On Oct 06, 2021

CloudFormation Example for an IAM User with Rotating Credentials

Thomas Step
Thomas Step

Serial is a field specific to CloudFormation that accepts an integer. If that integer is increased, the access key is rotated. This is a cool feature that I knew I wanted to test out.

I had a need for an IAM User not too long ago and wanted to create a CloudFormation template instead of going through the console. I do not create IAM entities too often, so I figured that this would be a good time to cement my knowledge into a template. I wanted the user to have CLI access for some automation, which meant that I needed to also create an access key. While I was looking through the documentation for access keys I noticed an interesting field: Serial.

Serial is a field specific to CloudFormation that accepts an integer. If that integer is increased, the access key is rotated. This is a cool feature that I knew I wanted to test out.

After creating an IAM User, I wanted to create an access key for that user based on a Serial, and after that access key was created, I wanted to store the credentials in a secret. Whenever the credentials needed to be rotated, it should be as simple as incrementing the Serial and grabbing the new credentials from the secret. Here is what I came up with.

Parameters:
  Serial:
    Type: Number
    Description: Increment this to rotate credentials
Resources:
  IamUser:
    Type: AWS::IAM::User
    Properties: 
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/AdministratorAccess
  AccessKey:
    Type: AWS::IAM::AccessKey
    Properties: 
      Serial: !Ref Serial
      Status: Active
      UserName: !Ref IamUser
  AccessKeySecret:
    Type: AWS::SecretsManager::Secret
    Properties: 
      Description: !Sub "These are the credentials for the IAM User ${IamUser}"
      SecretString: !Join
        - ""
        - - '{"AccessKeyId":"'
          - !Ref AccessKey
          - '","SecretAccessKey":"'
          - !GetAtt AccessKey.SecretAccessKey
          - '"}'

This template is also available in my aws-cloudformation-reference repository. I also made a video of me creating the template in case the process of building and deploying something like this from scratch is of interest.

Cover photo by Mae Mu

No members commented this content.

    Get the IAM Pulse Check Newsletter

    We send out a periodic newsletter full of tips & tricks, contributions from the community, commentary on the industry, relevant social posts, and more.

    Checkout past issues for a sampling of the goods.