Cloudreach Blog

Catch the latest stuff

Secret Store Lambda for CloudFormation templates

Giulio Calzolari 2nd November 2017
Secret Store Lambda Cloudreach

One topic very important in the AWS ecosystem is how to share secrets and parameters between applications.

Popular tools such as Vault and Consul are oriented towards large enterprises with multiple levels of security. There are also other proprietary KMS systems which often require connectivity back to on premise locations.

Another alternative may be a solution designed to run on the AWS platform, but such systems often have limitations. Credstash for example does not offer permission level per secret based. Solutions are often chosen based on the InfoSec policy & potential compliance requirements.

A solution for sharing

Inspired by Chris Barclay’s article on Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks, I designed a solution fully integrated with CloudFormation using Lambda-backed custom resources and SSM Parameter Store. Such a solution is cloud native and builds on top of services with adequate SLA’s in place. The goal is to form a simple yet secure and effective solution for sharing secrets between deployments.

Secret Store Lambda for CloudFormation templates

When a CloudFormation template invokes AWS Lambda Secretstore, the function is executed with a dedicated IAM role, retrieved from EC2 Parameter Store and the secret decrypted using KMS. The execution of Lambda returns back to CloudFormation the value from the Parameter Store which makes it possible to access it using the function GetAtt reading the parameter “Value” and “Arn”.

You can see a full example in the file resources/example-read.yaml.

Why I used these AWS services

Lambda backed custom resources – provides cost efficiency with the use of all Lambda benefits and privileges segregated through IAM.

SSM Parameter Store – as SSM is fully integrated between all instances OS, it does not require any additional configuration. It also enables encryption of your secrets using KMS and allows you to control permission access using IAM.

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Getting Started

How To install

1. Clone your repository

$ git clone
$ cd aws-cfn-secretstore/

2. Editing the file serverless.yml, you can deploy your function in AWS using Serverless Framework

$ sls deploy

Serverless: Packaging service...

Serverless: Excluding development dependencies...

Serverless: Uploading CloudFormation file to S3...

Serverless: Uploading artifacts...

Serverless: Uploading service .zip file to S3 (62.37 KB)...

Serverless: Validating template...

Serverless: Creating Stack...

Serverless: Checking Stack create progress...


Serverless: Stack create finished...

Service Information

service: cfn-tools

stage: prod

region: eu-west-1

stack: cfn-tools-prod

api keys:





  secretstore: cfn-tools-prod-secretstore

and immediately test your deployment using:

$ aws cloudformation create-stack --stack-name example-read-secretstore  --template-body file://resources/example-read.yaml

Note that neither CloudFormation, Lambda or Parameter Store are global resources, so you will have to deploy the helper stack into each region.

How to quickly manage your secret using CLI

In order to simply manage your secret, you can use ssm AWS CLI or a dedicated helper such as ec2stash to read/write and delete.

External resources

Github repository []