Declaring an IAM Access Key Resource by CloudFormation
I created a user in my template with an access key:

"MyAccessKey" : {
   "Type" : "AWS::IAM::AccessKey",
   "Properties" : {
      "UserName" : { "Ref" : "User12" }
   }
}

I need to get the access key ID and the secret key in the output of the template. How do I do that? Thank you.

Zeidman answered 29/11, 2016 at 12:16 Comment(0)
The access key ID and the secret key are available as return values for the AWS::IAM::AccessKey resource (each entry in Outputs needs a Value key; Ref on the resource returns the key ID and Fn::GetAtt SecretAccessKey returns the secret):

"Outputs" : {
  "MyAccessKeyId": {
    "Value" : { "Ref" : "MyAccessKey" }
  },
  "MySecretKey": {
    "Value" : { "Fn::GetAtt": [ "MyAccessKey", "SecretAccessKey" ] }
  }
}
Manaker answered 29/11, 2016 at 13:12 Comment(6)
Unfortunately it seems that there's no way to hide this from the logs once you have got the key. It would be nice if they had an output flag that said that it was just a temporary output that you wanted to disappear afterwards. – Parra
If you want to hide this from logs you can create a custom resource and encrypt the key using KMS: docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/… – Sherysherye
Or, instead of exposing the values via Outputs, you could put the values into an AWS::SecretsManager::Secret. – Washerman
How do you do that @RHBecker, is there any good example or doc on doing so? Ta. PS: found this binx.io/blog/2017/09/22/… – Alopecia
@Alopecia I posted a new answer to exhibit how I've used the AWS::SecretsManager::Secret to this end. – Washerman
It's really annoying that they seem to force you into using their Secrets managing service. I just need one-time access to this information, plug it into the secret manager of my CI/CD tool and that's it. – Subreption
CloudFormation's Outputs documentation states ...

CloudFormation doesn't redact or obfuscate any information you include in the Outputs section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.

A safer option is to create an AWS::SecretsManager::Secret resource that contains the user's access and secret keys.

Here's an example of a template for creating "bot" users that leverages this approach ...

---
AWSTemplateFormatVersion: 2010-09-09
Description: example bot user

Resources:

  Bot:
    Type: AWS::IAM::User
    Properties:
      Path: /bot/
      UserName: !Ref AWS::StackName

  BotCredentials:
    Type: AWS::IAM::AccessKey
    Properties:
      Status: Active
      UserName: !Ref Bot

  BotCredentialsStored:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /bot/credentials/${Bot}
      SecretString: !Sub '{"ACCESS_KEY":"${BotCredentials}","SECRET_KEY":"${BotCredentials.SecretAccessKey}"}'
Washerman answered 23/4, 2021 at 18:7 Comment(2)
How is a user supposed to then get the secret key from the Secrets Manager? – Burgener
@MrPablo If the user has sufficient IAM privileges, the value can be retrieved via the Secrets service console, or via CLI, using the get-secret-value command. – Washerman
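Since CloudFormation does not redact Outputs, a practical defence is to lint templates before deployment and fail the build when an Output exposes access-key material. The following checker is an added example, not code from either answer or from AWS; it walks a parsed JSON template and flags Outputs that Ref an AWS::IAM::AccessKey resource, Fn::GetAtt its SecretAccessKey, or Fn::Sub-interpolate such a resource, so the Outputs pattern from the first answer is caught while the Secrets Manager pattern from this answer passes. The sample template embedded below is constructed for the demonstration.

```python
SECRET_ATTRS = {"SecretAccessKey"}               # attributes that must never reach Outputs
SECRET_RESOURCE_TYPES = {"AWS::IAM::AccessKey"}  # Ref on these resources returns the key ID


def _walk(node):
    """Yield every dict nested anywhere inside a parsed template fragment."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from _walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from _walk(child)


def find_sensitive_outputs(template):
    """Return (output name, reason) pairs for Outputs that expose key material."""
    resources = template.get("Resources", {})
    key_resources = {name for name, res in resources.items()
                     if res.get("Type") in SECRET_RESOURCE_TYPES}
    findings = []
    for name, output in template.get("Outputs", {}).items():
        value = output.get("Value", output)  # tolerate the Value-less shorthand
        for node in _walk(value):
            ref, getatt, sub = node.get("Ref"), node.get("Fn::GetAtt"), node.get("Fn::Sub")
            if isinstance(getatt, str):      # YAML short form: Logical.Attribute
                getatt = getatt.split(".", 1)
            if ref in key_resources:
                findings.append((name, f"Ref to AWS::IAM::AccessKey {ref}"))
            elif isinstance(getatt, list) and len(getatt) == 2 and getatt[1] in SECRET_ATTRS:
                findings.append((name, f"Fn::GetAtt {getatt[0]}.{getatt[1]}"))
            elif isinstance(sub, str) and any(f"${{{r}" in sub for r in key_resources):
                findings.append((name, "Fn::Sub interpolates an access-key resource"))
    return findings


# Constructed sample: the question's AccessKey plus the first answer's Outputs.
SAMPLE_TEMPLATE = {
    "Resources": {
        "User12": {"Type": "AWS::IAM::User"},
        "MyAccessKey": {"Type": "AWS::IAM::AccessKey",
                        "Properties": {"UserName": {"Ref": "User12"}}},
    },
    "Outputs": {
        "MyAccessKeyId": {"Value": {"Ref": "MyAccessKey"}},
        "MySecretKey": {"Value": {"Fn::GetAtt": ["MyAccessKey", "SecretAccessKey"]}},
        "UserName": {"Value": {"Ref": "User12"}},   # not key material; should pass
    },
}

if __name__ == "__main__":
    for output_name, reason in find_sensitive_outputs(SAMPLE_TEMPLATE):
        print(f"{output_name}: {reason}")
```

Run it in CI against the JSON form of each template (convert YAML with your usual tooling first) and treat any finding as a failed check.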