如何使用aws-cdk从AWS Secrets Manager导入EKS机密? [英] How to import EKS secrets from AWS Secrets Manager using aws-cdk?
问题描述
我有:
- 由aws-cdk脚本部署的
- EKS(已启用kubectl),由
eks.Cluster.addResource()
部署的应用程序 - AWS Secrets Manager,其中包含我希望可用于EKS应用程序的一组秘密
- EKS deployed by aws-cdk script, with kubectl enabled, and apps deployed by
eks.Cluster.addResource()
- AWS Secrets Manager with a set of secrets I want to be available for EKS application
我试图通过这种方式部署Secret:
I tried to deploy Secret this way:
import * as sm from "@aws-cdk/aws-secretsmanager";
getSecret(secretKey: string): string {
let secretTokens = sm.Secret.fromSecretArn(scope, "ImportedSecrets", awsSecretStorageArn);
return secretTokens.secretValueFromJson(secretKey).toString();
}
createKubernetesImagePullSecrets(k8s: eks.Cluster): void {
let eksSecretStorageName = this.env.awsResourcesConfig.k8sImagePullSecretStorageName;
k8s.addResource(eksSecretStorageName, {
apiVersion: "v1",
kind: "Secret",
metadata: {
name: eksSecretStorageName,
},
data: {
".dockerconfigjson": this.getSecret('hub-secret'),
},
type: "kubernetes.io/dockerconfigjson",
});
}
我从CloudFormation遇到错误:
I'm getting an error from CloudFormation:
版本"v1"中的秘密不能作为秘密处理:v1.Secret.ObjectMeta:v1.ObjectMeta.TypeMeta:种类:数据:解码base64:输入字节0处的非法base64数据
Secret in version "v1" cannot be handled as a Secret: v1.Secret.ObjectMeta: v1.ObjectMeta.TypeMeta: Kind: Data: decode base64: illegal base64 data at input byte 0
之所以发生这种情况,是因为秘密令牌未扩展,并且".dockerconfigjson"字段值在这种情况下看起来像是 $ {Token [TOKEN.417]}
This happens because the secret token is not expanded and the ".dockerconfigjson" field value, in this case, looks like ${Token[TOKEN.417]}
是否有一种方法可以在部署过程中正确部署EKS秘密资源并扩展秘密令牌?
Is there a way to deploy the EKS Secret resource and expand secret tokens correctly during deployment?
推荐答案
为此,我创建了一个临时解决方法,方法是使用 aws-cli
下载纯文本版本的机密.不是安全的方法,但是可以.如果您有更安全的解决方案,请不要使用它.
I created a temporary workaround for this, by downloading a plain-text version of secrets with aws-cli
. Not a safe way, but works. Do not use this if you have a more secure solution.
import { execSync } from "child_process";
extractSecretValues(awsSecretStorageArn: string) : Map<string, string> {
let map = new Map<string, string>();
let secretsContent = execSync(`aws secretsmanager get-secret-value --secret-id ${awsSecretStorageArn}`).toString();
let secrets = JSON.parse(secretsContent);
if (!secrets)
throw new Error(`Secret values could not be extracted from ${awsSecretStorageArn}`);
if (secrets.SecretString) {
let secretValuesObj = JSON.parse(secrets.SecretString);
for (let [secretKey, secretValue] of Object.entries<string>(secretValuesObj)) {
map.set(secretKey, secretValue);
}
}
return map;
}
let secretValueMap = extractSecretValues();
createKubernetesImagePullSecrets(k8s: eks.Cluster): void {
let eksSecretStorageName = this.env.awsResourcesConfig.k8sImagePullSecretStorageName;
k8s.addResource(eksSecretStorageName, {
apiVersion: "v1",
kind: "Secret",
metadata: {
name: eksSecretStorageName,
},
data: {
".dockerconfigjson": secretValueMap.get('hub-secret'),
},
type: "kubernetes.io/dockerconfigjson",
});
}
这篇关于如何使用aws-cdk从AWS Secrets Manager导入EKS机密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!