A simple example using AWS CloudFormation that creates an IAM User and then stores the user’s AccessKey and SecretKey within AWS Secrets Manager to get a hold of the value (which otherwise only exists once at creation).

AWSTemplateFormatVersion: "2010-09-09"
Description: A simple secrets example

Parameters:
  # None

Resources:
  BudgetReadOnlyUser:
    Type: AWS::IAM::User
    Properties:
      UserName: "BudgetReader"
      Path: /budget/
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSBudgetsReadOnlyAccess
      Tags:
        - Key: environment
          Value: !Ref Environment
        - Key: wsi_owner
          Value: !Ref WSIOwner
        - Key: project_code
          Value: !Ref ProjectCode
        - Key: budget_code
          Value: !Ref BudgetCode
        - Key: function
          Value: "Budgets"
  
  AccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref BudgetReadOnlyUser

  AccessKeyStored:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /budget/credentials/${BudgetReadOnlyUser}
      SecretString: !Sub '{"ACCESS_KEY":"${AccessKey}","SECRET_KEY":"${AccessKey.SecretAccessKey}"}'

Outputs:
   # None

Assuming your user account has access to AWS Secrets Manager, you’ll then find it available here:

Click “Retrieve Secret Value” to show the hidden stored secret values.

Bear in mind that each secret carries a $0.40 per month cost.

Additional Information

https://stackoverflow.com/questions/40865710/declaring-an-iam-access-key-resource-by-cloudformation

Simple AWS Secrets Manager Example

Additional Information

Leave a comment Cancel reply