使用CloudFormation读取机密 [英] Reading a secret using CloudFormation

问题描述

我正在尝试在CloudFormation中创建一个在JSON中具有秘密的AWS堆栈。

I am trying to create an AWS stack in CloudFormation having a secret in the JSON.

我不希望在参数中显示秘密的值，并且我不希望我的实例（代理或ec2）访问机密管理器。我希望CloudFormation从机密管理器中检索值并将其在运行时注入模板中。

I don't want the value of the secret displayed in the parameters and I don't want my instance (fargate or ec2) to access the secrets manager. I want CloudFormation to retrieve the value from the secrets manager and inject it in the template during runtime.

这就是我所做的：

1. 创建秘密

1. Create a secret

使用Designer创建模板

Create a template using Designer

读取机密并创建资源。在这种情况下，我将创建一个具有秘密标记的存储桶。我知道这是不安全的，但是存储桶仅用作概念证明。

Read the secret and create a resource. In this case I am creating a bucket that has as a tag the secret. I know this is not secure, but the bucket is being used just as a proof of concept.

验证存储桶中是否包含带有机密的标签

Validate that the bucket contains a tag with the secret

这是我的模板：

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "create a single S3 bucket",
    "Resources": {
        "SampleBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "asantostestbucket",
                "Tags" : [
                    {
                        "Key" : "keyname",
                        "Value" : "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"
                    }
            ]
            }
        }
    }
}

哪个给我错误一个或多个标签无效。

我该如何指示到CloudForma我希望它读取机密，而不是尝试将标签读取为文本？换句话说，将 {{resolve：secretsmanager：dev / learning：SecretString：hello}}替换为该值，而不是将其读取为文本。

How can I indicate to CloudFormation that I want it to read the secret, instead of trying to read the tag as text? In other words, replace "{{resolve:secretsmanager:dev/learning:SecretString:hello}}" with the value, instead of reading it as a text.

推荐答案

为重现这种情况，我做了以下操作：

To reproduce this situation, I did the following:

• 在秘密管理器中，创建了一个新的秘密
  
  
  
  
  • 其他类型的秘密
  
  
  • 密钥：你好
  
  
  • 值：惊喜
  
  
  • 秘密名称： dev / learning
  
  
  • In the Secrets Manager, created a new secret
    • "Other type of secrets"
    • Key: hello
    • Value: surprise
    • Secret name: dev/learning

    这是输出：

    aws secretsmanager get-secret-value --secret-id dev/learning
    {
        "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:dev/learning-kCxSK3",
        "Name": "dev/learning",
        "VersionId": "...",
        "SecretString": "{\"hello\":\"surprise\"}",
        "VersionStages": [
            "AWSCURRENT"
        ],
        "CreatedDate": 1560925072.106
    }
    

    
    
    

    
    
    • 启动CloudFormation模板您在上方提供（但使用不同的存储桶名称）
    
    

    结果：我收到了消息一个或多个标签无效

    因此，我得到的结果与您相同。

    So, I got the same result as you did.

    然后我尝试使用秘密创建其他类型的资源：

    I then tried creating a different type of resource using the secret:

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "SecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"
                }
            }
        }
    }
    

    工作成功：

    aws ec2 describe-security-groups --group-id sg-03cfd71f4539a4b7e
    {
        "SecurityGroups": [
            {
                "Description": "surprise",
                ...
    

    因此，似乎 {{resolve}} 的行为正确，但是由于某些原因，S3 Tag不喜欢它。

    So, it seems that the {{resolve}} is behaving correctly, but for some reason the S3 Tag doesn't like it.

    底线：可能，但不建议。

    这篇关于使用CloudFormation读取机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！