Amazon CloudFormation: using an AWS Secrets Manager secret in CloudFormation

Tags: amazon-cloudformation, aws-secrets-manager

I want to export the password of a read-only user to an EC2 instance. How can I access the generated password in UserData?

Resources:
  ReadOnlyUserCredentials:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: !Sub "${AWS::StackName}/readonly-user-credentials"
        GenerateSecretString:
          SecretStringTemplate: '{"username": "read_only_user"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-a4c7edb2
      InstanceType: t2.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          echo "${!Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]}" > password
I tried using this !Join, but of course that doesn't work. I would really appreciate any help here.

Update:

      UserData:
        Fn::Base64:
         Fn::Sub:
          - |
            echo ${PasswordStr} > password
          - PasswordStr: !Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]


By changing the code as shown above I do get the resolve string, but it does not give me the actual password. How do I resolve the ARN to get the plain password?

You probably don't want CFN to expand your secret into the user data, because the password would then be embedded in the base64-encoded user-data script, which is visible in the EC2 console.

Instead, you should take advantage of the fact that you have a script executing on the host, and call Secrets Manager at script execution time (warning, untested):


Resources:
  ReadOnlyUserCredentials:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: !Sub "${AWS::StackName}/readonly-user-credentials"
        GenerateSecretString:
          SecretStringTemplate: '{"username": "read_only_user"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-a4c7edb2
      InstanceType: t2.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          yum install -y jq
          # ${ReadOnlyUserCredentials} is replaced by CFN with the secret's ARN (!Ref on a
          # Secret resource); the password itself is only fetched at boot, on the host.
          aws --region ${AWS::Region} secretsmanager get-secret-value --secret-id ${ReadOnlyUserCredentials} --query SecretString --output text | jq -r .password > password

Comments:

Isn't this the same as David's? You're right. Using the link above I was able to pass the variable. Is it still possible to access the password within CloudFormation? !Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}']] only provides the resolve string. How do I get the actual password?

I tried this; however, it assumes you have access credentials set up inside the instance in order to do things with the aws cli…

Yes, you need to set up permissions for the instance to access the secret. You can find more details in the answer to the earlier question.
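The comments above point at the missing piece: the instance needs IAM permission to call GetSecretValue. The following template is an added example, not code from the question or the answer; it keeps the question's secret and AMI ID and adds an assumed role and instance profile (WebServerRole, WebServerInstanceProfile) scoped to this one secret, so the password never enters the user-data blob.

```yaml
Resources:
  ReadOnlyUserCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/readonly-user-credentials"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "read_only_user"}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
  WebServerRole:            # assumed name; role the instance assumes at boot
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-readonly-user-secret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref ReadOnlyUserCredentials   # !Ref on a Secret is its ARN
  WebServerInstanceProfile: # assumed name; binds the role to the instance
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref WebServerRole]
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-a4c7edb2   # AMI from the question; use one valid in your region
      InstanceType: t2.micro
      IamInstanceProfile: !Ref WebServerInstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          set -euo pipefail
          yum install -y jq
          # Only the secret's ARN is substituted by CFN here; the password is
          # fetched over the instance role at boot and never appears in user data.
          aws --region ${AWS::Region} secretsmanager get-secret-value \
            --secret-id "${ReadOnlyUserCredentials}" --query SecretString --output text \
            | jq -r .password > /root/password
          chmod 600 /root/password
```

With this in place, `{{resolve:secretsmanager:...}}` is not needed at all: the only thing CloudFormation writes into UserData is the ARN.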