AWS SecretsManager 值无法解析
AWS SecretsManager value won't resolve
我正在使用 aws-cdk-lib (2.13.0)。这是我的代码片段:
import { App, Stack } from 'aws-cdk-lib';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
export class CognitoStack extends Stack {
constructor(scope: App) {
super(scope, 'cognito');
const secret = this.getSecret('google');
console.log({ secret });
}
public getSecret(path: string) {
const secret = Secret.fromSecretNameV2(this, `Secret${path}`, path);
console.log({ path, secret, secretArn: secret.secretArn, string: secret.secretValue.toString() });
return secret.secretValue.toJSON();
}
}
生成的日志如下所示:
{
path: 'google',
secret: <ref *1> SecretBase {
node: Node {
host: [Circular *1],
_locked: false,
_children: {},
_context: {},
_metadata: [],
_dependencies: Set(0) {},
_validations: [Array],
id: 'Secretgoogle',
scope: [CognitoStack]
},
stack: CognitoStack {
node: [Node],
_missingContext: [],
_stackDependencies: {},
templateOptions: {},
_logicalIds: [LogicalIDs],
account: '${Token[AWS.AccountId.4]}',
region: '${Token[AWS.Region.8]}',
environment: 'aws://unknown-account/unknown-region',
terminationProtection: undefined,
_stackName: 'cognito',
tags: [TagManager],
artifactId: 'cognito',
templateFile: 'cognito.template.json',
_versionReportingEnabled: true,
synthesizer: [DefaultStackSynthesizer],
[Symbol(@aws-cdk/core.DependableTrait)]: [Object]
},
env: {
account: '${Token[AWS.AccountId.4]}',
region: '${Token[AWS.Region.8]}'
},
_physicalName: undefined,
_allowCrossEnvironment: false,
physicalName: '${Token[TOKEN.332]}',
encryptionKey: undefined,
secretName: 'google',
secretArn: 'arn:${Token[AWS.Partition.7]}:secretsmanager:${Token[AWS.Region.8]}:${Token[AWS.AccountId.4]}:secret:google',
autoCreatePolicy: false,
[Symbol(@aws-cdk/core.DependableTrait)]: { dependencyRoots: [Array] }
},
secretArn: 'arn:${Token[AWS.Partition.7]}:secretsmanager:${Token[AWS.Region.8]}:${Token[AWS.AccountId.4]}:secret:google',
string: '${Token[TOKEN.333]}'
}
{ secret: '<unresolved-token>' }
npx cdk diff sandbox-cognito 的结果如下所示:
Stack sandbox-cognito
Resources
[~] AWS::Cognito::UserPoolIdentityProvider Google GoogleAF1E99FA
└─ [~] ProviderDetails
├─ [-] Removed: .client_id
└─ [-] Removed: .client_secret
这意味着它正在删除我能够手动设置的 client_id/client_secret。现在我正在尝试从秘密中加载值,但它不起作用。
问题是我无法解析 JSON(注意日志中的 <unresolved-token>。我认为它尚未解决,但我不确定如何解决.. . 它试图解析这个字符串文字:${Token[TOKEN.333]},而不是秘密值。我怎样才能得到秘密字符串的结果?
将您现有的机密导入为 SecretValue。使用 .toString() 方法将其传递给 clientSecret:string 道具。
// Existing secret as SecretValue. Or use Secret.fromSecretNameV2.
const secretVal = cdk.SecretValue.secretsManager('GoogleSecrets', {
jsonField: 'client-secret',
});
new cognito.UserPoolIdentityProviderGoogle(this, 'GoogleProvider', {
userPool,
// creates a dynamic reference which resolves to the actual secret value at deploy-time
clientSecret: secretVal.toString(),
clientId: 'my-id',
});
说明
SecretValue.toString() 在生命周期中“解析”为不同的值:
当你 console.log 它时,你会在模板中得到一个(无用的)不透明占位符 Token value like ${Token[TOKEN.198]}. At synth-time CDK renders a CloudFormation dynamic reference:
//my-stack.template.json
{"client_secret": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:GoogleSecrets:SecretString:client-secret::}}"}
在 deploy-time,CloudFormation 从动态引用“解析”实际 秘密值。
重要的一点是,实际的秘密值永远不会暴露给您的本地环境或模板人工制品。
我正在使用 aws-cdk-lib (2.13.0)。这是我的代码片段:
import { App, Stack } from 'aws-cdk-lib';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
export class CognitoStack extends Stack {
constructor(scope: App) {
super(scope, 'cognito');
const secret = this.getSecret('google');
console.log({ secret });
}
public getSecret(path: string) {
const secret = Secret.fromSecretNameV2(this, `Secret${path}`, path);
console.log({ path, secret, secretArn: secret.secretArn, string: secret.secretValue.toString() });
return secret.secretValue.toJSON();
}
}
生成的日志如下所示:
{
path: 'google',
secret: <ref *1> SecretBase {
node: Node {
host: [Circular *1],
_locked: false,
_children: {},
_context: {},
_metadata: [],
_dependencies: Set(0) {},
_validations: [Array],
id: 'Secretgoogle',
scope: [CognitoStack]
},
stack: CognitoStack {
node: [Node],
_missingContext: [],
_stackDependencies: {},
templateOptions: {},
_logicalIds: [LogicalIDs],
account: '${Token[AWS.AccountId.4]}',
region: '${Token[AWS.Region.8]}',
environment: 'aws://unknown-account/unknown-region',
terminationProtection: undefined,
_stackName: 'cognito',
tags: [TagManager],
artifactId: 'cognito',
templateFile: 'cognito.template.json',
_versionReportingEnabled: true,
synthesizer: [DefaultStackSynthesizer],
[Symbol(@aws-cdk/core.DependableTrait)]: [Object]
},
env: {
account: '${Token[AWS.AccountId.4]}',
region: '${Token[AWS.Region.8]}'
},
_physicalName: undefined,
_allowCrossEnvironment: false,
physicalName: '${Token[TOKEN.332]}',
encryptionKey: undefined,
secretName: 'google',
secretArn: 'arn:${Token[AWS.Partition.7]}:secretsmanager:${Token[AWS.Region.8]}:${Token[AWS.AccountId.4]}:secret:google',
autoCreatePolicy: false,
[Symbol(@aws-cdk/core.DependableTrait)]: { dependencyRoots: [Array] }
},
secretArn: 'arn:${Token[AWS.Partition.7]}:secretsmanager:${Token[AWS.Region.8]}:${Token[AWS.AccountId.4]}:secret:google',
string: '${Token[TOKEN.333]}'
}
{ secret: '<unresolved-token>' }
npx cdk diff sandbox-cognito 的结果如下所示:
Stack sandbox-cognito
Resources
[~] AWS::Cognito::UserPoolIdentityProvider Google GoogleAF1E99FA
└─ [~] ProviderDetails
├─ [-] Removed: .client_id
└─ [-] Removed: .client_secret
这意味着它正在删除我能够手动设置的 client_id/client_secret。现在我正在尝试从秘密中加载值,但它不起作用。
问题是我无法解析 JSON(注意日志中的 <unresolved-token>。我认为它尚未解决,但我不确定如何解决.. . 它试图解析这个字符串文字:${Token[TOKEN.333]},而不是秘密值。我怎样才能得到秘密字符串的结果?
将您现有的机密导入为 SecretValue。使用 .toString() 方法将其传递给 clientSecret:string 道具。
// Existing secret as SecretValue. Or use Secret.fromSecretNameV2.
const secretVal = cdk.SecretValue.secretsManager('GoogleSecrets', {
jsonField: 'client-secret',
});
new cognito.UserPoolIdentityProviderGoogle(this, 'GoogleProvider', {
userPool,
// creates a dynamic reference which resolves to the actual secret value at deploy-time
clientSecret: secretVal.toString(),
clientId: 'my-id',
});
说明
SecretValue.toString() 在生命周期中“解析”为不同的值:
当你 console.log 它时,你会在模板中得到一个(无用的)不透明占位符 Token value like ${Token[TOKEN.198]}. At synth-time CDK renders a CloudFormation dynamic reference:
//my-stack.template.json
{"client_secret": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:GoogleSecrets:SecretString:client-secret::}}"}
在 deploy-time,CloudFormation 从动态引用“解析”实际 秘密值。
重要的一点是,实际的秘密值永远不会暴露给您的本地环境或模板人工制品。