Store RSAKey in secret manager instead of parameter store
Closed this issue · 3 comments
Is it possible to modify some setting to store RSA private key (key pair) in Secret Manager instead of parameter store?
I always use secret manager for every other secret and would be great if I could continue doing so for private keys.
This is my sample:

```yaml
Resources:
  privateKey:
    Type: Custom::RSAKey
    Properties:
      Name: !Ref rsaKeyName
      KeySize: 4096
      KeyFormat: PKCS8
      Description: SSH key for Bastion Host EC2 instances
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
      RefreshOnUpdate: false
  keyPair:
    Type: Custom::KeyPair
    DependsOn: privateKey
    Properties:
      Name: !Ref keyPairName
      PublicKeyMaterial: !GetAtt privateKey.PublicKey
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
```
Hi @diegosasw, changing the secret provider to store the secrets in the secret manager is quite a complicated change.
I could implement the ReturnSecret property, which could be combined with the native AWS::SecretsManager::Secret. Would that be ok for you? A bit like:
```yaml
  privateKey:
    Type: Custom::RSAKey
    Properties:
      Name: !Ref rsaKeyName
      KeySize: 4096
      KeyFormat: PKCS8
      Description: SSH key for Bastion Host EC2 instances
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-secret-provider
      ReturnSecret: true
      RefreshOnUpdate: false
  SecretManagerPrivateKey:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Ref rsaKeyName
      SecretString: !GetAtt privateKey.PrivateKeyPEM
```
Note that without key rotation, the Secret Manager Secret is just a very expensive Parameter Store parameter :-p
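Whichever store the key ends up in, it is worth verifying after deployment that the PEM you fetch back is what the template asked for (`KeyFormat: PKCS8`, an RSA key, `KeySize: 4096`) before wiring it into bastion access. The script below is an added example, not code from binxio-cfn-secret-provider; it assumes `openssl` is installed, uses a locally generated key as a constructed stand-in for the stored one, and the `RSA_KEY_NAME` in the comments is a hypothetical placeholder for the `Name` property.

```shell
#!/bin/sh
# Added example, not part of binxio-cfn-secret-provider: validate a retrieved
# private-key PEM against the template's KeyFormat/KeySize settings.
set -eu

# check_rsa_key FILE BITS: 0 if FILE holds a PKCS#8 PEM with an RSA key of BITS bits.
check_rsa_key() {
  file=$1; bits=$2
  # KeyFormat: PKCS8 yields "BEGIN PRIVATE KEY"; PKCS#1 would read "BEGIN RSA PRIVATE KEY".
  head -n 1 "$file" | grep -q '^-----BEGIN PRIVATE KEY-----$' \
    || { echo "$file: not a PKCS#8 PEM" >&2; return 1; }
  text=$(openssl pkey -in "$file" -noout -text 2>/dev/null) \
    || { echo "$file: openssl could not parse the key" >&2; return 1; }
  # RSA keys print a modulus; an EC key prints "pub:" and an OID instead.
  printf '%s\n' "$text" | grep -q '^modulus:' \
    || { echo "$file: not an RSA key" >&2; return 1; }
  # OpenSSL 1.x and 3.x differ in the line prefix, so match only the size.
  printf '%s\n' "$text" | grep -q "Private-Key: ($bits bit" \
    || { echo "$file: expected a $bits-bit key" >&2; return 1; }
}

# make_rsa_key BITS FILE: constructed PKCS#8 RSA key for local testing, standing in
# for the key the provider writes to Parameter Store (or, via ReturnSecret, Secrets Manager).
make_rsa_key() {
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" -out "$2" 2>/dev/null
}

# Fetching the real key instead (hypothetical RSA_KEY_NAME; needs AWS credentials):
#   aws ssm get-parameter --name "$RSA_KEY_NAME" --with-decryption \
#       --query Parameter.Value --output text > key.pem
#   aws secretsmanager get-secret-value --secret-id "$RSA_KEY_NAME" \
#       --query SecretString --output text > key.pem
#   check_rsa_key key.pem 4096
```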
Thanks for the quick reply, you are right about the secret manager being pretty much a parameter store (which can also be encrypted) but more expensive :)
No need to change that, it works fine for my needs, thanks a lot for the great product!
Good. Note that your RSA key created by the secret provider in the parameter store is also encrypted!