A CloudFormation template is being used to deploy an RDS instance.
AWS Secrets Manager is being used for the management of database credentials.
How can the CloudFormation template reference the database credentials?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A.
Option A is CORRECT because the CloudFormation Dynamic References pattern needs to be used.The dynamic reference pattern is '{{resolve:service-name:reference-key}}'.“secretsmanager” dynamic reference pattern is used for accessing specific secret values stored in Secrets Manager.
Option B is incorrect because the ssm-secure dynamic reference pattern is used for accessing secure strings stored in Systems Manager Parameter Store (not Secrets Manager).
Option C is incorrect because Ref is a CloudFormation intrinsic function used to reference a parameter.
Option D is incorrect because this is not the correct use case for mappings.
The mappings section of the CloudFormation templates is used to match a key to a value.
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanagerSure, I'd be happy to help!
The correct answer is A:
json{ "MyRDSInstance": { "Type": "AWS::RDS::DBInstance", "Properties": { "DBName": "MyRDSInstance", "AllocatedStorage": "20", "DBInstanceClass": "db.t2.micro", "Engine": "mysql", "MasterUsername": "{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}", "MasterUserPassword": "{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}" } } }
Here's why:
When creating an RDS instance with a CloudFormation template, it's a best practice to use AWS Secrets Manager to manage database credentials. This allows you to keep your credentials separate from your CloudFormation stack, making it easier to manage and rotate credentials when needed.
In this example, the CloudFormation template is using the resolve
function to retrieve the username and password from AWS Secrets Manager. Specifically, it's using the resolve:secretsmanager
function, which tells CloudFormation to retrieve the secret value from AWS Secrets Manager.
The MyRDSSecret
value in the function is the name of the secret in AWS Secrets Manager. The SecretString
value is telling CloudFormation to retrieve the username and password as a JSON string. Finally, the username
and password
values are the specific properties in the JSON string that contain the actual username and password.
So, the CloudFormation template is using the resolve
function to retrieve the database credentials from AWS Secrets Manager and then passing them to the RDS instance properties as MasterUsername
and MasterUserPassword
.
Option B is incorrect because it's using the ssm-secure
function, which is not the correct function for retrieving secrets from AWS Secrets Manager. Instead, it's used for retrieving secure parameters from AWS Systems Manager Parameter Store.
Option C is incorrect because it's using the Ref
function, which is used for referencing a CloudFormation resource by its logical ID. It's not used for retrieving values from AWS Secrets Manager.
Option D is incorrect because it's using a Mappings
section to define the secret ARNs, which is not necessary. Also, the syntax for referencing the secret values in the RDS instance properties is incorrect.