CloudFormation Example for an IAM User with Rotating Credentials

Serial is a field specific to CloudFormation that accepts an integer. If that integer is increased, the access key is rotated. This is a cool feature that I knew I wanted to test out.

Thomas Step

by Thomas Step

Oct 06, 2021

0

I had a need for an IAM User not too long ago and wanted to create a
CloudFormation template instead of going through the console. I do not create IAM entities too often, so I figured that this would be a good time to cement my knowledge into a template. I wanted the user to have CLI access for some automation, which meant that I needed to also create an access key. While I was looking through the documentation for access keys I noticed an interesting field: `Serial`.

`Serial` is a field specific to CloudFormation that accepts an integer. If that integer is increased, the access key is rotated. This is a cool feature that I knew I wanted to test out.

After creating an IAM User, I wanted to create an access key for that user
based on a `Serial`, and after that access key was created, I wanted to store the credentials in a secret. Whenever the credentials needed to be rotated, it should be as simple as incrementing the `Serial` and grabbing the new credentials from the secret. Here is what I came up with.

yaml

Parameters:
Serial:
Type: Number
Description: Increment this to rotate credentials
Resources:
IamUser:
Type: AWS::IAM::User
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
AccessKey:
Type: AWS::IAM::AccessKey
Properties:
Serial: !Ref Serial
Status: Active
UserName: !Ref IamUser
AccessKeySecret:
Type: AWS::SecretsManager::Secret
Properties:
Description: !Sub "These are the credentials for the IAM User ${IamUser}"
SecretString: !Join
- ""
- - '{"AccessKeyId":"'
- !Ref AccessKey
- '","SecretAccessKey":"'
- !GetAtt AccessKey.SecretAccessKey
- '"}'

This template is also available in my aws-cloudformation-reference
repository
.
I also made a video of me creating the template in case the process of building and deploying something like this from scratch is of interest.

Cover photo by Mae Mu

    img

    Join the beta waitlist

    Enter your email to get notified when our product becomes available to try.

    Sign Up for the community

    Create your member profile to get involved with our content, programs, and events.