在 Cloudformation 中使用 AWS Secrets Manager 的 Secret
Using AWS Secrets manager's Secret in Cloudformation
我想将 read_only_user 的密码导出到 EC2 实例。如何访问 UserData 中创建的密码?
Resources:
ReadOnlyUserCredentials:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "${AWS::StackName}/readonly-user-credentials"
GenerateSecretString:
SecretStringTemplate: '{"username": "read_only_user"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
WebServer:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-a4c7edb2
InstanceType: t2.micro
UserData:
Fn::Base64: !Sub |
#!/bin/bash
echo "${!Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]}" > password
我尝试使用 !Join,但当然不起作用。非常感谢您的帮助。
更新:
UserData:
Fn::Base64:
Fn::Sub:
- |
echo ${PasswordStr} > password
- PasswordStr: !Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]
通过更改如上所示的代码,我确实得到了解析字符串,但它并没有给我实际的密码。如何解析 arn 以获取明文密码?
您可能不希望 CFN 在用户数据中扩展您的秘密,因为密码将嵌入在 EC2 控制台中可见的 base64 编码用户数据脚本中。
相反,您应该利用这样一个事实,即您有一个在主机上执行的脚本,并在脚本执行时调用机密管理器(警告,未测试):
Resources:
ReadOnlyUserCredentials:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "${AWS::StackName}/readonly-user-credentials"
GenerateSecretString:
SecretStringTemplate: '{"username": "read_only_user"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
WebServer:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-a4c7edb2
InstanceType: t2.micro
UserData:
Fn::Base64: !Sub |
#!/bin/bash
yum update -y
yum install -y jq
aws --region ${AWS::Region} secretsmanager get-secret-value --secret-id !Ref ReadOnlyUserCredentials --query SecretString --output text | jq -r .password > password
我想将 read_only_user 的密码导出到 EC2 实例。如何访问 UserData 中创建的密码?
Resources:
ReadOnlyUserCredentials:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "${AWS::StackName}/readonly-user-credentials"
GenerateSecretString:
SecretStringTemplate: '{"username": "read_only_user"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
WebServer:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-a4c7edb2
InstanceType: t2.micro
UserData:
Fn::Base64: !Sub |
#!/bin/bash
echo "${!Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]}" > password
我尝试使用 !Join,但当然不起作用。非常感谢您的帮助。
更新:
UserData:
Fn::Base64:
Fn::Sub:
- |
echo ${PasswordStr} > password
- PasswordStr: !Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]
通过更改如上所示的代码,我确实得到了解析字符串,但它并没有给我实际的密码。如何解析 arn 以获取明文密码?
您可能不希望 CFN 在用户数据中扩展您的秘密,因为密码将嵌入在 EC2 控制台中可见的 base64 编码用户数据脚本中。
相反,您应该利用这样一个事实,即您有一个在主机上执行的脚本,并在脚本执行时调用机密管理器(警告,未测试):
Resources:
ReadOnlyUserCredentials:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub "${AWS::StackName}/readonly-user-credentials"
GenerateSecretString:
SecretStringTemplate: '{"username": "read_only_user"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/\'
WebServer:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-a4c7edb2
InstanceType: t2.micro
UserData:
Fn::Base64: !Sub |
#!/bin/bash
yum update -y
yum install -y jq
aws --region ${AWS::Region} secretsmanager get-secret-value --secret-id !Ref ReadOnlyUserCredentials --query SecretString --output text | jq -r .password > password