amazon web services - Dynamic References to Specify Secret Manager Values in AWS Cloudformation

Question

Welcome To Ask or Share your Answers For Others

amazon web services - Dynamic References to Specify Secret Manager Values in AWS Cloudformation

asked Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

amazon web services - Dynamic References to Specify Secret Manager Values in AWS Cloudformation

Is there anyway we can pass dynamic references to Secret Manager to AWS Launch Config User Data?

Here is the code snippet I tried:

"SampleLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
             "Properties": {
                "ImageId": {
                    "Fn::FindInMap": [
                        "AWSRegionArch2AMI",
                        {
                            "Ref": "AWS::Region"
                        },
                        "AMI"
                    ]
                },
                "UserData": {
                    "Fn::Base64": {
                        "Fn::Join": [
                            "",
                            [
                                "#!/bin/bash -xe
",
                                "yum update -y
",
                                "useradd -p <<pwd>>{{resolve:secretsmanager:Credentials:SecretString:userName}}
",
                                "
"
                            ]
                        ]
                    }
                }
        }
    }

Seems error in getting the useradd: invalid user name '{{resolve:secretsmanager:Credentials:SecretString:userName}}'

How can I pass Secret Manager secret value to cloudformation user data ?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-10-23T17:48:30+0000

It seems that {{resolve:...}} dynamic references are only expanded in certain contexts within a template.

There is no precise information in the AWS docs about exactly where in a template you can use these references. The current wording with regard to {{resolve:secretsmanager:...}} says:

"The secretsmanager dynamic reference can be used in all resource properties"

However this is contradicted by your example, and I've also observed dynamic references failing to resolve inside of CloudFormation::Init data.

I have an active Support case open with AWS about this, they have agreed that the behaviour of dynamic references is inadequately documented. I'll update this answer as I learn more.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

Categories

amazon web services - Dynamic References to Specify Secret Manager Values in AWS Cloudformation

amazon web services - Dynamic References to Specify Secret Manager Values in AWS Cloudformation

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags