0

Note: The preceding dynamic reference resolves to MyValue for the GroupDescription property.

2.    Update the secret in Secrets Manager by running the update-secret command through the AWS Command Line Interface (AWS CLI), and specify the secret-string. For the example scenario, the secret-string is {"MyKey":"NewValue"}.

Note: The VersionId doesn't appear on the AWS Management Console. If you updated the secret through the AWS Management Console, then run the get-secret-value command through the AWS CLI to retrieve the VersionId.

3.    Note the VersionId from the output.

Example output:

$ aws secretsmanager update-secret --secret-id mysecret --secret-string {\"MyKey\":\"NewValue\"}
{
    "ARN": "arn:aws:secretsmanager:us-east-1:xxxxxxxxxxxx:secret:mysecret-ABCDeF",
    "Name": "mysecret",
    "VersionId": "ab01234c-5d67-89ef-01gh-2ijk345l6m78"
}

Note: The VersionId "ab01234c-5d67-89ef-01gh-2ijk345l6m78" from the preceding output isn't automatically applied to the dynamic reference in the CloudFormation stack.

4.    Update the stack and specify the VersionId in the dynamic reference string. For example:

Resources:
    SG:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: '{{resolve:secretsmanager:mysecret:SecretString:MyKey::ab01234c-5d67-89ef-01gh-2ijk345l6m78}}'
            SecurityGroupIngress:
                  - IpProtocol: tcp
                    FromPort: 8080
                    ToPort: 8080
                    CidrIp: 0.0.0.0/0

Note: In the preceding example template, the :: before the VersionId "ab01234c-5d67-89ef-01gh-2ijk345l6m78" is the correct syntax. The field between the two colons is the version-stage, which is left blank because the version-stage doesn't need to be specified when the VersionId is given.
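The rewrite in step 4 can be scripted. The following Python helper is an added example, not code from the original article or from AWS: it parses the Secrets Manager dynamic-reference string (secret-id:secret-string:json-key:version-stage:version-id), pins a VersionId into every reference to a given secret, and lists the secrets a template references without a VersionId. It assumes that an ARN used as secret-id always has the standard seven colon-separated segments.

```python
import re

# Every Secrets Manager dynamic reference in a template body.
DYNREF = re.compile(r"\{\{resolve:secretsmanager:([^{}]+)\}\}")
FIELDS = ("secret_id", "secret_string", "json_key", "version_stage", "version_id")


def parse_reference(ref: str) -> dict:
    """Split one reference into secret-id:secret-string:json-key:version-stage:version-id.

    Trailing fields may be omitted; an empty middle field shows up as '::'.
    An ARN secret-id contains colons itself, so its seven segments are
    re-joined first (assumption: the ARN always has exactly seven segments).
    """
    m = DYNREF.fullmatch(ref)
    if not m:
        raise ValueError(f"not a secretsmanager dynamic reference: {ref}")
    parts = m.group(1).split(":")
    if parts[0] == "arn":
        parts = [":".join(parts[:7])] + parts[7:]
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts[: len(FIELDS)]))


def build_reference(fields: dict) -> str:
    """Inverse of parse_reference; trailing empty fields are dropped."""
    values = [fields.get(f, "") for f in FIELDS]
    while values and values[-1] == "":
        values.pop()
    return "{{resolve:secretsmanager:" + ":".join(values) + "}}"


def pin_version(template: str, secret_id: str, version_id: str) -> str:
    """Set version-id on every reference to secret_id (step 4 of the article)."""
    def repl(m):
        fields = parse_reference(m.group(0))
        if fields["secret_id"] != secret_id:
            return m.group(0)
        fields["version_id"] = version_id
        return build_reference(fields)
    return DYNREF.sub(repl, template)


def unpinned_secrets(template: str) -> list:
    """Secret ids referenced without a version-id: a stack update keeps the
    value CloudFormation already resolved until the reference string changes."""
    refs = (parse_reference(m.group(0)) for m in DYNREF.finditer(template))
    return sorted({r["secret_id"] for r in refs if not r["version_id"]})
```

Running unpinned_secrets over a template before deployment shows which secrets a later rotation will not reach until the reference string is edited.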

AWS OFFICIAL
Updated 2 years ago

2 Comments

I'm sorry, this isn't a resolution that works with CloudFormation. You want us to update the secret and then change the VersionId in EVERY template using the password EVERY TIME we update a password manually?

Templates should work dynamically with your services, give us an option to simply use the latest version of a secret stored in secret manager and make redeploying that same template grab the latest secret.

Edit: This is a better solution https://stackoverflow.com/a/60067235/357291

replied a month ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a month ago