为什么建议在 AWS SecretsManager 中手动配置预先存在的秘密,而不是通过 CDK/Cloudformation?
Why is it recommended to manually provision pre-existing secrets in AWS SecretsManager as opposed via CDK/Cloudformation?
引自aws cdk docs:
If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application
这是为什么?是不是明文密文存成代码不理想?
或者我们不希望秘密出现在cloudformation模板中?
是的,是的。早期的 CDK 版本甚至不允许将文本值传递给 Secret 构造函数。我们only recently got the secretStringBeta1: string 强烈警告:
It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
我们的 CDK 代码和生成的模板是 deterministic and version-controlled,如果使用明文秘密,进一步增加了泄漏的风险。
编辑: 根据@gshpychka 的评论,使用 Secret.fromSecretArn 导入的安全替代方法是构建一个没有秘密值的新 Secret。这会创建一个带有随机密码的秘密,您可以在控制台中更改 post-deploy。这种方法有助于将秘密的生命周期与 Stack 联系起来,并允许您在 Stack 的上下文中设置其属性。
引自aws cdk docs:
If you need to use a pre-existing secret, the recommended way is to manually provision the secret in AWS SecretsManager and use the Secret.fromSecretArn or Secret.fromSecretAttributes method to make it available in your CDK Application
这是为什么?是不是明文密文存成代码不理想?
或者我们不希望秘密出现在cloudformation模板中?
是的,是的。早期的 CDK 版本甚至不允许将文本值传递给 Secret 构造函数。我们only recently got the secretStringBeta1: string 强烈警告:
It is highly encouraged to leave this field undefined and allow SecretsManager to create the secret value. The secret string -- if provided -- will be included in the output of the cdk as part of synthesis, and will appear in the CloudFormation template in the console. This can be secure(-ish) if that value is merely reference to another resource (or one of its attributes), but if the value is a plaintext string, it will be visible to anyone with access to the CloudFormation template (via the AWS Console, SDKs, or CLI).
我们的 CDK 代码和生成的模板是 deterministic and version-controlled,如果使用明文秘密,进一步增加了泄漏的风险。
编辑: 根据@gshpychka 的评论,使用 Secret.fromSecretArn 导入的安全替代方法是构建一个没有秘密值的新 Secret。这会创建一个带有随机密码的秘密,您可以在控制台中更改 post-deploy。这种方法有助于将秘密的生命周期与 Stack 联系起来,并允许您在 Stack 的上下文中设置其属性。