
CloudFormation supports the "NoEcho" option specifically to allow password-type parameters, which are not inspectable. How is that not a secure string parameter?



I realize this response is late.

The term “parameters” is unfortunately overloaded.

CloudFormation parameters are used within CF. We were referring to parameters in Parameter Store.

https://docs.aws.amazon.com/systems-manager/latest/userguide...

But then, how do you get the secret value from CF to parameter store? If you put the value of the parameter in your template, then it is stored unencrypted in your template that is probably in source control.

For that, I use a combination of NoEcho in CF and use that user-entered value as a !Ref when creating the parameter store. Run the template manually one time and then you can have it default to the existing value.

But you need a custom resource to create a secure string type.
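The custom resource mentioned in the comment above, sketched as a Lambda handler that writes the NoEcho value to Parameter Store as a SecureString. This is an added example, not code from the thread; the property names `Name`, `Value` and `KeyId` and the split into `handle` and `lambda_handler` are assumptions made for the illustration.

```python
import json
import urllib.request

def handle(event, ssm):
    """Handle one custom-resource event; return the response body for CloudFormation."""
    # "Name", "Value" and "KeyId" are property names assumed for this example.
    # Never log `event`: NoEcho masks the value in the console and API output,
    # but the plaintext is still delivered here in ResourceProperties.
    props = event["ResourceProperties"]
    physical_id = event.get("PhysicalResourceId") or props.get("Name", "unknown")
    status, reason = "SUCCESS", "ok"
    try:
        if event["RequestType"] in ("Create", "Update"):
            args = {"Name": props["Name"], "Value": props["Value"],
                    "Type": "SecureString", "Overwrite": True}
            if props.get("KeyId"):          # omit to use the AWS managed key for SSM
                args["KeyId"] = props["KeyId"]
            ssm.put_parameter(**args)
            physical_id = props["Name"]     # a renamed parameter becomes a replacement
        elif event["RequestType"] == "Delete":
            try:
                ssm.delete_parameter(Name=physical_id)
            except ssm.exceptions.ParameterNotFound:
                pass                        # already gone; deletion stays idempotent
    except Exception as exc:
        # Report only the exception class so the secret cannot leak via Reason.
        status, reason = "FAILED", type(exc).__name__
    return {"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"]}

def lambda_handler(event, context):
    import boto3  # provided by the Lambda Python runtime
    body = json.dumps(handle(event, boto3.client("ssm"))).encode()
    # CloudFormation waits for this PUT to the pre-signed ResponseURL.
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

In the template, the resource's `Value` property would be a `!Ref` to the NoEcho parameter, and the function's role needs `ssm:PutParameter` and `ssm:DeleteParameter` on the parameter path.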



