Managing Secure String Parameters in CloudFormation
This was a nifty little trick I just learnt from my colleague James the other day that is definitely worth sharing more widely. While CloudFormation does not support SecureStrings for AWS::SSM::Parameter resources, you can fudge it with this one weird trick; but first the "why"!
12 Factor
I'm a big fan of The Twelve-Factor App, and in particular I think the approach it outlines for configuration management is especially important in the cloud, regardless of the type of application (e.g. server, container, or serverless) you're working with:
III. Config
Store config in the environment
Parameter Store
In AWS, one way to store your config so that it's easy for your application to retrieve is Systems Manager Parameter Store. Parameter Store stores data in a hierarchical format and supports three parameter types: String, String List, and Secure String.
Unfortunately, the support for Secure Strings is not great: you can't use one as a CloudFormation input parameter type the way you can with Strings and String Lists, and you can't create Secure String resources via CloudFormation.
One Weird Trick
What you can do, however, is create a String parameter, override it with a SecureString, and have CloudFormation manage the lifecycle of the resource (i.e. delete it when the stack is deleted, etc).
Here's an example for those following along at home...
Template
The following template creates a String parameter that will be managed by CloudFormation:
---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation managed SecureString Parameters
Parameters:
  ParameterValue:
    Type: String
Resources:
  Parameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /my/secure/string
      Type: String
      Value: !Ref ParameterValue
Update the Parameter
Once you've created the CloudFormation stack with your usual preferred method, update the parameter, overriding it, with your SecureString value:
aws ssm put-parameter \
--overwrite \
--name /my/secure/string \
--type SecureString \
--value 'SuperSecret'
Now you have a SecureString parameter that is managed by CloudFormation!
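The override step above, scripted as an added example that is not part of the original post: a hypothetical helper that refuses to run unless the stack has already created the parameter (so its lifecycle stays with the stack), performs the same put-parameter call with Overwrite and Type SecureString, then reads the parameter back to confirm the type changed. The `FakeSSM` client is a constructed in-memory stand-in so the example runs offline; in practice you would pass `boto3.client("ssm")`, which exposes the same `get_parameter`/`put_parameter` calls.

```python
class ParameterNotFound(Exception):
    """The target parameter does not exist yet (deploy the stack first)."""


def override_with_secure_string(ssm, name, secret):
    """Promote an existing String parameter to SecureString; return the new version.

    `ssm` is any object with boto3's get_parameter/put_parameter call shapes
    (hypothetical helper; in production pass boto3.client("ssm")).
    """
    # Never create the parameter here: one not created by the stack would
    # outlive the stack, which defeats the point of the trick.
    try:
        ssm.get_parameter(Name=name, WithDecryption=False)
    except Exception as exc:
        raise ParameterNotFound(name) from exc
    # Caveat: the value given to the stack's ParameterValue, and the earlier
    # String versions kept in parameter history, are plaintext; pass a
    # placeholder through the template and supply the real secret only here.
    resp = ssm.put_parameter(Name=name, Value=secret, Type="SecureString", Overwrite=True)
    after = ssm.get_parameter(Name=name, WithDecryption=False)["Parameter"]
    if after["Type"] != "SecureString":
        raise RuntimeError(f"{name} is still {after['Type']} after override")
    return resp["Version"]


class FakeSSM:
    """In-memory stand-in for the SSM client, constructed for offline use."""

    def __init__(self, params):
        self._params = dict(params)  # name -> (type, value, version)

    def get_parameter(self, Name, WithDecryption=False):
        if Name not in self._params:
            raise KeyError(Name)
        ptype, value, version = self._params[Name]
        if ptype == "SecureString" and not WithDecryption:
            value = "<ciphertext>"  # real SSM returns the encrypted blob here
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value, "Version": version}}

    def put_parameter(self, Name, Value, Type, Overwrite=False):
        if Name in self._params and not Overwrite:
            raise ValueError("ParameterAlreadyExists")
        version = self._params.get(Name, (None, None, 0))[2] + 1
        self._params[Name] = (Type, Value, version)
        return {"Version": version}
```

Calling `override_with_secure_string(FakeSSM({"/my/secure/string": ("String", "placeholder", 1)}), "/my/secure/string", "SuperSecret")` returns version 2 and leaves the parameter typed SecureString.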
The only property on an AWS::SSM::Parameter resource that requires replacement is Name, which means that stack updates won't reset or change the parameter; only changing Name creates a new parameter. Deleting the stack deletes the parameter resource as normal.