在 AWS Cloudformation 中指定 Secret Manager 值的动态引用 [英] Dynamic References to Specify Secret Manager Values in AWS Cloudformation

问题描述

无论如何我们可以传递动态引用Secret Manager 到 AWS启动配置用户数据?

这是我试过的代码片段:

"SampleLaunchConfig": {"Type": "AWS::AutoScaling::LaunchConfiguration",特性": {图像ID":{"Fn::FindInMap": ["AWSRegionArch2AMI",{"Ref": "AWS::Region"},阿米"]},用户数据": {Fn::Base64":{"Fn::Join": ["",["#!/bin/bash -xe
","yum update -y
","useradd -p <<pwd>>{{resolve:secretsmanager:Credentials:SecretString:userName}}
","
"]]}}}}

获取 useradd 时出现错误:无效的用户名 '{{resolve:secretsmanager:Credentials:SecretString:userName}}'

如何将 Secret Manager 秘密值传递给 cloudformation 用户数据?

解决方案

看来 {{resolve:...}} 动态引用仅在模板内的某些上下文中展开.

AWS 文档中没有关于您可以在模板中的确切位置使用这些参考的准确信息.目前关于 {{resolve:secretsmanager:...}} 的措辞是:

<块引用>

secretsmanager 动态引用可用于所有资源属性"

然而，这与您的示例相矛盾，我还观察到动态引用无法在 CloudFormation::Init 数据内部解析.

我与 AWS 就此展开了一个有效的支持案例，他们同意动态引用的行为记录不充分.我会在了解更多信息后更新此答案.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

Is there anyway we can pass dynamic references to Secret Manager to AWS Launch Config User Data?

Here is the code snippet I tried:

"SampleLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
             "Properties": {
                "ImageId": {
                    "Fn::FindInMap": [
                        "AWSRegionArch2AMI",
                        {
                            "Ref": "AWS::Region"
                        },
                        "AMI"
                    ]
                },
                "UserData": {
                    "Fn::Base64": {
                        "Fn::Join": [
                            "",
                            [
                                "#!/bin/bash -xe
",
                                "yum update -y
",
                                "useradd -p <<pwd>>{{resolve:secretsmanager:Credentials:SecretString:userName}}
",
                                "
"
                            ]
                        ]
                    }
                }
        }
    }

Seems error in getting the useradd: invalid user name '{{resolve:secretsmanager:Credentials:SecretString:userName}}'

How can I pass Secret Manager secret value to cloudformation user data ?

解决方案

It seems that {{resolve:...}} dynamic references are only expanded in certain contexts within a template.

There is no precise information in the AWS docs about exactly where in a template you can use these references. The current wording with regard to {{resolve:secretsmanager:...}} says:

"The secretsmanager dynamic reference can be used in all resource properties"

However this is contradicted by your example, and I've also observed dynamic references failing to resolve inside of CloudFormation::Init data.

I have an active Support case open with AWS about this, they have agreed that the behaviour of dynamic references is inadequately documented. I'll update this answer as I learn more.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

这篇关于在 AWS Cloudformation 中指定 Secret Manager 值的动态引用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！