How to retrieve SecretsManager secret in AWS CDK

I'm setting up a Fargate service in AWS using the CDK:

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: Secret.fromSecretsManager(
                    ISecret,   // <-- how do I obtain this instance?
                    'fieldWithinTheSecret'
                ),
            }
        }
    }
)

How should I obtain an ISecret instance given the secret name?

I looked at AWS.SecretsManager in the AWS SDK, but it only returns strings.

There is currently no Secret.fromSecretName method. Assuming you are using an existing secret, you should use the Secret.fromSecretArn method.

Note that if you use a KMS key, you should use the Secret.fromSecretAttributes method, as described in Get a value from AWS secrets manager.

import * as ecs from "@aws-cdk/aws-ecs";
import * as ecs_patterns from "@aws-cdk/aws-ecs-patterns";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";

// Reference an existing secret by its complete ARN (the name carries the 6-character
// suffix Secrets Manager appends). Replace the placeholders with your own values.
const mySecret = secretsmanager.Secret.fromSecretArn(this, "mySecret", "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-<random-6-characters>");

const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(
    this,
    'FargateService',
    {
        vpc: ...,
        taskImageOptions: {
            image: ...,
            containerPort: ...,
            secrets: {
                MY_ENV_VAR: ecs.Secret.fromSecretsManager(mySecret),
            }
        }
    }
);

Update for CDK version 2: you can use Secret.fromSecretNameV2() to reference the secret and Secret.secretValueFromJson('keyname').toString() to retrieve a specific secret value. See the code snippet below.

import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

// Reference the secret by name only (no ARN suffix needed).
const appSecret = Secret.fromSecretNameV2(this, 'app-secret', "secret-name");
// Each value is a deploy-time token, not the plaintext secret.
const value1 = appSecret.secretValueFromJson('KeyName1').toString();
const value2 = appSecret.secretValueFromJson('KeyName2').toString();

The best thing is, you can use this secret value anywhere like Cognito Secrets, and it will not hardcode the secret value in your CloudFormation stack. Instead, it will use a token and it will be resolved to the value when it is deployed.
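The following is an added example that is not part of the question or of either answer above. It models, without depending on aws-cdk-lib, the strings that the CDK calls in both answers synthesize into: the ECS task definition `valueFrom` that `ecs.Secret.fromSecretsManager(secret, field)` writes, the CloudFormation dynamic reference that `secretValueFromJson(key).toString()` becomes, and the `-??????` IAM resource pattern CDK grants the task execution role when only a partial ARN (as returned by `Secret.fromSecretNameV2`) is known. The region, account ID, secret names and suffix are constructed sample values; the `uncoveredSecrets` check and the glob matcher are helpers written for this example, not CDK APIs.

```typescript
// Constructed sample values (not real resources).
const REGION = "us-east-1";
const ACCOUNT = "123456789012";

const SECRET_ARN_RE =
  /^arn:(aws|aws-cn|aws-us-gov):secretsmanager:([a-z0-9-]+):(\d{12}):secret:(.+)$/;

interface SecretRef {
  partition: string;
  region: string;
  account: string;
  nameWithSuffix: string;
  isComplete: boolean; // true when the ARN carries the "-XXXXXX" suffix
}

function parseSecretArn(arn: string): SecretRef {
  const m = SECRET_ARN_RE.exec(arn);
  if (!m) throw new Error(`not a Secrets Manager ARN: ${arn}`);
  const nameWithSuffix = m[4];
  // Heuristic only: a secret *named* "app-secret" looks exactly like a complete
  // ARN ("-secret" is 6 alphanumerics), which is why CDK has explicit
  // fromSecretNameV2 / fromSecretCompleteArn methods instead of guessing.
  const isComplete = /-[A-Za-z0-9]{6}$/.test(nameWithSuffix);
  return { partition: m[1], region: m[2], account: m[3], nameWithSuffix, isComplete };
}

// The partial ARN Secret.fromSecretNameV2(scope, id, name) exposes as secretArn.
function partialSecretArn(region: string, account: string, name: string, partition = "aws"): string {
  return `arn:${partition}:secretsmanager:${region}:${account}:secret:${name}`;
}

// The task definition `valueFrom` produced by ecs.Secret.fromSecretsManager(secret, field).
// ECS format: <secret-arn>:<json-key>:<version-stage>:<version-id>
function ecsValueFrom(secretArn: string, field?: string): string {
  return field === undefined ? secretArn : `${secretArn}:${field}::`;
}

// Recover the secret ARN from a valueFrom (secret names cannot contain ":").
function secretArnOfValueFrom(valueFrom: string): string {
  return valueFrom.split(":").slice(0, 7).join(":");
}

// The CloudFormation dynamic reference secret.secretValueFromJson(key).toString() becomes.
function dynamicReference(secretArn: string, jsonKey = ""): string {
  return `{{resolve:secretsmanager:${secretArn}:SecretString:${jsonKey}::}}`;
}

// Quick check for template audits: is this value resolved by CloudFormation at
// deploy time rather than baked into the template as plaintext?
function isDeployTimeResolved(value: string): boolean {
  return value.startsWith("{{resolve:secretsmanager:");
}

// IAM resource CDK grants the execution role. A partial ARN must get the
// "-??????" suffix wildcard, otherwise GetSecretValue is denied at task start.
function iamResourceFor(secretArn: string): string {
  return parseSecretArn(secretArn).isComplete ? secretArn : `${secretArn}-??????`;
}

// IAM-style glob: "*" matches any run of characters, "?" exactly one.
function iamGlobMatches(pattern: string, value: string): boolean {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(value);
}

// Given a container's Secrets list and the execution role's Resource entries,
// return the names of secrets no resource pattern covers.
function uncoveredSecrets(
  secrets: { name: string; valueFrom: string }[],
  resources: string[],
): string[] {
  return secrets
    .filter((s) => !resources.some((r) => iamGlobMatches(r, secretArnOfValueFrom(s.valueFrom))))
    .map((s) => s.name);
}

// Walk-through with the constructed values.
const partial = partialSecretArn(REGION, ACCOUNT, "prod/app-credentials");
const complete = `${partial}-AbCdEf`; // constructed 6-character suffix
console.log(iamResourceFor(partial));
console.log(ecsValueFrom(complete, "fieldWithinTheSecret"));
console.log(dynamicReference(partial, "KeyName1"));
console.log(
  uncoveredSecrets(
    [
      { name: "MY_ENV_VAR", valueFrom: ecsValueFrom(complete, "fieldWithinTheSecret") },
      { name: "OTHER_SECRET", valueFrom: partialSecretArn(REGION, ACCOUNT, "other-Zz9Yy8") },
    ],
    [iamResourceFor(partial)],
  ),
);
```

When reviewing `cdk synth` output, grep the template for `{{resolve:secretsmanager:` and for the `-??????` patterns in the execution role's policy; a secret name that ends in a hyphen plus six alphanumerics should be referenced with `fromSecretCompleteArn` or `fromSecretNameV2` explicitly, because the suffix heuristic above cannot tell it apart from a complete ARN.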