I am using CloudFormation. In my YAML I define a resource of type AWS::ECS::TaskDefinition and its ContainerDefinition property. In the ContainerDefinition I have RepositoryCredentials. Its CredentialsParameter must be the ARN of a secret according to the docs.
We will have two secrets of the same symbolic name abc in the same region, one for test and one for production. These secrets are not defined in the same CloudFormation source as mine so it appears I cannot !Ref them. And because the final few characters are randomized, it is not enough to substitute the account id in the ARN string.
I could simply make the secret ARN, or the random suffix, a parameter required to create/update the CF stack, but is there some way to look up the ARN by symbolic name? Something like CredentialsParameter !ArnFor ['secret', 'abc'] perhaps?
Related
To easier follow the principal of least privilege, is there a way to generate the necessary IAM policy based on a CloudFormation template?
You can indeed use cloudformation to create policies via AWS::IAM::Policy resource.
Here is the documentation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
I am a newbie to AWS cloudformation, any help will appreciated.
I have a use case wherein I would like to write CFN to update already existing secret string. I was able to find a CFN to create a secret string but not to update.
I see the AWS CLI has aws secretsmanager update-secret --secret-id I was looking for similar option in Cloudformation.
Use cloud formation template for create secret but instead of creating stack, update the existing stack using change set.
but do it you must know the stack name which is created before to create secrets.
may be use the same template which used earlier just change the value and update stack
I'm using a Kubernetes operator that generate original secret data. I need to use this secret in the other secret that consumed by deployment with some value mapping. I can't/won't modify Deployment to use generated secret directly. How it can be implemented?
There is few good solutions to access cluster-external secrets. May be there is custom operator/controller etc. that cat generate secret by template and values from other secret?
Details: https://github.com/kubernetes/kubernetes/issues/97062
I have pods who deployed to Kubernetes cluster (hosted with Google Cloud Kubernetes). Those pods are using some secret, which are plain text files. I added the secret to the yaml file and deployed the deployment. The application is working fine.
Now, let say that someone compromised my code and somehow get access to all my files on the container. In that case, the attacker can find the secrets directory and print all the secrets written there. It's a plain text.
Question:
Why it more secure use kubernetes-secrets instead of just a plain-text?
There are different levels of security and as #Vishal Biyani says in the comments, it sounds like you're looking for a level of security you'd get from a project like Sealed Secrets.
As you say, out of the box secrets doesn't give you encryption at the container level. But it does give controls on access through kubectl and the kubernetes APIs. For example, you could use role-based access control so that specific users could see that a secret exists without seeing (through the k8s APIs) what its value is.
In case you can create the secrets using a command instead of having it on the yaml file:
example:
kubectl create secret generic cloudsql-user-credentials --from-literal=username=[your user]--from-literal=password=[your pass]
you can also read it as
kubectl get secret cloudsql-user-credentials -o yaml
i also use the secret with 2 levels, the one is the kubernetes :
env:
- name: SECRETS_USER
valueFrom:
secretKeyRef:
name: cloudsql-user-credentials
key: username
the SECRETS_USER is a env var, which i use this value on jasypt
spring:
datasource:
password: ENC(${SECRETS_USER})
on the app start up you use the param : -Djasypt.encryptor.password=encryptKeyCode
/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="encryptKeyCode" password=[pass user] algorithm=PBEWithMD5AndDES
I want to create a role with specified arn by cloudformation in aws. But I don't know how to do it. Because we can't specify a name for the role in the template file.
Assuming you are referring to an IAM role, this is not possible using CloudFormation. CloudFormation will automatically generate a name for your role based on the stack name and the logical resource ID. For example, arn:aws:iam::112233445566:role/myStackName-myRoleName-XXXXXXXXXXXXX.