Authentication 如何使用CloudFormation在EC2实例启动时复制文件并添加动态内容?
我需要使用CloudFormation在启动时将来自secretsmanager的cert文件的内容复制到EC2实例中 编辑: 我在代码中添加了IAM角色、策略和InstanceProfile,以确保可以使用UserData访问SecretsManager值 代码如下所示:Authentication 如何使用CloudFormation在EC2实例启动时复制文件并添加动态内容?,authentication,amazon-cloudformation,Authentication,Amazon Cloudformation,我需要使用CloudFormation在启动时将来自secretsmanager的cert文件的内容复制到EC2实例中 编辑: 我在代码中添加了IAM角色、策略和InstanceProfile,以确保可以使用UserData访问SecretsManager值 代码如下所示: SecretsManagerAccessRole: Type: AWS::IAM::Role Properties: RoleName: CloudFormationSecretsManagerAccessRole
SecretsManagerAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: CloudFormationSecretsManagerAccessRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: sts:AssumeRole
Path: "/"
SecretsManagerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles: [ !Ref SecretsManagerAccessRole ]
SecretsManagerInstancePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: SecretsManagerAccessPolicy,
PolicyDocument:
Statement:
- Effect: Allow
Action: secretsmanager:GetSecretValue
Resource: <arn-of-the-secret>
Roles: [ !Ref SecretsManagerAccessRole ]
LinuxEC2Instance:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref SecretsManagerInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y
groupadd -g 110 ansible
adduser ansible -g ansible
mkdir -p /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
aws secretsmanager get-secret-value \
--secret-id <arn-of-the-secret> \
--region ${AWS::Region} \
--query 'SecretString' \
--output text > /home/ansible/.ssh/authorized_keys
chmod 000644 /home/ansible/.ssh/authorized_keys
chown -R ansible.ansible /home/ansible/.ssh/
cat /home/ansible/.ssh/authorized_keys
SecretsManagerAccessRole:
类型:AWS::IAM::角色
特性:
RoleName:CloudFormationSecretsManager访问角色
假设政策文件:
版本:'2012-10-17'
声明:
-效果:允许
负责人:
AWS:!子arn:aws:iam:${aws::AccountId}:root
行动:sts:假设角色
路径:“/”
SecretsManager管理员档案:
类型:AWS::IAM::InstanceProfile
特性:
路径:“/”
角色:[!Ref SecretsManagerAccessRole]
秘书长管理政策:
类型:AWS::IAM::策略
特性:
策略名称:SecretsManagerAccessPolicy,
政策文件:
声明:
-效果:允许
操作:secretsmanager:GetSecretValue
资源:
角色:[!Ref SecretsManagerAccessRole]
Linuxec2实例:
类型:AWS::EC2::实例
特性:
IAMSInstanceProfile:!Ref SecretsManagerInstanceProfile
用户数据:
Fn::Base64:!潜艇|
#!/bin/bash-xe
yum更新-y
groupadd-g 110 ansible
adduser ansible-g ansible
mkdir-p/home/ansible/.ssh
chmod 700/home/ansible/.ssh
aws secretsmanager获取秘密值\
--秘密身份证\
--区域${AWS::region}\
--查询“SecretString”\
--输出文本>/home/ansible/.ssh/authorized\u key
chmod 000644/home/ansible/.ssh/authorized_key
chown-R ansible.ansible/home/ansible/.ssh/
cat/home/ansible/.ssh/authorized_密钥
在实例启动期间,我在这里遇到了以下问题:
找不到凭据。您可以通过运行“aws配置”来配置凭据
用户似乎没有获得在UserData中执行此操作所需的角色?为什么呢?我尝试了几件事,但都失败了。唯一有效的方法是使用
UserData
例如,您可以具有以下内容:
LinuxEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-08f3d892de259504d # AL2 in us-east-1
InstanceType: t2.micro
IamInstanceProfile: <name-of-instance-profile>
KeyName: MyKeyPair
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y
groupadd -g 110 ansible
adduser ansible -g ansible
mkdir -p /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
secret_value=$(aws secretsmanager get-secret-value \
--secret-id <arn-of-the-secret> \
--region ${AWS::Region} \
--query 'SecretString' \
--output text)
# have to check the exact command here of jq
echo ${!secret_value} | jq -r '.key' > /home/ansible/.ssh/authorized_keys
chmod 000644 /home/ansible/.ssh/authorized_keys
chown -R ansible.ansible /home/ansible/.ssh/
Linuxec2实例:
类型:AWS::EC2::实例
特性:
ImageId:ami-08f3d892de259504d#AL2在美国东部-1
实例类型:t2.micro
IAMSInstanceProfile:
关键字名称:MyKeyPair
用户数据:
Fn::Base64:!潜艇|
#!/bin/bash-xe
yum更新-y
groupadd-g 110 ansible
adduser ansible-g ansible
mkdir-p/home/ansible/.ssh
chmod 700/home/ansible/.ssh
机密值=$(aws secretsmanager获取机密值\
--秘密身份证\
--区域${AWS::region}\
--查询“SecretString”\
--输出文本)
#必须检查jq的确切命令
echo${!secret_value}jq-r'.key'>/home/ansible/.ssh/authorized_key
chmod 000644/home/ansible/.ssh/authorized_key
chown-R ansible.ansible/home/ansible/.ssh/
您还需要向实例添加一个实例角色/配置文件
这样它就能读懂秘密。该角色可以包含以下内容
政策:
{
“版本”:“2012-10-17”,
“声明”:[
{
“Sid”:“ReadSecretValue”,
“效果”:“允许”,
“操作”:“secretsmanager:GetSecretValue”,
“资源”:”
}
]
}
编辑:
如果您KMS用于加密机密,那么实例角色也需要拥有KMS的权限。好的,我已经开始工作了,这是完整的答案,下面的代码对我有效,此外,我需要在权限中添加“KMS:GenerateDataKey”、“KMS:Decrypt”以正确检索机密,最后,我需要使用jq从secrets manager获取的JSON格式中检索值:
CFNInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref CFNAccessRole
CFNAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: CFNAccessRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Path: /
CFNInstancePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: SecretsManagerAccessPolicy,
PolicyDocument:
Statement:
- Effect: Allow
Action: ['secretsmanager:GetSecretValue', 'kms:GenerateDataKey', 'kms:Decrypt']
Resource: '*'
Roles:
- !Ref CFNAccessRole
# EC2 Instance creation
LinuxEC2Instance:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref CFNInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y
groupadd -g 110 ansible
adduser ansible -g ansible
mkdir -p /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
aws secretsmanager get-secret-value \
--secret-id <arn-of-the-secret> \
--region ${AWS::Region} \
--query 'SecretString' \
--output text | jq -r ".key" > /home/ansible/.ssh/authorized_keys
chmod 000644 /home/ansible/.ssh/authorized_keys
chown -R ansible.ansible /home/ansible/.ssh/
cat /home/ansible/.ssh/authorized_keys
CFNInstanceProfile:
类型:AWS::IAM::InstanceProfile
特性:
路径:/
角色:
- !Ref CFNAccessRole
CFNAccessRole:
类型:AWS::IAM::角色
特性:
角色名称:CFNAccessRole
假设政策文件:
版本:2012-10-17
声明:
-效果:允许
负责人:
服务:ec2.amazonaws.com
行动:sts:假设角色
路径:/
CFN临时政策:
类型:AWS::IAM::策略
特性:
策略名称:SecretsManagerAccessPolicy,
政策文件:
声明:
-效果:允许
操作:['secretsmanager:GetSecretValue','kms:GenerateDataKey','kms:Decrypt']
资源:'*'
角色:
- !Ref CFNAccessRole
#EC2实例创建
Linuxec2实例:
类型:AWS::EC2::实例
特性:
IAMSInstanceProfile:!参考CFNInstanceProfile
用户数据:
Fn::Base64:!潜艇|
#!/bin/bash-xe
yum更新-y
groupadd-g 110 ansible
adduser ansible-g ansible
mkdir-p/home/ansible/.ssh
chmod 700/home/ansible/.ssh
aws secretsmanager获取秘密值\
--秘密身份证\
--区域${AWS::region}\
--查询“SecretString”\
--输出文本| jq-r.key“>/home/ansible/.ssh/authorized_keys
chmod 000644/home/ansible/.ssh/authorized_key
chown-R ansible.ansible/home/ansible/.ssh/
cat/home/ansible/.ssh/authorized_密钥
请尝试删除空格:{{resolve:secretsmanager
->{code>{resolve:secretsmanager。嘿!谢谢这很有帮助!我编辑了我的代码并添加了所需的角色,但它似乎对执行操作没有任何影响,我得到了编辑的代码中描述的问题text@Benny我明白了,你也有加密
CFNInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref CFNAccessRole
CFNAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: CFNAccessRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Path: /
CFNInstancePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: SecretsManagerAccessPolicy,
PolicyDocument:
Statement:
- Effect: Allow
Action: ['secretsmanager:GetSecretValue', 'kms:GenerateDataKey', 'kms:Decrypt']
Resource: '*'
Roles:
- !Ref CFNAccessRole
# EC2 Instance creation
LinuxEC2Instance:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref CFNInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum update -y
groupadd -g 110 ansible
adduser ansible -g ansible
mkdir -p /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
aws secretsmanager get-secret-value \
--secret-id <arn-of-the-secret> \
--region ${AWS::Region} \
--query 'SecretString' \
--output text | jq -r ".key" > /home/ansible/.ssh/authorized_keys
chmod 000644 /home/ansible/.ssh/authorized_keys
chown -R ansible.ansible /home/ansible/.ssh/
cat /home/ansible/.ssh/authorized_keys