使用CloudFormation读取机密 [英] Reading a secret using CloudFormation
问题描述
我正在尝试在CloudFormation中创建一个在JSON中具有秘密的AWS堆栈。
I am trying to create an AWS stack in CloudFormation having a secret in the JSON.
我不希望在参数中显示秘密的值,并且我不希望我的实例(代理或ec2)访问机密管理器。我希望CloudFormation从机密管理器中检索值并将其在运行时注入模板中。
I don't want the value of the secret displayed in the parameters and I don't want my instance (fargate or ec2) to access the secrets manager. I want CloudFormation to retrieve the value from the secrets manager and inject it in the template during runtime.
这就是我所做的:
-
创建秘密
Create a secret
使用Designer创建模板
Create a template using Designer
读取机密并创建资源。在这种情况下,我将创建一个具有秘密标记的存储桶。我知道这是不安全的,但是存储桶仅用作概念证明。
Read the secret and create a resource. In this case I am creating a bucket that has as a tag the secret. I know this is not secure, but the bucket is being used just as a proof of concept.
验证存储桶中是否包含带有机密的标签
Validate that the bucket contains a tag with the secret
这是我的模板:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "create a single S3 bucket",
"Resources": {
"SampleBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "asantostestbucket",
"Tags" : [
{
"Key" : "keyname",
"Value" : "{{resolve:secretsmanager:dev/learning:SecretString:hello}}"
}
]
}
}
}
}
哪个给我错误一个或多个标签无效。
我该如何指示到CloudForma我希望它读取机密,而不是尝试将标签读取为文本?换句话说,将 {{resolve:secretsmanager:dev / learning:SecretString:hello}}替换为该值,而不是将其读取为文本。
How can I indicate to CloudFormation that I want it to read the secret, instead of trying to read the tag as text? In other words, replace "{{resolve:secretsmanager:dev/learning:SecretString:hello}}" with the value, instead of reading it as a text.
推荐答案
为重现这种情况,我做了以下操作:
To reproduce this situation, I did the following:
- 在秘密管理器中,创建了一个新的秘密
- 其他类型的秘密
- 密钥:
你好
- 值:
惊喜
- 秘密名称:
dev / learning
- In the Secrets Manager, created a new secret
- "Other type of secrets"
- Key:
hello
- Value:
surprise
- Secret name:
dev/learning
这是输出:
aws secretsmanager get-secret-value --secret-id dev/learning { "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:dev/learning-kCxSK3", "Name": "dev/learning", "VersionId": "...", "SecretString": "{\"hello\":\"surprise\"}", "VersionStages": [ "AWSCURRENT" ], "CreatedDate": 1560925072.106 }
- 启动CloudFormation模板您在上方提供(但使用不同的存储桶名称)
结果:我收到了消息
一个或多个标签无效
因此,我得到的结果与您相同。
So, I got the same result as you did.
然后我尝试使用秘密创建其他类型的资源:
I then tried creating a different type of resource using the secret:
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "{{resolve:secretsmanager:dev/learning:SecretString:hello}}" } } } }
工作成功:
aws ec2 describe-security-groups --group-id sg-03cfd71f4539a4b7e { "SecurityGroups": [ { "Description": "surprise", ...
因此,似乎
{{resolve}}
的行为正确,但是由于某些原因,S3 Tag不喜欢它。So, it seems that the
{{resolve}}
is behaving correctly, but for some reason the S3 Tag doesn't like it.底线:可能,但不建议。
这篇关于使用CloudFormation读取机密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!