在AWS Cloudformation中指定Secret Manager值的动态引用 [英] Dynamic References to Specify Secret Manager Values in AWS Cloudformation
问题描述
无论如何,我们可以通过动态引用到AWS的秘密管理器启动配置用户数据?
Is there anyway we can pass dynamic references to Secret Manager to AWS Launch Config User Data?
这是我尝试过的代码段:
Here is the code snippet I tried:
"SampleLaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"yum update -y\n",
"useradd -p <<pwd>>{{resolve:secretsmanager:Credentials:SecretString:userName}}\n",
"\n"
]
]
}
}
}
}
似乎在获取useradd时出错:无效的用户名'{{resolve:secretsmanager:Credentials:SecretString:userName}}'
Seems error in getting the useradd: invalid user name '{{resolve:secretsmanager:Credentials:SecretString:userName}}'
如何通过Secret Manager云形成用户数据的秘密价值?
How can I pass Secret Manager secret value to cloudformation user data ?
推荐答案
似乎 {{resolve:...}}
动态引用仅在模板中的特定上下文中扩展。
It seems that {{resolve:...}}
dynamic references are only expanded in certain contexts within a template.
AWS文档中没有关于模板可以在何处使用的确切信息。关于 {{resolve:secretsmanager:...}}
的当前措辞说:
There is no precise information in the AWS docs about exactly where in a template you can use these references. The current wording with regard to {{resolve:secretsmanager:...}}
says:
可以在所有资源属性中使用secretsmanager动态引用
"The secretsmanager dynamic reference can be used in all resource properties"
但是,这与您的示例矛盾,我我还观察到动态引用未能在CloudFormation :: Init数据内部解析。
However this is contradicted by your example, and I've also observed dynamic references failing to resolve inside of CloudFormation::Init data.
我对此有一个活跃的AWS支持案例,他们同意该行为动态引用的文档不足。当我了解更多信息时,我将更新此答案。
I have an active Support case open with AWS about this, they have agreed that the behaviour of dynamic references is inadequately documented. I'll update this answer as I learn more.
这篇关于在AWS Cloudformation中指定Secret Manager值的动态引用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!