The AWS::SecretsManager::SecretTargetAttachment resource completes the final link between a Secrets Manager secret and the associated database. This is required because each has a dependency on the other: the database is created with the credentials held in the secret, and the secret in turn needs the connection details of the database. No matter which one you create first, the other doesn't exist yet. To resolve this, create the resources in the following order:

1. Create the secret without any reference to the database, letting Secrets Manager generate the password so that it never appears in the template.
2. Create the database, supplying its master user name and password through {{resolve:secretsmanager:...}} dynamic references to the secret.
3. Create the AWS::SecretsManager::SecretTargetAttachment, which updates the secret with the connection details of the database.
## Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

```json
{
  "Type" : "AWS::SecretsManager::SecretTargetAttachment",
  "Properties" : {
    "SecretId" : String,
    "TargetId" : String,
    "TargetType" : String
  }
}
```

YAML

```yaml
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
  SecretId: String
  TargetId: String
  TargetType: String
```
## Properties

### SecretId

The Amazon Resource Name (ARN) or the friendly name of the secret that contains the credentials that you want to use with the specified service or database. To reference a secret also created in this template, use the Ref function with the secret's logical ID.

*Required*: Yes *Type*: String *Update requires*: No interruption
=> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html Ref
=> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt No interruption
### TargetId

The ARN of the service or database whose credentials are stored in the specified secret. To reference a resource also created in this template, use the Ref function with its logical ID.

*Required*: Yes *Type*: String *Minimum*: 20 *Maximum*: 2048 *Update requires*: No interruption
### TargetType

A string that defines the type of service or database associated with the secret. This value instructs AWS Secrets Manager how to update the secret with the details of the service or database, so it must match the type of the resource that TargetId identifies. This value must be one of the following:

* AWS::RDS::DBInstance
* AWS::RDS::DBCluster
* AWS::Redshift::Cluster
* AWS::DocDB::DBInstance
* AWS::DocDB::DBCluster

*Required*: Yes *Type*: String *Update requires*: No interruption
=> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt No interruption

## Return values

### Ref

When you pass the logical ID of an `AWS::SecretsManager::SecretTargetAttachment` resource to the intrinsic `Ref` function, the function returns the ARN of the secret.
This enables you to reference a secret you created in one part of the stack template from within the definition of another resource from a different part of the same template.
For more information about using the Ref function, see Ref.
=> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html Ref
## Examples

The following examples create a secret, then create the AWS resource named by TargetType, using the credentials in the secret as that resource's master user name and password. Finally, they update the secret with the connection details of the new resource by defining a SecretTargetAttachment object.
The JSON specification doesn't allow any kind of comments. See the YAML examples for comments.
This example template creates an RDS DB instance and a secret.
JSON
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRDSSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is a Secrets Manager secret for an RDS DB instance",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    },
    "MyRDSInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "AllocatedStorage": "20",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "mysql",
        "MasterUsername": {
          "Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:username}}"]]
        },
        "MasterUserPassword": {
          "Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:password}}"]]
        },
        "BackupRetentionPeriod": 0,
        "DBInstanceIdentifier": "rotation-instance"
      }
    },
    "SecretRDSInstanceAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRDSSecret"},
        "TargetId": {"Ref": "MyRDSInstance"},
        "TargetType": "AWS::RDS::DBInstance"
      }
    }
  }
}
```
YAML
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRDSSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "This is a Secrets Manager secret for an RDS DB instance"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: '"@/\'

  # This is an RDS instance resource. The master username and password use dynamic references
  # to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
  # will not log or persist the resolved value. We use a Ref to the secret resource's logical id
  # to construct the dynamic reference, since the secret name is generated by CloudFormation.
  MyRDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      Engine: mysql
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:username}}']]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:password}}']]
      BackupRetentionPeriod: 0
      DBInstanceIdentifier: 'rotation-instance'

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with
  # properties about the referenced RDS instance.
  SecretRDSInstanceAttachment:
    Type: "AWS::SecretsManager::SecretTargetAttachment"
    Properties:
      SecretId: !Ref MyRDSSecret
      TargetId: !Ref MyRDSInstance
      TargetType: AWS::RDS::DBInstance
```
This example template creates a Redshift cluster and a secret.
JSON
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRedshiftSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is a Secrets Manager secret for a Redshift cluster",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"'@/\\"
        }
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "myjsondb",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"},
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node"
      }
    },
    "SecretRedshiftAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRedshiftSecret"},
        "TargetId": {"Ref": "MyRedshiftCluster"},
        "TargetType": "AWS::Redshift::Cluster"
      }
    }
  }
}
```
YAML
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager."
Resources:
  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRedshiftSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "This is a Secrets Manager secret for a Redshift cluster"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: "\"@'/\\"

  # This is a Redshift cluster resource. The master username and password use dynamic references
  # to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
  # will not log or persist the resolved value. We use a Ref to the secret resource's logical id
  # to construct the dynamic reference, since the secret name is generated by CloudFormation.
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: "myyamldb"
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::password}}'
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with
  # properties about the referenced Redshift cluster.
  SecretRedshiftAttachment:
    Type: "AWS::SecretsManager::SecretTargetAttachment"
    Properties:
      SecretId: !Ref MyRedshiftSecret
      TargetId: !Ref MyRedshiftCluster
      TargetType: AWS::Redshift::Cluster
```
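The ordering rule at the top of this page and the SecretId/TargetId/TargetType constraints in the property reference are easy to get wrong in a large template, and some mistakes (a master password pasted in as a literal, a secret that a database consumes but that no attachment ever updates) deploy without error and only surface later. The following Python script is an added example, not part of the AWS documentation and not an AWS tool. It statically checks a template that has already been loaded as a dict: every SecretTargetAttachment must use an allowed TargetType that matches the type of the TargetId resource, that resource's MasterUserPassword must be a {{resolve:secretsmanager:...}} dynamic reference to the same secret named in SecretId, and every secret a database reads must have an attachment. The resource names and the sample template are constructed for the demonstration.

```python
"""Offline check of the secret -> database -> SecretTargetAttachment wiring in a template.
Added example, not AWS documentation code; every resource name below is constructed."""
import re

ALLOWED_TARGET_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::Redshift::Cluster",
                        "AWS::DocDB::DBInstance", "AWS::DocDB::DBCluster"}
SECRET_TYPE = "AWS::SecretsManager::Secret"
ATTACHMENT_TYPE = "AWS::SecretsManager::SecretTargetAttachment"
DYNREF = re.compile(r"\{\{resolve:secretsmanager:")


def logical_refs(value):
    """Logical IDs referenced anywhere in value via {"Ref": ...} or ${...} inside Fn::Sub."""
    found = set()
    if isinstance(value, dict):
        if isinstance(value.get("Ref"), str):
            found.add(value["Ref"])
        if isinstance(value.get("Fn::Sub"), str):
            found.update(re.findall(r"\$\{([A-Za-z0-9]+)\}", value["Fn::Sub"]))
        for v in value.values():
            found |= logical_refs(v)
    elif isinstance(value, list):
        for v in value:
            found |= logical_refs(v)
    return found


def has_dynamic_secret_ref(value):
    """True if some string inside value is, or assembles, a {{resolve:secretsmanager:...}} reference."""
    if isinstance(value, str):
        return bool(DYNREF.search(value))
    if isinstance(value, (dict, list)):
        return any(has_dynamic_secret_ref(v) for v in (value.values() if isinstance(value, dict) else value))
    return False


def check_template(template):
    """Return a list of findings; an empty list means the wiring is consistent."""
    resources = template.get("Resources", {})
    findings, attached = [], set()
    for name, res in resources.items():
        if res.get("Type") != ATTACHMENT_TYPE:
            continue
        props = res.get("Properties", {})
        target_type = props.get("TargetType")
        if target_type not in ALLOWED_TARGET_TYPES:
            findings.append(f"{name}: TargetType {target_type!r} is not an allowed value")
        secret_ids = logical_refs(props.get("SecretId"))
        for sid in secret_ids:
            if resources.get(sid, {}).get("Type") == SECRET_TYPE:
                attached.add(sid)
            else:
                findings.append(f"{name}: SecretId refers to {sid}, which is not a {SECRET_TYPE}")
        for tid in logical_refs(props.get("TargetId")):
            target = resources.get(tid, {})
            if target.get("Type") != target_type:
                findings.append(f"{name}: TargetId {tid} is {target.get('Type')} but TargetType says {target_type}")
            pw = target.get("Properties", {}).get("MasterUserPassword")
            if isinstance(pw, str) and not DYNREF.search(pw):
                findings.append(f"{tid}: MasterUserPassword is a literal string (plaintext in the template)")
            elif not has_dynamic_secret_ref(pw):
                findings.append(f"{tid}: MasterUserPassword does not use a Secrets Manager dynamic reference")
            elif secret_ids and not (logical_refs(pw) & secret_ids):
                findings.append(f"{tid}: MasterUserPassword resolves a different secret than {name}.SecretId")
    # A secret a database consumes but no attachment updates never receives the connection
    # details, so a rotation function attached later would have nothing to connect to.
    for name, res in resources.items():
        if res.get("Type") in ALLOWED_TARGET_TYPES:
            for sid in logical_refs(res.get("Properties", {}).get("MasterUserPassword")):
                if resources.get(sid, {}).get("Type") == SECRET_TYPE and sid not in attached:
                    findings.append(f"{name}: MasterUserPassword resolves {sid}, but no "
                                    f"{ATTACHMENT_TYPE} updates that secret with connection details")
    return findings


def dynref(secret_logical_id, key):
    """The Fn::Join form of {{resolve:secretsmanager:<ARN>:SecretString:<key>}} used on this page."""
    return {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": secret_logical_id},
                              f":SecretString:{key}}}}}"]]}


SAMPLE_TEMPLATE = {"Resources": {  # constructed: one correct wiring, two broken ones
    "MyRDSSecret": {"Type": SECRET_TYPE, "Properties": {"GenerateSecretString": {"GenerateStringKey": "password"}}},
    "MyRDSInstance": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "MasterUserPassword": dynref("MyRDSSecret", "password")}},
    "SecretRDSInstanceAttachment": {"Type": ATTACHMENT_TYPE, "Properties": {
        "SecretId": {"Ref": "MyRDSSecret"}, "TargetId": {"Ref": "MyRDSInstance"},
        "TargetType": "AWS::RDS::DBInstance"}},
    "LegacyDB": {"Type": "AWS::RDS::DBInstance", "Properties": {  # password pasted into the template
        "Engine": "postgres", "MasterUserPassword": "Winter2024!"}},
    "LegacyAttachment": {"Type": ATTACHMENT_TYPE, "Properties": {  # TargetType contradicts the target
        "SecretId": {"Ref": "MyRDSSecret"}, "TargetId": {"Ref": "LegacyDB"}, "TargetType": "AWS::RDS::DBCluster"}},
    "OrphanSecret": {"Type": SECRET_TYPE, "Properties": {}},
    "OrphanCluster": {"Type": "AWS::Redshift::Cluster", "Properties": {  # consumes a secret nobody attaches
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${OrphanSecret}::password}}"}}},
}}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run it against a real JSON template with `check_template(json.load(open(path)))`; a YAML template that uses the `!Ref`/`!Sub` short forms needs a CloudFormation-aware loader first, since a plain YAML parser rejects those tags. The check is static: it proves the Refs line up and that no password is written into the template, but not that the attachment actually populated the deployed secret. For that, read the secret with GetSecretValue after the stack reaches CREATE_COMPLETE and confirm it now carries the database connection details alongside the original username and password.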
## See also

* AWS::SecretsManager::Secret
* AWS::SecretsManager::RotationSchedule
* AWS::SecretsManager::ResourcePolicy