Tags: amazon-web-services, aws-cloudformation, aws-secrets-manager

In CloudFormation how can I link RDS and Secrets Manager so I don't have to hardcode the password?


I'm doing a personal project and trying not to hard-code a database password into a CloudFormation template.

This is what I have so far:

  RDSPassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Password for RDS Database
      GenerateSecretString:
        PasswordLength: 10
      Name: RDSPassword
  
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnet group for RDS
      DBSubnetGroupName: RDSSubnetGroup
      SubnetIds:
        - !GetAtt PrivateSubnet1.SubnetId
        - !GetAtt PrivateSubnet2.SubnetId

  RDSDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: 5
      AvailabilityZone: eu-west-2a
      DBInstanceClass: db.t2.micro
      DBName: KenobiMySQLDB
      DBSubnetGroupName: !Ref DBSubnetGroup
      Engine: MySQL
      MasterUsername: admin
      MasterUserPassword: WHAT GOES HERE??
      VPCSecurityGroups:
        - !GetAtt RDSSecurityGroup.GroupId

In "WHAT GOES HERE" I've tried:

  • Fn::Sub: {{resolve:secretsmanager:${RDSPassword}::password}} (on a new line)
  • !Ref RDSPassword
  • !Ref RDSPassword.Id

Solution

  • You should use MasterUserSecret:

      RDSDatabase:
        Type: AWS::RDS::DBInstance
        Properties:
          AllocatedStorage: 5
          AvailabilityZone: eu-west-2a
          DBInstanceClass: db.t2.micro
          DBName: KenobiMySQLDB
          DBSubnetGroupName: !Ref DBSubnetGroup
          Engine: MySQL
          MasterUsername: admin
          # Required for MasterUserSecret: RDS generates the master password and
          # stores it in Secrets Manager; MasterUserPassword must then be omitted.
          ManageMasterUserPassword: true
          MasterUserSecret:
            KmsKeyId: ...   # optional; key used to encrypt the secret (defaults to aws/secretsmanager)
            # SecretArn is a return value, not an input: read it after creation with
            # !GetAtt RDSDatabase.MasterUserSecret.SecretArn
          VPCSecurityGroups:
            - !GetAtt RDSSecurityGroup.GroupId
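Both routes the question touches, as an added example that is not from the question or the answer: a Secrets Manager secret consumed through a dynamic reference (the approach the asker was trying) and the RDS-managed secret from the answer. It assumes the DBSubnetGroup and RDSSecurityGroup resources from the question exist in the same template; the KMS key ARN is a placeholder.

```yaml
Resources:
  # Option A: generate the secret yourself and consume it with a dynamic reference.
  # SecretStringTemplate + GenerateStringKey make the secret a JSON document with a
  # "password" key; the {{resolve:...}} references below select keys from that JSON.
  RDSPassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Password for RDS Database
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: '"@/\'   # characters RDS MySQL rejects in passwords

  RDSDatabaseA:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: MySQL
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 5
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups:
        - !GetAtt RDSSecurityGroup.GroupId
      # ${RDSPassword} expands to the secret ARN; the value is fetched at deploy
      # time, so neither the template nor the stack parameters hold the password.
      MasterUsername: !Sub '{{resolve:secretsmanager:${RDSPassword}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${RDSPassword}:SecretString:password}}'

  # Option B (the answer's approach): RDS generates, stores and owns the secret,
  # so no AWS::SecretsManager::Secret resource is declared at all.
  RDSDatabaseB:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: MySQL
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 5
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups:
        - !GetAtt RDSSecurityGroup.GroupId
      MasterUsername: admin
      ManageMasterUserPassword: true   # required for MasterUserSecret; omit MasterUserPassword
      MasterUserSecret:
        # Optional. Placeholder ARN: replace with your own key, or drop KmsKeyId to use aws/secretsmanager.
        KmsKeyId: arn:aws:kms:eu-west-2:111122223333:key/KEY-ID-PLACEHOLDER

Outputs:
  ManagedSecretArn:
    # SecretArn is a return value, not an input: read it with GetAtt.
    Value: !GetAtt RDSDatabaseB.MasterUserSecret.SecretArn
```

Deploy only one of the two DBInstance resources in practice; both are shown here so the two patterns can be compared side by side.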