While AWS CloudFormation templates support the native dynamic references construct {{resolve:service-name:reference-key}}, it is only supported for a small list of resources, notably excluding ones such as CloudFormation::Init and UserData. This resolver bridges that gap by fetching the secret at deploy time and passing it in as an ordinary parameter or sceptre_user_data value.
Please be sure to implement the best practice of adding NoEcho: true on any template parameter containing secrets if you are not already. This prevents the value from being exposed in the console, CLI, etc. Note that NoEcho only masks the parameter in CloudFormation's own output; a secret that ends up in UserData is still readable wherever the instance user data can be read, so protect access to that as well.
pip install --user https://github.com/iAnomaly/sceptre-resolver-aws-secrets-manager/archive/v1.0.0.tar.gz
parameters/sceptre_user_data:
<name>: !aws_secrets_manager <secret_arn|secret_id>::<SecretBinary|SecretString>::<json_key>
parameters:
MasterUserPassword: !aws_secrets_manager mysql::SecretString::password
MasterUsername: !aws_secrets_manager mysql::SecretString::username
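The lookup behind the <secret_arn|secret_id>::<SecretBinary|SecretString>::<json_key> syntax, written as an added example rather than the resolver's own code. It assumes the client passed in behaves like boto3's secretsmanager client (get_secret_value(SecretId=...), with SecretBinary already base64-decoded to bytes); a constructed stub stands in so it runs offline.

```python
import json
from typing import Any, Dict, Tuple

# Added example, not the resolver's source. Mirrors the argument format
#   <secret_arn|secret_id>::<SecretBinary|SecretString>::<json_key>
# and resolves it against a Secrets Manager-style client.

def parse_argument(argument: str) -> Tuple[str, str, str]:
    """Split 'secret::field::key' from the right so the secret id/ARN may contain ':'."""
    parts = argument.rsplit("::", 2)
    if len(parts) != 3:
        raise ValueError(
            f"expected <secret>::<SecretBinary|SecretString>::<json_key>, got {argument!r}")
    secret_id, field, json_key = parts
    if field not in ("SecretString", "SecretBinary"):
        raise ValueError(f"field must be SecretString or SecretBinary, got {field!r}")
    return secret_id, field, json_key

def resolve_secret(argument: str, client: Any) -> str:
    """Fetch the secret, pick the requested field, and return one JSON key as a string."""
    secret_id, field, json_key = parse_argument(argument)
    response = client.get_secret_value(SecretId=secret_id)
    if field not in response:
        raise KeyError(f"secret {secret_id!r} has no {field}")
    payload = response[field]
    if isinstance(payload, bytes):          # SecretBinary arrives as bytes from boto3
        payload = payload.decode("utf-8")
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{field} of {secret_id!r} is not a JSON object") from exc
    if not isinstance(data, dict) or json_key not in data:
        raise KeyError(f"key {json_key!r} not found in {field} of {secret_id!r}")
    return str(data[json_key])

class _StubSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') with canned secrets."""
    _SECRETS: Dict[str, Dict[str, Any]] = {
        "mysql": {"SecretString": json.dumps({"username": "admin", "password": "s3cr3t"})},
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:api-AbCdEf": {
            "SecretBinary": json.dumps({"token": "tok-123"}).encode("utf-8")},
    }
    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if SecretId not in self._SECRETS:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, **self._SECRETS[SecretId]}

if __name__ == "__main__":
    client = _StubSecretsManager()
    print(resolve_secret("mysql::SecretString::username", client))
```

In a real Sceptre resolver the same function would be called from Resolver.resolve() with self.argument and a boto3 client obtained through the stack's connection manager.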