I am trying to fetch pre existing secrets from the aws-secretsmanager module on CDK, and from the documentation here, the suggestion is
If you need to use a pre-existing secret, the recommended way is to
manually provision the secret in AWS SecretsManager and use the
Secret.fromSecretArn or Secret.fromSecretAttributes method to make it
available in your CDK Application
However, both the methods demand the use of the arn to fetch the secrets. I am not sure if it is a good idea to hardcode arns and check them into the git repo. Instead is there a way to just fetch the secrets by just using the name, since we already have the account details available in the profile for cdk.
At least until this current version (1.38.0), it’s not possible. An alternative is to save the secret arn in the SSM parameter store and use the ssm key in the code.
Putting full ARNs in CFN should not be a concern. Since you are creating these secrets ahead of time, their name, account, and region will be know. If you wish, however, you could still use the CFN psuedo parameters for partition, region, and account (AWS::Partition, AWS::Region, AWS::AccountId or the CDK equivelent).
Related
In Terraform can read the values from Vault (stored in AWS SSM as secure strings). However, with CDK we have to put it in SSM or secrets manager and read the value in CDK. Is there a way CDK can read from the Vault?
It should be possible using AWS Custom Resources. AWS CDK provides a way to create custom resources that respond to CloudFormation's CRUD events (https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html).
According to the AWS Custom Resource docs, "return values are defined by the custom resource provider, and are retrieved by calling Fn::GetAtt on the provider-defined attributes". So after creating a custom resource that returns your Hashicorp Vault key as an attribute, you can have another resource reference that value using Fn::GetAtt in CDK, and the value should not get publicly exposed in the CloudFormation template.
Another alternative could be to sync secret values between Hashicorp Vault and AWS SSM/SecretsManager.
I'm wondering if something is possible at all, or I'm trying to build something that is not possible from the start.
Let's say within Account A there is an RDS DB Password, (can be any AWS resource ID or value) that I have stored in Secrets Manager or Parameter Store.
Now I want to use that value in AWS CDK in Account B, is this possible?
It is possible to retrieve the value based on ARN, see: https://bobbyhadz.com/blog/get-secrets-manager-values-aws-cdk#get-secrets-manager-value-by-arn---alternative but would this work cross-account?
You can attach a policy to your secret granting access to other AWS account. Check https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/
is there a way , to get existing AWS certificate ARN , when i am in my serverless framework deployment file , i need a way to get the arn of the certificate when i know only the name of the certificate
You can usually infer the the entire structure of ARN's inside AWS. For example this is the ARN of a DynamoDB table in my AWS account (the X's are my account ID):
arn:aws:dynamodb:us-east-1:XXXXXXXXXXX:table/awesome-mytable-dev
These ARN's are the same structure every time:
arn:aws:[service name]:[region name or blank]:[accountID]:[entity
within the service]/[name of entity]
Try manually creating a certificate, then seeing how the ARN is structured, then just "build" the ARN you need to match the same structure. Recent versions of the Serverless Framework even allow you to add in your AWS information as variables using ${aws:region} or ${aws:accountId}.
I've got a question around using parameters in Cloudformation and more generally best practices around using secrets in Clouformation.
I have a template that defines our CI servers in an autoscaling group. We could in theory stand up many of these stacks. The templates are stored in source control along with parameters.json files use to specify the details of the stack (e.g. instance type, autoscaling conditions etc.). One of those parameters is a token that allows the CI server to interact with our CI provider, I don't want to store the token in source control. I want someone to be prompted for it or be forced to pass it when creating or updating the stack.
Ideally what I'm imagining is something like this, but obviously this is invalid
aws cloudformation create-stack --stack-name <name> --template-body file://<template> --parameters file://<parameters-file.json> TokenParameter=xxxyyyzzz
Does anyone have any suggestions?
Many Thanks
Hopefully this helps someone 2+ years later...
I solved this will a little help of jq. I'm on a mac, so that's a simple brew install jq
My goal was to use a default file of parameters, but wanted to pass my github oauth as a secret this one time. To the point above of storing secrets in other / better places, that's ideal, but I believe can be overkill for all situations. Mine for example was just lab based work.
aws cloudformation create-stack --stack-name "codepipeline-test"
--template-body file://codepipeline-test.yml
--parameters $(cat codepipeline-test-params.json | jq -r '.[]
| "ParameterKey=" + .ParameterKey + ",ParameterValue=" + .ParameterValue')
ParameterKey="GitHubOAuthToken",
ParameterValue="1234567890826xxxxxxxxxx753dde68858ac2169"
--tags '[{"Key": "Name","Value": "codedepipeline-test"},
{"Key": "Owner","Value": "username"}]' --capabilities CAPABILITY_NAMED_IAM
FYI in the CF Template I define the github oath param to be a secret (hide in GUI) as follows:
GitHubOAuthToken:
Description: A valid access token for GitHub that has admin access to the GitHub Repo you specify
Type: String
NoEcho: true
MinLength: 40
MaxLength: 40
AllowedPattern: '[a-z0-9]*'
For any sort of token/secret type interaction, I would actually go on the side of recommend using Systems Manager Parameter Store. The advantage is it centralizes your credential store so that if you need to rotate credentials for any reason it's just one place to change. You can also encrypt the creds for additional security.
As this is an AWS service you can use the SDK/CLI to pull the value. This could either be a user data script with an IAM role that allows systems manager access (as well as all other access) to pull the parameter and place it in the respective file. Another option is to utilize the SDK to pull down credential on demand, though that would require support in your CI code for pulling that off.
One caveat to this is that you would need the parameter setup ahead of time before launching the auto scaling group, which would make including the parameter as part of the CF template a bit difficult.
Is it possible to provide the credential in each request in a way like
aws sns create-topic my_topic --ACCESS-KEY XXXX --SECRET-KEY XXXX
Instead of doing aws configure before I make the call.
I know that credential management can be done by using --profile like Using multiple profiles but that requires me to save the credential, which I cannot do. I'm depending on the user to provide me the key as parameter input. Is it possible?
I believe the closest option to what you are looking for would be to set the credentials as environment variables before invoking the AWS CLI.
One option is to export the environment variables that control the credentials and then call the desired CLI. The following works for me in bash:
$ export AWS_ACCESS_KEY_ID=AKIXXXXXXXXXXXXXXXX AWS_SECRET_ACCESS_KEY=YhTYxxxxxxxxxxxxxxVCSi; aws sns create-topic my_topic
You may also want to take a look at: Configuration Settings and Precedence
There is another way. Instead of "export"ing, just run the command like:
AWS_ACCESS_KEY_ID=AAAA AWS_SECRET_ACCESS_KEY=BBB aws ec2 describe-regions
This will ensure that the credentials are set only for the command.
Your best bit would be to use IAM Role for Amazon ec2 instance. That way you don't need to worry about the credentials at all. Also they keys will be rotated periodically.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html