Thomas Step

<- Blog

Interested in learning more about serverless AWS? Check out my Guide to Building with Serverless AWS (only pay what you want)

CloudFormation Example for an IAM User with Rotating Credentials

I had a need for an IAM User not too long ago and wanted to create a CloudFormation template instead of going through the console. I do not create IAM entities too often, so I figured that this would be a good time to cement my knowledge into a template. I wanted the user to have CLI access for some automation, which meant that I needed to also create an access key. While I was looking through the documentation for access keys I noticed an interesting field: Serial.

Serial is a field specific to CloudFormation that accepts an integer. If that integer is increased, the access key is rotated. This is a cool feature that I knew I wanted to test out.

After creating an IAM User, I wanted to create an access key for that user based on a Serial, and after that access key was created, I wanted to store the credentials in a secret. Whenever the credentials needed to be rotated, it should be as simple as incrementing the Serial and grabbing the new credentials from the secret. Here is what I came up with.

    Type: Number
    Description: Increment this to rotate credentials

    Type: AWS::IAM::User
        - arn:aws:iam::aws:policy/AdministratorAccess
    Type: AWS::IAM::AccessKey
      Serial: !Ref Serial
      Status: Active
      UserName: !Ref IamUser
    Type: AWS::SecretsManager::Secret
      Description: !Sub "These are the credentials for the IAM User ${IamUser}"
      SecretString: !Join
        - ""
        - - '{"AccessKeyId":"'
          - !Ref AccessKey
          - '","SecretAccessKey":"'
          - !GetAtt AccessKey.SecretAccessKey
          - '"}'

This template is also available in my aws-cloudformation-reference repository. I also made a video of me creating the template in case the process of building and deploying something like this from scratch is of interest.

Categories: aws | ops