How to assign AWS SecretsManager policies in CloudFormation file?
I am developing a REST API using AWS Lambda, API Gateway and RDS (MySQL). I am using Node.js.
To protect the database credentials, I went to the AWS web console and created a new secret.
Now I need to access it from my Lambda function. I know I have to assign the SecretsManagerReadWrite
permission, but I don't know how to do it.
Below is my CloudFormation configuration file.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100
    VpcConfig:
      SecurityGroupIds:
        - sg-041f2455252528e
      SubnetIds:
        - subnet-0385252525

Resources:
  GetAllAccountingTypesFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi/
      Handler: accountingtypes-getall.getallaccountingtypes
      Runtime: nodejs14.x
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accountingtypes/getallaccountingtypes
            Method: get

  LambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'

Outputs:
  # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
  # Find out more about other implicit resources you can reference within SAM
  # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
  HelloWorldApi:
    Description: "API Gateway endpoint URL for Prod stage for functions"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
In this file, how can I grant the permission to my Lambda function?

Based on the comments.
The usual practice is to access the secret value inside your lambda function. This requires granting the lambda execution role permission to access the secret.
In your CloudFormation template, you can pass the secret name (not its value) to the lambda function as an environment variable.
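As an added example (not the asker's template and not code from the answer above), here is how the role and the function could be written so that the function can read exactly one secret. It assumes a secret named aaaa-restapi/db-credentials (a placeholder; the question does not give the real name), that the function is attached to LambdaRole through `Role: !GetAtt LambdaRole.Arn` (the question's template defines the role but never attaches it to the function, so SAM would generate a separate role and LambdaRole would go unused), and it uses the AWS managed AWSLambdaVPCAccessExecutionRole in place of the hand-written ec2 statement. Only the resources that change are shown; Globals and Outputs stay as in the question.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Added example, Lambda execution role scoped to a single Secrets Manager secret

Parameters:
  DbSecretName:
    Type: String
    Description: Name of the secret created by hand in the console (assumed name, placeholder)
    Default: aaaa-restapi/db-credentials

Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        # Covers the ENI actions a VPC-attached function needs (replaces the inline ec2 statement)
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: read-db-secret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only, and only on this one secret. The managed policy
              # SecretsManagerReadWrite would allow reading and changing every
              # secret in the account, which a database reader does not need.
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                  - secretsmanager:DescribeSecret
                # Secrets Manager appends a random suffix to the secret ARN,
                # so the resource pattern ends in "-*" to match it.
                Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${DbSecretName}-*"

  GetAllAccountingTypesFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: aaaa-restapi/
      Handler: accountingtypes-getall.getallaccountingtypes
      Runtime: nodejs14.x
      # Attach the role defined above; without this line SAM creates its own role.
      Role: !GetAtt LambdaRole.Arn
      Environment:
        Variables:
          # Only the name is passed; the value is fetched at runtime and never lands in the template.
          DB_SECRET_NAME: !Ref DbSecretName
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /accountingtypes/getallaccountingtypes
            Method: get
```

Two things to check before deploying. If the secret is encrypted with a customer-managed KMS key rather than the default aws/secretsmanager key, the role also needs kms:Decrypt on that key, otherwise GetSecretValue fails with an access-denied error even though the Secrets Manager statement is correct. Because the function runs inside a VPC (the Globals block attaches it to a subnet and security group), it can only reach the Secrets Manager API through a NAT gateway or a Secrets Manager VPC interface endpoint; without one of those the call times out rather than being denied. In the handler, read process.env.DB_SECRET_NAME, call GetSecretValue once outside the request path and cache the result, so the secret is fetched per container rather than per invocation.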