AWS Lambda and Secrets Manager to bootstrap RDS Instances

Yet another post about Secrets, Lambda and CloudFormation, but AWS keeps coming out with services that we previously had to build ourselves. Unlike the previous posts on this subject, which were mostly about using SSM Parameter Store SecureStrings, here we are going to use Secrets Manager, which saves us a lot of the work.

You can find all the source code and templates for the following work here: GithubRepo

Workflow

Secrets Manager Secret

The new Secrets Manager and its CFN object completely replace the need for a Lambda Function that generates the user/password and stores them in an SSM SecureString. In addition, they come with a very handy resource policy, which in our example template we use to give the Lambda Function access to the secret instead of adding that permission to the IAM Role used by the Lambda Function (that way we can create as many secrets as we want without having to feed each new secret ARN back into the role).

Extract from example_template.yml:

```yaml
Resources:
  MasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString:
        # Characters never to use in the generated password; quoted so YAML
        # does not misread the punctuation
        ExcludeCharacters: '<>%`|;,.'
        ExcludePunctuation: true
        ExcludeLowercase: false
        ExcludeUppercase: false
        IncludeSpace: false
        RequireEachIncludedType: true
        PasswordLength: 32
        # Template the generated value is merged into, under GenerateStringKey
        SecretStringTemplate: '{"username": "toor"}'
        GenerateStringKey: password
      Name: !Sub '${AWS::StackName}/MasterSecret'
  MasterSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId:
        Ref: MasterSecret
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          # Grant read access to the Lambda Function's role on the secret
          # itself rather than on the role
          - Effect: Allow
            Action: secretsmanager:GetSecret*
            Resource:
              - !Ref MasterSecret
            Principal:
              AWS:
                - !GetAtt LambdaFunctionRole.RoleId
```
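How the Lambda Function consumes the secret this template produces, as an added example that is not the repository's code: it reads the secret through the access the resource policy grants and validates the SecretString against the GenerateSecretString constraints before handing credentials on to the RDS bootstrap. The `client` argument is injectable and `FakeSecretsClient` is a constructed stand-in for the boto3 client, so the logic runs without AWS.

```python
import json
import string

# Constraints mirrored from the template's GenerateSecretString block:
# PasswordLength, ExcludePunctuation/IncludeSpace, RequireEachIncludedType,
# SecretStringTemplate ("username") and GenerateStringKey ("password").
PASSWORD_LENGTH = 32
GENERATE_STRING_KEY = "password"
TEMPLATE_KEYS = {"username"}

def parse_master_secret(secret_string):
    """Parse the SecretString Secrets Manager generated and check it against the
    template's constraints, so a hand-edited or half-rotated secret fails here
    rather than as a login error against RDS. Raises ValueError on mismatch."""
    secret = json.loads(secret_string)
    missing = (TEMPLATE_KEYS | {GENERATE_STRING_KEY}) - set(secret)
    if missing:
        raise ValueError(f"secret is missing keys: {sorted(missing)}")
    pw = secret[GENERATE_STRING_KEY]
    if len(pw) != PASSWORD_LENGTH:
        raise ValueError(f"password length {len(pw)}, expected {PASSWORD_LENGTH}")
    # ExcludePunctuation: true and IncludeSpace: false (the ExcludeCharacters
    # list <>%`|;,. is a subset of string.punctuation, so it is covered too).
    if any(c in string.punctuation or c.isspace() for c in pw):
        raise ValueError("password contains punctuation or whitespace")
    # RequireEachIncludedType: true with lowercase, uppercase and digits enabled.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        raise ValueError("password lacks a lowercase, uppercase or digit character")
    return {"username": secret["username"], "password": pw}

def load_db_credentials(secret_id, client=None):
    """Fetch the secret the resource policy grants secretsmanager:GetSecret* on.
    `client` is injectable so this runs offline; in Lambda boto3 uses the role."""
    if client is None:
        import boto3  # deferred import: the Lambda runtime ships boto3
        client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_id)
    return parse_master_secret(response["SecretString"])

class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client (offline demo only)."""
    def __init__(self, secret_string):
        self.secret_string = secret_string

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self.secret_string}
```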