
Create Amazon Secrets Manager secrets in Amazon CloudFormation

You can create secrets in a CloudFormation stack by using the AWS::SecretsManager::Secret resource in a CloudFormation template, as shown in Create a secret.

To create an admin secret for Amazon RDS or Aurora, we recommend you use ManageMasterUserPassword in AWS::RDS::DBCluster. Then Amazon RDS creates the secret and manages rotation for you. For more information, see Managed rotation.
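The following template is an added example, not a template from the Secrets Manager documentation, showing the ManageMasterUserPassword pattern described above: no password appears anywhere in the template, Amazon RDS generates it, stores it in Secrets Manager and owns rotation. The engine, instance class, master user name and the `AdminSecretArn` output name are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Aurora cluster whose admin password is created and rotated by Amazon RDS (added example)

Resources:
  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-mysql            # assumed engine for the example
      MasterUsername: admin           # assumed master user name
      # RDS generates the password, stores it in Secrets Manager and manages rotation.
      # There is deliberately no MasterUserPassword property in this template.
      ManageMasterUserPassword: true
      StorageEncrypted: true

  AuroraInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-mysql
      DBClusterIdentifier: !Ref AuroraCluster
      DBInstanceClass: db.t3.medium   # assumed instance class

Outputs:
  AdminSecretArn:
    Description: ARN of the RDS-managed admin secret; grant GetSecretValue on this ARN to the application role
    Value: !GetAtt AuroraCluster.MasterUserSecret.SecretArn
```

Because the secret ARN is the only thing the stack exposes, downstream templates and IAM policies reference the ARN rather than a credential value, and the cluster password never passes through parameters, outputs or stack events.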

For Amazon Redshift and Amazon DocumentDB credentials, first create a secret with a password generated by Secrets Manager, and then use a dynamic reference to retrieve the username and password from the secret to use as credentials for a new database. Next, use the AWS::SecretsManager::SecretTargetAttachment resource to add details about the database to the secret that Secrets Manager needs to rotate the secret. Finally, to turn on automatic rotation, use the AWS::SecretsManager::RotationSchedule resource and provide a rotation function and a schedule. See the following examples:

To attach a resource policy to your secret, use the AWS::SecretsManager::ResourcePolicy resource.
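The template below is an added example (not one of the documentation's own examples) that carries the Amazon Redshift procedure above through end to end and also shows the resource policy from the previous paragraph: a secret with a Secrets Manager generated password, dynamic references that feed the username and password into the cluster, the SecretTargetAttachment that records the connection details, the RotationSchedule using a hosted Redshift rotation function, and a ResourcePolicy that limits reads to one role. The parameter names, resource names, node type, database name and rotation interval are assumptions; the subnets, security group and consumer role are assumed to exist outside the stack.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# This transform is required when RotationSchedule uses HostedRotationLambda.
Transform: AWS::SecretsManager-2020-07-23
Description: Redshift credentials generated, attached, rotated and access-scoped by Secrets Manager (added example)

Parameters:
  RotationSubnetIds:            # assumed: subnets from which the rotation function can reach the cluster
    Type: List<AWS::EC2::Subnet::Id>
  RotationSecurityGroupId:      # assumed: security group permitting Redshift traffic (port 5439)
    Type: AWS::EC2::SecurityGroup::Id
  ConsumerRoleName:             # assumed: the only IAM role allowed to read the secret value
    Type: String

Resources:
  # 1. Secret whose password Secrets Manager generates; the template never contains it.
  RedshiftSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Redshift admin credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'   # characters Redshift does not allow in passwords

  # 2. Dynamic references resolve username and password at deploy time, so neither value
  #    appears in parameters, outputs or stack events.
  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: single-node
      NodeType: dc2.large                 # assumed node type
      DBName: analytics                   # assumed database name
      MasterUsername: !Sub '{{resolve:secretsmanager:${RedshiftSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${RedshiftSecret}::password}}'
      PubliclyAccessible: false
      Encrypted: true
      VpcSecurityGroupIds:
        - !Ref RotationSecurityGroupId

  # 3. The attachment writes host, port, dbname and engine into the secret so that the
  #    rotation function knows where to connect.
  SecretRedshiftAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref RedshiftSecret
      TargetId: !Ref RedshiftCluster
      TargetType: AWS::Redshift::Cluster

  # 4. Rotation with the hosted single-user Redshift rotation function on a 30-day schedule.
  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRedshiftAttachment   # connection details must be in the secret before the first rotation
    Properties:
      SecretId: !Ref RedshiftSecret
      HostedRotationLambda:
        RotationType: RedshiftSingleUser
        RotationLambdaName: RedshiftSecretRotation   # assumed function name
        VpcSecurityGroupIds: !Ref RotationSecurityGroupId
        VpcSubnetIds: !Join [',', !Ref RotationSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 30
        Duration: 2h

  # 5. Resource policy: only the named role may read the value, and public policies are rejected.
  SecretAccessPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref RedshiftSecret
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${ConsumerRoleName}
            Action: secretsmanager:GetSecretValue
            Resource: '*'
```

The `DependsOn` on the RotationSchedule matters: without it CloudFormation may create the schedule before the attachment has populated the secret, and the first rotation then fails for lack of connection details. For Amazon DocumentDB the same structure applies with `TargetType: AWS::DocDB::DBCluster` and a MongoDB rotation type in place of the Redshift ones.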

For information about creating resources with Amazon CloudFormation, see Learn template basics in the Amazon CloudFormation User Guide. You can also use the Amazon Cloud Development Kit (Amazon CDK). For more information, see Amazon Secrets Manager Construct Library.

How Secrets Manager uses Amazon CloudFormation

When you use the console to turn on rotation, Secrets Manager uses Amazon CloudFormation to create resources for rotation. If you create a new rotation function during that process, Amazon CloudFormation creates an AWS::Serverless::Function based on the appropriate Rotation function templates. Then Amazon CloudFormation sets the RotationSchedule, which sets the rotation function and rotation rules for the secret. You can view the Amazon CloudFormation stack by choosing View stack in the banner after you turn on automatic rotation.

For information about turning on automatic rotation, see Rotate Amazon Secrets Manager secrets.