CloudFormation 的秘密 [英] CloudFormation Secrets

问题描述

我想坚持所有基础设施都是代码"的政策.但是，对于 CloudFormation 的机密，我看不出有什么方法可以做到这一点.

I would like to stick to a policy of "all infrastructure is code". However, I can't see a way to do that for secrets with CloudFormation.

SecretsManager 要求您以纯文本形式指定 SecretString.即使您从某处注入解密的值，纯文本字符串也会显示在模板视图的 CF 控制台中:/

SecretsManager requires that you specify the SecretString in plain text. Even if you inject a decrypted value from somewhere, the plain text string shows up in the CF console in the template view :/

在 SSM 中也不可能使用加密字符串.文档说，AWS CloudFormation 不支持创建 SecureString 参数类型."

It is also impossible to use encrypted strings in SSM. The docs say, "AWS CloudFormation doesn't support creating a SecureString parameter type."

真的没有办法使用 CloudFormation 来安全地将机密管理为代码吗?

Is there really no way to use CloudFormation to securely manage secrets as code?

推荐答案

您可以使用 Secret 资源在 CloudFormation 中创建 SecretsManager 机密.有一种方法可以在 SecretString 中生成一个值(它使用 GenerateRandomPassword API).查看 GenerateSecretString财产.

You can use the Secret resource in CloudFormation to create SecretsManager secrets. There is a way to generate a value in the SecretString (which uses the GenerateRandomPassword API). Look at the GenerateSecretString property.

这应该可以帮助您生成密码，而无需在模板中对其进行硬编码.

That should help you with generating a password without hardcoding it in a template.

还有一个 RotationSchedule 可帮助您为机密设置自动轮换的资源.

There is also a RotationSchedule resource to help you set up automatic rotation for your secret.

要使用存储在 SecretsManager 密钥或 Parameter Store 参数中的密钥值，请使用 动态引用.动态引用保证秘密值不会记录在 CFN 中或显示在控制台中.

To use the secret values stored in a SecretsManager secret or Parameter Store paramter, use dynamic references. Dynamic refs guarantee that the secret value is not logged in CFN or displayed in the console.

无法创建/生成 SecureString 参数.

There is no way to create/generate a SecureString parameter in Parameter Store/Systems Manager currently.

这篇关于CloudFormation 的秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！