How to assign precreated AWS secret to RDS cluster

Question

Hi, I found I cannot assign a pre created AWS secret to DBCluster with CFN.
say I have a secret created:

```
DbSecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    ...
```
And in my DBcluster defination:

```
DbCluster:
  Type: AWS::RDS::DBCluster
  Properties:
    ...
    ManageMasterUserPassword: true
    MasterUserSecret:
      SecretArn: !Ref DbSecret
    ...
```
this will not work.
And as I tested:
having `ManageMasterUserPassword: true` , CFN will create a secret and assign it to DBCluster.
having `ManageMasterUserPassword: false`, I got error: `UPDATE_FAILED Resource handler returned message: "MasterUserPassword must be provided when ManageMasterUserPassword is set to false.`
I can achieve something similiar with:
```
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'
```
but this results a hardcoded username and password, which will break when the rotation happens.

So my question is, can I assign `DbSecret` to my cluster at CFN level? And what is point of having `MasterUserSecret`? It seems useless or broken.

re:Post Agent · Answer

You're correct that assigning a pre-created AWS Secrets Manager secret to an RDS DB cluster using CloudFormation (CFN) is not straightforward, and there are some limitations to consider.

The `MasterUserSecret` property in the `AWS::RDS::DBCluster` resource is primarily designed as a return value, not an input. When you set `ManageMasterUserPassword` to true, RDS automatically creates and manages a secret for the master user password. This secret is then returned in the `MasterUserSecret` property, which you can reference in other parts of your stack if needed.

You cannot directly assign a pre-created secret to the `MasterUserSecret` property. This is why your attempt to set the `SecretArn` didn't work as expected.

The approach you mentioned using the `resolve` function with Secrets Manager is a valid workaround:

```yaml
MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'
```

However, you're right to be concerned about rotation. When the secret is rotated, these values won't automatically update in your RDS cluster.

To address this, you have a few options:

1. Use the RDS-managed secret by setting `ManageMasterUserPassword: true` and let RDS handle the creation and rotation of the secret.

2. If you need to use a pre-created secret, you can use the `resolve` function as shown above, but you'll need to implement a custom solution to update the RDS cluster when the secret rotates. This could involve using a Lambda function triggered by secret rotation events.

3. Consider using IAM database authentication instead of password authentication if your use case allows it. This can be more secure and easier to manage.

The `MasterUserSecret` property, while it may seem limited, serves the purpose of returning the ARN and other details of the RDS-managed secret when you use `ManageMasterUserPassword: true`. This can be useful for retrieving the secret details in other parts of your infrastructure or application.

In summary, while you can't directly assign a pre-created secret to an RDS cluster at the CFN level, you can use the `resolve` function as a workaround. However, for simplicity and automatic rotation, using the RDS-managed secret (`ManageMasterUserPassword: true`) is often the recommended approach.  
**Sources**  
[Password management with Amazon RDS and AWS Secrets Manager - Amazon Relational Database Service](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)  
[Amazon Relational Database Service (Amazon RDS) controls - AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/rds-rules.html)  
[Get a secret or secret value from Secrets Manager - AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references-secretsmanager.html)  
[AWS::RDS::DBCluster MasterUserSecret - AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-masterusersecret.html)

How to assign precreated AWS secret to RDS cluster

Add your answer

Relevant content