Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Get an Amazon Secrets Manager secret in an Amazon CloudFormation resource

With Amazon CloudFormation, you can retrieve a secret to use in another Amazon CloudFormation resource. A common scenario is to first create a secret with a password generated by Secrets Manager, and then retrieve the username and password from the secret to use as credentials for a new database. For information about creating secrets with Amazon CloudFormation, see Create Amazon Secrets Manager secrets in Amazon CloudFormation.

To retrieve a secret in an Amazon CloudFormation template, you use a dynamic reference. When you create the stack, the dynamic reference pulls the secret value into the Amazon CloudFormation resource, so you don't have to hardcode the secret information. Instead, you refer to the secret by name or ARN. You can use a dynamic reference for a secret in any resource property. You can't use a dynamic reference for a secret in resource metadata such as AWS::CloudFormation::Init because that would make the secret value visible in the console.

A dynamic reference for a secret has the following pattern:

{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}

secret-id

The name or ARN of the secret. To access a secret in your Amazon account, you can use the secret name. To access a secret in a different Amazon account, use the ARN of the secret.

json-key (Optional)

The key name of the key-value pair whose value you want to retrieve. If you don't specify a json-key, Amazon CloudFormation retrieves the entire secret text. This segment may not include the colon character (:).

version-stage (Optional)

The version of the secret to use. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you use version-stage, then don't specify version-id. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).

version-id (Optional)

The unique identifier of the version of the secret to use. If you specify version-id, then don't specify version-stage. If you don't specify either version-stage or version-id, then the default is the AWSCURRENT version. This segment may not include the colon character (:).

For more information, see Using dynamic references to specify Secrets Manager secrets.

Note

Do not create a dynamic reference using a backslash (\) as the final value. Amazon CloudFormation can't resolve those references, which causes a resource failure.
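As an added example that is not part of the Amazon documentation, the pattern and restrictions above (no colons in the trailing segments, version-stage and version-id mutually exclusive, AWSCURRENT by default, no trailing backslash) written as Python that builds, validates and parses dynamic references. The db_credential_properties helper assumes the new database is an AWS::RDS::DBInstance, whose MasterUsername and MasterUserPassword properties are not mentioned on this page.

```python
"""Build, validate and parse Secrets Manager dynamic references for CloudFormation."""

_PREFIX = "{{resolve:secretsmanager:"
_SUFFIX = "}}"


def build_secret_reference(secret_id, json_key=None, version_stage=None, version_id=None):
    """Return a {{resolve:secretsmanager:...}} string, enforcing the rules above."""
    if not secret_id:
        raise ValueError("secret-id (name or ARN) is required")
    if version_stage and version_id:
        raise ValueError("use either version-stage or version-id, not both")
    for label, value in (("json-key", json_key), ("version-stage", version_stage),
                         ("version-id", version_id)):
        if value and ":" in value:
            raise ValueError(f"{label} may not include the colon character")
    segments = [secret_id, "SecretString", json_key or "", version_stage or "", version_id or ""]
    while len(segments) > 2 and segments[-1] == "":  # drop unused trailing segments
        segments.pop()
    if segments[-1].endswith("\\"):  # CloudFormation cannot resolve these
        raise ValueError("a dynamic reference must not end with a backslash")
    return _PREFIX + ":".join(segments) + _SUFFIX


def parse_secret_reference(reference):
    """Split a dynamic reference into its parts; unset parts are returned as None."""
    if not (reference.startswith(_PREFIX) and reference.endswith(_SUFFIX)):
        raise ValueError("not a secretsmanager dynamic reference")
    parts = reference[len(_PREFIX):-len(_SUFFIX)].split(":")
    # secret-id may be an ARN, which itself contains colons, so find the SecretString
    # marker as the first segment after which at most three segments remain.
    marker = next((i for i in range(1, len(parts))
                   if parts[i] == "SecretString" and len(parts) - i - 1 <= 3), None)
    if marker is None:
        raise ValueError("expected secret-id:SecretString[:json-key[:version-stage[:version-id]]]")
    json_key, version_stage, version_id = (s or None for s in (parts[marker + 1:] + [""] * 3)[:3])
    if version_stage and version_id:
        raise ValueError("version-stage and version-id are mutually exclusive")
    return {"secret_id": ":".join(parts[:marker]), "json_key": json_key,
            "version_stage": version_stage, "version_id": version_id,
            # with neither selector set, Secrets Manager resolves AWSCURRENT
            "effective_version": version_stage or version_id or "AWSCURRENT"}


def db_credential_properties(secret_id):
    """Resource properties for the scenario above: a database (assumed here to be an
    AWS::RDS::DBInstance) that reads username and password from a secret."""
    return {"MasterUsername": build_secret_reference(secret_id, "username"),
            "MasterUserPassword": build_secret_reference(secret_id, "password")}
```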