AWS SAM retrieve secret value from Secrets Manager with dynamic referencing

I have been following this official documentation from AWS on how to use secrets stored in Secrets Manager in a SAM template.yaml file, and this is what I did:

    Environment:
      Variables:
        DUMMY_VARIABLE: '{{resolve:secretsmanager:dummy/secret:SecretString:key1}}'

Everything works fine and I can see the secret being retrieved. However, if I change the secret value in Secrets Manager and redeploy the Lambda function with the sam deploy command, the value of the environment variable coming from Secrets Manager stays the same.

I did not specify a version stage or a version ID, but I can work around the problem by specifying the version ID of the secret, as shown below:

DUMMY_VARIABLE: '{{resolve:secretsmanager:dummy/secret:SecretString:key3::VERSION_ID_OF_THE_SECRET}}'

According to the official AWS documentation:

If you don't specify either a version stage or a version ID, then the default is to retrieve the version with the version stage value of AWSCURRENT.

My expectation was that it should fetch the current value from Secrets Manager without my having to specify a version ID or stage, but that does not seem to be happening!

There is this passage on the same page:

Updating a secret in Secrets Manager doesn't automatically update the secret in CloudFormation. In order for CloudFormation to update a secretsmanager dynamic reference, you must perform a stack update that updates the resource containing the dynamic reference, either by updating the resource property that contains the secretsmanager dynamic reference, or updating another of the resource's properties. For example, suppose in your template you specify the MasterPassword property of an AWS::RDS::DBInstance resource to be a secretsmanager dynamic reference, and then create a stack from the template. You later update that secret's value in Secrets Manager, but don't update the AWS::RDS::DBInstance resource in your template. In this case, even if you perform a stack update, the secret value in the MasterPassword property isn't updated, and remains the previous secret value.

So, unfortunately, the secret value is stored in the stack itself. You may need to fetch the secret value explicitly via the API in the code that needs to use it.
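The answer recommends fetching the secret at runtime instead of relying on the dynamic reference. The following is an added example illustrating that approach; it is not code from the question, the answer, or AWS. It assumes a client object with the same get_secret_value(SecretId=..., VersionStage=...) shape as the boto3 secretsmanager client, and the FakeSecretsManager class is a constructed in-memory stand-in used only so the example runs offline; secret names, keys and values are made up for the demonstration.

```python
"""Read a Secrets Manager value at invocation time, with a bounded cache.

Added example, not part of the original question or answer. The real
client is boto3.client("secretsmanager"); FakeSecretsManager below is a
constructed stand-in for offline demonstration only.
"""
import json
import os
import time

try:
    import boto3  # available in the Lambda runtime; optional for this demo
except ImportError:  # pragma: no cover
    boto3 = None


class SecretCache:
    """Caches parsed secret values per (secret_id, stage) for `ttl` seconds.

    Unlike a CloudFormation dynamic reference, which freezes the value into
    the stack, a bounded TTL means a rotated AWSCURRENT value is observed
    without a redeploy, while warm invocations avoid an API call per request.
    """

    def __init__(self, client, ttl=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl
        self._clock = clock          # injectable for deterministic tests
        self._entries = {}           # (secret_id, stage) -> (expires_at, value)

    def get(self, secret_id, key=None, stage="AWSCURRENT"):
        cache_key = (secret_id, stage)
        now = self._clock()
        hit = self._entries.get(cache_key)
        if hit is None or hit[0] <= now:
            resp = self._client.get_secret_value(SecretId=secret_id, VersionStage=stage)
            raw = resp["SecretString"]
            try:
                value = json.loads(raw)   # JSON secrets map to a dict of keys
            except ValueError:
                value = raw               # plain-string secret
            self._entries[cache_key] = (now + self._ttl, value)
        else:
            value = hit[1]
        if key is None:
            return value
        if not isinstance(value, dict):
            raise KeyError(f"secret {secret_id} is not a JSON object; cannot select {key!r}")
        return value[key]

    def invalidate(self, secret_id, stage="AWSCURRENT"):
        """Drop a cached entry, e.g. after an auth failure that suggests rotation."""
        self._entries.pop((secret_id, stage), None)


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client; models AWSCURRENT/AWSPREVIOUS stages."""

    def __init__(self):
        self._versions = {}  # secret_id -> {stage: secret_string}
        self.calls = 0

    def put_secret_value(self, SecretId, SecretString):
        stages = self._versions.setdefault(SecretId, {})
        if "AWSCURRENT" in stages:
            stages["AWSPREVIOUS"] = stages["AWSCURRENT"]
        stages["AWSCURRENT"] = SecretString

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", **_):
        self.calls += 1
        try:
            return {"SecretString": self._versions[SecretId][VersionStage]}
        except KeyError:
            raise LookupError(f"ResourceNotFoundException: {SecretId}/{VersionStage}")


def make_handler(client, secret_id="dummy/secret", key="key1", ttl=300):
    """Build a Lambda handler that reads the secret per invocation (cached)."""
    cache = SecretCache(client, ttl=ttl)

    def handler(event, context):
        value = cache.get(secret_id, key)
        # Use `value` for the real work; never echo or log the secret itself.
        return {"statusCode": 200, "secret_length": len(value)}

    return handler


def demo_rotation():
    """Rotated AWSCURRENT value is picked up once the cache TTL lapses."""
    fake = FakeSecretsManager()
    fake.put_secret_value("dummy/secret", json.dumps({"key1": "v1"}))
    clock = [0.0]
    cache = SecretCache(fake, ttl=60, clock=lambda: clock[0])
    before = cache.get("dummy/secret", "key1")    # "v1", first API call
    fake.put_secret_value("dummy/secret", json.dumps({"key1": "v2"}))
    cached = cache.get("dummy/secret", "key1")    # still "v1": inside TTL, no call
    clock[0] = 61.0
    after = cache.get("dummy/secret", "key1")     # "v2": TTL lapsed, refetched
    previous = cache.get("dummy/secret", "key1", stage="AWSPREVIOUS")  # "v1"
    return before, cached, after, previous, fake.calls


# Inside Lambda (AWS_LAMBDA_FUNCTION_NAME is set by the runtime) wire the real client.
if boto3 is not None and os.environ.get("AWS_LAMBDA_FUNCTION_NAME"):
    lambda_handler = make_handler(boto3.client("secretsmanager"))

if __name__ == "__main__":
    print(demo_rotation())
```

For this to work in a deployed function, the execution role needs secretsmanager:GetSecretValue on the secret (and kms:Decrypt if it is encrypted with a customer-managed key); SAM can grant that with an AWSSecretsManagerGetSecretValuePolicy entry under the function's Policies. Pick the TTL to match how quickly a rotation must take effect, and call invalidate() when a downstream authentication failure hints that the cached value is stale.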