binxio / cfn-secret-provider

A CloudFormation custom resource provider for deploying secrets and keys
Apache License 2.0

Store RSAKey in secret manager instead of parameter store #47

Closed diegosasw closed 3 years ago

diegosasw commented 3 years ago

Is it possible to modify some setting to store the RSA private key (key pair) in Secrets Manager instead of Parameter Store? I always use Secrets Manager for every other secret and it would be great if I could continue doing so for private keys. This is my sample:

Resources:
  privateKey:
    Type: Custom::RSAKey
    Properties:
      Name: !Ref rsaKeyName
      KeySize: 4096
      KeyFormat: PKCS8
      Description: SSH key for Bastion Host EC2 instances
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
      RefreshOnUpdate: false
  keyPair:
    Type: Custom::KeyPair
    DependsOn: privateKey
    Properties:
      Name: !Ref keyPairName
      PublicKeyMaterial: !GetAtt privateKey.PublicKey
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider

mvanholsteijn commented 3 years ago

Hi @diegosasw, changing the secret provider to store the secrets in the secret manager is quite a complicated change.

I could implement the ReturnSecret property, which could be combined with the native AWS::SecretsManager::Secret. Would that be OK for you? A bit like:

  privateKey:
    Type: Custom::RSAKey
    Properties:
      Name: !Ref rsaKeyName
      KeySize: 4096
      KeyFormat: PKCS8
      Description: SSH key for Bastion Host EC2 instances
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
      ReturnSecret: true
      RefreshOnUpdate: false

  SecretManagerPrivateKey:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Ref rsaKeyName
      SecretString: !GetAtt privateKey.PrivateKeyPEM

Note that without key rotation, the Secrets Manager secret is just a very expensive Parameter Store parameter :-p
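
A check worth running on the proposed template before deploying it: with ReturnSecret: true the private key PEM becomes a resource attribute, so it should flow only into the AWS::SecretsManager::Secret and never into stack Outputs, which anyone allowed to call cloudformation:DescribeStacks can read. This is an added example, not code from cfn-secret-provider; it assumes the template has already been loaded into a dict with intrinsic functions in long form ({"Fn::GetAtt": [...]}), and the embedded template is a constructed copy of the one above with an extra Outputs section added to show a finding.

```python
"""Lint a parsed CloudFormation template for secret attributes that leave
the AWS::SecretsManager::Secret resource (added example, not project code)."""

# Attributes that only exist because ReturnSecret: true was set.
SECRET_ATTRIBUTES = {"PrivateKeyPEM"}

def get_atts(node, path=()):
    """Yield (path, logical_id, attribute) for every Fn::GetAtt in the tree."""
    if isinstance(node, dict):
        if len(node) == 1 and "Fn::GetAtt" in node:
            ref = node["Fn::GetAtt"]
            if isinstance(ref, str):          # "Resource.Attribute" string form
                logical, attr = ref.split(".", 1)
            else:                             # ["Resource", "Attribute"] list form
                logical, attr = ref[0], ref[1]
            yield path, logical, attr
            return
        for key, value in node.items():
            yield from get_atts(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from get_atts(value, path + (index,))

def find_secret_leaks(template):
    """Return findings for secret attributes used outside a Secrets Manager secret."""
    resources = template.get("Resources", {})
    findings = []
    for path, logical, attr in get_atts(template):
        if attr not in SECRET_ATTRIBUTES or len(path) < 2:
            continue
        section, name = path[0], path[1]
        if section == "Outputs":
            findings.append(f"Outputs/{name} exposes {logical}.{attr} via DescribeStacks")
        elif section == "Resources":
            consumer = resources.get(name, {}).get("Type")
            if consumer != "AWS::SecretsManager::Secret":
                findings.append(f"Resources/{name} ({consumer}) consumes {logical}.{attr}")
    return findings

# Constructed template: the thread's proposal plus an Outputs entry that leaks the key.
TEMPLATE = {
    "Resources": {
        "privateKey": {"Type": "Custom::RSAKey", "Properties": {
            "Name": {"Ref": "rsaKeyName"}, "KeySize": 4096, "KeyFormat": "PKCS8",
            "ReturnSecret": True, "RefreshOnUpdate": False}},
        "SecretManagerPrivateKey": {"Type": "AWS::SecretsManager::Secret", "Properties": {
            "Name": {"Ref": "rsaKeyName"},
            "SecretString": {"Fn::GetAtt": ["privateKey", "PrivateKeyPEM"]}}},
        "keyPair": {"Type": "Custom::KeyPair", "Properties": {
            "PublicKeyMaterial": {"Fn::GetAtt": ["privateKey", "PublicKey"]}}},
    },
    "Outputs": {"LeakedKey": {"Value": {"Fn::GetAtt": "privateKey.PrivateKeyPEM"}}},
}

if __name__ == "__main__":
    for finding in find_secret_leaks(TEMPLATE):
        print(finding)
```

Dropping the Outputs section from the constructed template yields no findings, because the only remaining consumer of PrivateKeyPEM is the Secrets Manager secret.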

diegosasw commented 3 years ago

Thanks for the quick reply. You are right about Secrets Manager being pretty much a Parameter Store (which can also be encrypted), but more expensive :) No need to change that; it works fine for my needs. Thanks a lot for the great product!

mvanholsteijn commented 3 years ago

Good. Note that your RSA key created by the secret provider in Parameter Store is also encrypted!