How to add/delete keys to an existing Secret in AWS SecretsManager with CloudFormation

Question

Here is my CloudFormation (CFN) template that creates the secret named MySecret in AWS SecretsManager.

Resources:
  MySecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Name: MyDatabaseSecret
      Description: Secret for Database Connection
      SecretString: !Sub |
        {
          "DBUserName": "",
          "DBPassword": "",
          "DBPort":""
        }

After creating this secret using this CFN template, I started updating the secret values manually.

At some point, I wanted to add another key named DBName to this same secret with empty value like "DBName": "", or, delete the key "DBPort", using the same CFN template. But, for any key modification using the CFN update, I need to provide values for the existing keys as well. Otherwise, the CFN update will overwrite the values with the empty values from the template. I'd like the CFN to get (resolve) the values of the existing keys from the Secret and update them back. Is it possible?

I prefer a CloudFormation solution. If not, then AWS CDK with Python also will help.

Answer 1

I'd like the CFN to get (resolve) the values of the existing keys from the Secret and update them back. Is it possible?

No, at least in a single deployment it is not possible and if you retrieve the secret value and assign it back, it will create a circular dependency if you reference to itself.

---

To resolve the circular dependency, you need to do a two phase deployment. First deployment, create your secret. Second deployment, grab your Secret's ARN and update your CFN template to get the Secret value.

Resources:
  MySecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Name: MyDatabaseSecret
      Description: Secret for Database Connection
      SecretString: !Sub |
        {
          "DBUserName": "{resolve:secretsmanager:<thisSecretArn>:SecretString:DBUserName::}}",
          "DBPassword": "{{resolve:secretsmanager:<thisSecretArn>:SecretString:DBPassword::}}",
          "DBPort": "{{resolve:secretsmanager:<thisSecretArn>:SecretString:DBPort::}}"
        }

CDK Psuedocode:

        from aws_cdk import (
            aws_secretsmanager as secrets,
            SecretValue    
        )

        secret_arn = 'secret_arn' # my_secret arn hard-coded cause can't reference to itself before creating it.

        pw = SecretValue.secrets_manager(
            secret_id=secret_arn,
            json_field='DBPassword'
        ).to_string()

        un = SecretValue.secrets_manager(
            secret_id=secret_arn,
            json_field='DBUserName'
        ).to_string()

        port = SecretValue.secrets_manager(
            secret_id=secret_arn,
            json_field='DBPort'
        ).to_string()

        dbname = SecretValue.secrets_manager(
            secret_id=secret_arn,
            json_field='DBPort'
        ).to_string()

        my_secret = secrets.Secret(
            self, "Secret",
            secret_object_value={
                "DBUserName": SecretValue.unsafe_plain_text(un),
                "DBPassword": SecretValue.unsafe_plain_text(pw),
                "DBPort": SecretValue.unsafe_plain_text(port),
                # Adding/removing works
                # "DBName": SecretValue.unsafe_plain_text(dbname),
            }
        )

You can also put the Secret ARN as a parameter and create a logic like this:

        _secret_arn = secret_arn # Stack parameter

        pw = SecretValue.secrets_manager(
            secret_id=secret_arn,
            json_field='DBPassword'
        ).to_string() if _secret_arn else ""

---

You can use GenerateSecretString to generate a random password. For keys like DBUserName or DBPort, you can use CFN Parameters with your default value. And if you want to update the value, you need update it via CFN and not manually.