使用 CloudFormation 创建 Secrets Manager 但保持值不可见
Create Secrets Manager using CloudFormation but keeping values not visible
我有一个 CloudFormation 模板可以在 Secrets Manager 中创建 Secret。我当前的模板与此类似(基于 aws 文档 https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html):
{
"Resources": {
"MyCredentials": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "prod/web/api",
"Description": "",
"SecretString": "{
\"Client_id\":\"my_client_id\",
\"Client_secret\":\"a_super_secret_value\"
}"
}
}
}
}
我的问题是我不能使用 GenerateSecretString 属性,因为密码是从外部组织定义的,所以我不能自己更改或创建值,这样秘密值就可以是从 CloudFormation 中的模板查看。
是否可以实现此目的,或者我需要手动创建机密?
您可以使用 AWS SSM Parameter,其中外部组织已授予对 add/update 密码的权限,或者团队中的某人也这样做。
密码存在后,您可以通过 dynamic references 读取您的 cloudformation 模板,如下所示,
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
或 static reference 如下所示:
here Accessing the AvailabilityZone param stored in SSM.
"AvailabilityZone": {
"Description": "Amazon EC2 instance Availablity Zone",
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "AvailabilityZone"
}
Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates
中有更多示例
我有一个 CloudFormation 模板可以在 Secrets Manager 中创建 Secret。我当前的模板与此类似(基于 aws 文档 https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html):
{
"Resources": {
"MyCredentials": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "prod/web/api",
"Description": "",
"SecretString": "{
\"Client_id\":\"my_client_id\",
\"Client_secret\":\"a_super_secret_value\"
}"
}
}
}
}
我的问题是我不能使用 GenerateSecretString 属性,因为密码是从外部组织定义的,所以我不能自己更改或创建值,这样秘密值就可以是从 CloudFormation 中的模板查看。
是否可以实现此目的,或者我需要手动创建机密?
您可以使用 AWS SSM Parameter,其中外部组织已授予对 add/update 密码的权限,或者团队中的某人也这样做。
密码存在后,您可以通过 dynamic references 读取您的 cloudformation 模板,如下所示,
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
或 static reference 如下所示:
here Accessing the AvailabilityZone param stored in SSM.
"AvailabilityZone": {
"Description": "Amazon EC2 instance Availablity Zone",
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "AvailabilityZone"
}
Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates
中有更多示例