Amazon CloudFormation using exported values


I can export the keys with this CloudFormation template.

But how do I import the saved keys directly into the "UserData" section of another template? I tried this, but it doesn't work:

aws-ec2-assign-elastic-ip --access-key !Ref {"Fn::ImportValue" : "accessKey" } --secret-key --valid-ips 35.174.198.170

The rest of the template (without the access key and secret key references) works as expected.


The suggestion in the comments seems to be correct. I can reference the export name directly with ImportValue (e.g. "accessKey" in this example):

AWSTemplateFormatVersion: '2010-09-09'
Metadata:
  License: Apache-2.0
Description: 'AWS CloudFormation Sample Template'

Resources:
  CFNUser:
    Type: AWS::IAM::User

Outputs:
  AccessKey:
    Value: 
      Fn::ImportValue: accessKey
    Description: AWSAccessKeyId of new user

For example, the template above returns the value of accessKey if it has been exported by another template.

So, if this is the script that does the export (sorry, this one is in YAML format):

Below is an example of how to import those values into the UserData of the importing CloudFormation script:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Test instance stack",
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    },
    "BaseImage": {
      "Description": "The AMI to use for machines.",
      "Type": "String"
    },
    "VPCID": {
      "Description": "ID of the VPC",
      "Type": "String"
    },
    "SubnetID": {
      "Description": "ID of the subnet",
      "Type": "String"
    }
  },
  "Resources": {
    "InstanceSecGrp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Instance Security Group",
        "SecurityGroupIngress": [{
          "IpProtocol": "-1",
          "CidrIp": "0.0.0.0/0"
        }],
        "SecurityGroupEgress": [{
          "IpProtocol": "-1",
          "CidrIp": "0.0.0.0/0"
        }],
        "VpcId": {
          "Ref": "VPCID"
        }
      }
    },
    "SingleInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "KeyName": {
          "Ref": "KeyName"
        },
        "ImageId": {
          "Ref": "BaseImage"
        },
        "InstanceType": "t2.micro",
        "Monitoring": "false",
        "BlockDeviceMappings": [{
          "DeviceName": "/dev/xvda",
          "Ebs": {
            "VolumeSize": "20",
            "VolumeType": "gp2"
          }
        }],
        "NetworkInterfaces": [{
          "GroupSet": [{
            "Ref": "InstanceSecGrp"
          }],
          "AssociatePublicIpAddress": "true",
          "DeviceIndex": "0",
          "DeleteOnTermination": "true",
          "SubnetId": {
            "Ref": "SubnetID"
          }
        }],
        "UserData": {
          "Fn::Base64": {
            "Fn::Join": ["", [
              "#!/bin/bash -xe\n",
              "yum install httpd -y\n",
              "sudo sh -c \"echo ",
              { "Fn::ImportValue" : "secretKey" },
              " >> /home/ec2-user/mysecret.txt\" \n",
              "sudo sh -c \"echo ",
              { "Fn::ImportValue" : "accessKey" },
              " >> /home/ec2-user/myaccesskey.txt\" \n"
            ]]
          }
        }
      }
    }
  }
}

In this example I'm just echoing the imported values into a file. If you SSH into SingleInstance and inspect the log at /var/lib/cloud/instance/scripts/part-001, you'll see what the user data script looks like on the server. In my case, the content of that file is (the key values are not real):

Use this as a starting point; you can do whatever you need with the imported values.

I've tested all of this with the scripts above and everything works.

Can you show your user data section, including your import value section?

@WarrenG I mentioned it in the second GitHub link. The problem is that I can import the value using: !Ref {"Fn::ImportValue": "accessKey"}

What error do you get when you try it?

Template validation: Template format error: JSON not well-formed. (line 64, column 59). Although this code works, I can't reference accessKey in the user data.

What happens when you try it?

I get the error: Template validation error: Template format error: JSON not well-formed. (line 64, column 59)

Do you want to use JSON, or can I give you a YAML example?

JSON is preferred. Something like this. But it doesn't work.

Both templates work as expected. But would you suggest any optimizations?

Having any key in your user data is not a good idea, because anyone with console access or server access can view your key. In the first template I would save the key to Secrets Manager (), and in the second template I would run an aws cli command to get the secret value ().

OK. Got it. Apart from the secret key, is there anything else you would do differently?
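The following is an added example, not code from the question, the answer or AWS. It resolves a UserData block the way CloudFormation does (Fn::Base64 over Fn::Join over Fn::ImportValue), so you can see that the answer's template renders into exactly the kind of plaintext part-001 script shown above, and then scans the rendered script for credential material, which is the exposure the last comment warns about: the rendered user data is readable on the instance and through the console or DescribeInstanceAttribute. It also shows the hardened shape the comment suggests, with only a Secrets Manager ARN in UserData and the value fetched at boot. The export name "secretArn", the instance profile with secretsmanager:GetSecretValue, the availability of the aws CLI on the AMI, and all export values are assumptions or constructed placeholders.

```python
"""Resolve and audit CloudFormation UserData (added example, not the page's code).

Everything written into UserData lands in plaintext in
/var/lib/cloud/instance/scripts/part-001 and is returned by
DescribeInstanceAttribute, so credentials joined in via Fn::ImportValue are
exposed to anyone with console/API or host access. The export values below
are constructed placeholders, not real credentials.
"""
import base64
import json
import re

# UserData from the answer's template: the imported keys are embedded verbatim.
EMBEDDED_USERDATA = {
    "Fn::Base64": {
        "Fn::Join": ["", [
            "#!/bin/bash -xe\n",
            "yum install httpd -y\n",
            "sudo sh -c \"echo ",
            {"Fn::ImportValue": "secretKey"},
            " >> /home/ec2-user/mysecret.txt\" \n",
            "sudo sh -c \"echo ",
            {"Fn::ImportValue": "accessKey"},
            " >> /home/ec2-user/myaccesskey.txt\" \n",
        ]]
    }
}

# Hardened variant (assumptions: the exporting stack exports the ARN of a
# Secrets Manager secret as "secretArn"; the instance has an instance profile
# allowing secretsmanager:GetSecretValue on it; the AMI ships the aws CLI).
# Only the ARN is baked into UserData; the secret is fetched at boot.
FETCHED_USERDATA = {
    "Fn::Base64": {
        "Fn::Join": ["", [
            "#!/bin/bash -xe\n",
            "yum install httpd -y\n",
            "aws secretsmanager get-secret-value --secret-id ",
            {"Fn::ImportValue": "secretArn"},
            " --query SecretString --output text > /home/ec2-user/mysecret.txt\n",
        ]]
    }
}

# Constructed stand-ins for the exporting stack's outputs (not real values).
EXPORTS = {
    "accessKey": "AKIAEXAMPLEEXAMPLE12",
    "secretKey": "EXAMPLEsecretKeyValue" + "0" * 19,  # 40 chars, like a real one
    "secretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-AbCdEf",
}

# AWS access key ids are AKIA/ASIA + 16 uppercase alphanumerics; secret access
# keys are 40 characters from the base64 alphabet.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def resolve(node, exports):
    """Evaluate the subset of intrinsic functions that UserData normally uses."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Fn::ImportValue":
            name = resolve(arg, exports)
            if name not in exports:
                raise KeyError(f"no export named {name!r}")  # stack creation would fail here
            return exports[name]
        if fn == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(p, exports) for p in parts)
        if fn == "Fn::Base64":
            return base64.b64encode(resolve(arg, exports).encode()).decode()
    raise ValueError(f"unsupported template node: {node!r}")


def render_userdata(userdata, exports):
    """Plaintext script exactly as cloud-init will write it to part-001."""
    return base64.b64decode(resolve(userdata, exports)).decode()


def imports_in(node):
    """Names of every Fn::ImportValue inside a template fragment."""
    names = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Fn::ImportValue" and isinstance(value, str):
                names.add(value)
            names |= imports_in(value)
    elif isinstance(node, list):
        for item in node:
            names |= imports_in(item)
    return names


def userdata_of(template_path, logical_id):
    """Pull the UserData of one EC2 instance out of a JSON template file."""
    with open(template_path) as fh:
        template = json.load(fh)
    return template["Resources"][logical_id]["Properties"]["UserData"]


def audit_userdata(userdata, exports):
    """Findings for credential material that the rendered UserData would expose."""
    script = render_userdata(userdata, exports)
    findings = [f"access key id {m.group(0)} in rendered UserData"
                for m in ACCESS_KEY_ID_RE.finditer(script)]
    findings += ["40-character secret-access-key-like string in rendered UserData"
                 for _ in SECRET_KEY_RE.finditer(script)]
    return findings


if __name__ == "__main__":
    for label, ud in (("embedded", EMBEDDED_USERDATA), ("fetched", FETCHED_USERDATA)):
        print(f"== {label}: imports {sorted(imports_in(ud))}")
        print(render_userdata(ud, EXPORTS))
        for finding in audit_userdata(ud, EXPORTS):
            print("FINDING:", finding)
```

Running it prints the rendered scripts: the embedded variant reproduces the shape of the part-001 file from the answer and yields two findings (an access key id and a secret-key-like string), while the fetched variant contains only the ARN and yields none. To check a real template before deployment, pass `userdata_of("template.json", "SingleInstance")` to `audit_userdata` with the export values the other stack actually publishes; if you would rather not have the real values on your workstation, `imports_in` alone tells you which cross-stack exports flow into user data.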

Contents of /var/lib/cloud/instance/scripts/part-001 on the instance after boot (the key values are not real, as noted in the answer above):

#!/bin/bash -xe
yum install httpd -y
sudo sh -c "echo hAc7/TJA123143235ASFFgKWkKSjIC4 >> /home/ec2-user/mysecret.txt"
sudo sh -c "echo AKIAQ123456789123D >> /home/ec2-user/myaccesskey.txt"