我有一个 CloudFormation 模板来在 Secrets Manager 中创建 Secret。我当前的模板与此类似(基于 aws 文档 https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html ):
{
"Resources": {
"MyCredentials": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "prod/web/api",
"Description": "",
"SecretString": "{
\"Client_id\":\"my_client_id\",
\"Client_secret\":\"a_super_secret_value\"
}"
}
}
}
}
我的问题是我无法使用GenerateSecretString属性,因为密码是从外部组织定义的,所以我无法自己更改或创建该值,这样可以从CloudFormation中的模板查看 secret 值.
是否可以实现此目的,或者我需要手动创建 secret ?
最佳答案
您可以使用AWS SSM Parameter ,外部组织已授予在那里添加/更新密码的权限,或者团队中的某人执行相同的操作。
密码存在后,您可以通过dynamic references读取您的cloudformation模板。就像下面这样,
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
或者static reference如下所示:
here Accessing the AvailabilityZone param stored in SSM.
"AvailabilityZone": {
"Description": "Amazon EC2 instance Availablity Zone",
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "AvailabilityZone"
}
更多示例参见Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates
关于amazon-web-services - 使用 CloudFormation 创建 Secrets Manager 但保持值不可见,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65722367/