AWS Lambda: resolving serverless.yml's provider.role from Secrets Manager

Tags: aws-lambda, amazon-cloudformation, serverless, aws-secrets-manager

Question

I am using a serverless.env.yml file that defines all of the env properties. Many of the env properties are read/resolved directly from Secrets Manager at CloudFormation run time (see the full env.yml file below). I have it working correctly for all properties. Just recently I also tried moving the Lambda execution role name into a secret and referencing it in the env file, like this:

```yaml
lambdaRole: "{{resolve:secretsmanager:${self:provider.deployVersion}_cph_cloudwatch_vpc}}"
```
I get a template error when I run `serverless deploy`. If I change the value to use the ARN directly, like this, it works:

```yaml
lambdaRole: arn:aws:iam::#{AWS::AccountId}:role/V1_CPH_Cloudwatch_VPC
```

I believe the Lambda execution role cannot be resolved from the secret because of the way Serverless generates the template. In the working case the template sets the role correctly:

```json
"Role": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/V1_CPH_Cloudwatch_VPC" },
```

Whereas when I resolve the role from the secret, the template looks like the following. I believe this is what fails in AWS CloudFormation, because it uses `Fn::GetAtt` instead of `Fn::Sub` or `resolve`:

```json
"Role": {
  "Fn::GetAtt": [
    "{{resolve:secretsmanager:v1_cph_cloudwatch_vpc}}",
    "Arn"
  ]
},
```

On further investigation I can confirm that this is likely related to how Serverless generates the template, because when I manually changed the role in the Serverless-generated template to the following, the function could be deployed:

```json
"Role": "{{resolve:secretsmanager:v1_cph_cloudwatch_vpc}}",
```

Do you know whether this will be supported, or am I missing something? Perhaps there is a plugin I could use for this. I could use the Serverless variables mentioned here, but I want the Secrets Manager variables to be resolved at CloudFormation run time rather than as values that go directly into the template.
Command run

```
sls deploy --service --stage qa --env deploy
```

Console output

```
Serverless: Validating template...

  Error --------------------------------------------------

  Error: The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource {{resolve:secretsmanager:v1_cph_cloudwatch_vpc}}
      at provider.request.catch.error (C:\npm\node_modules\serverless\lib\plugins\aws\deploy\lib\validateTemplate.js:20:13)
      at tryCatcher (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\util.js:16:23)
      at Promise._settlePromiseFromHandler (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\promise.js:547:31)
      at Promise._settlePromise (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\promise.js:604:18)
      at Promise._settlePromise0 (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\promise.js:649:10)
      at Promise._settlePromises (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\promise.js:725:18)
      at _drainQueueStep (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\async.js:93:12)
      at _drainQueue (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\async.js:86:9)
      at Async._drainQueues (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\async.js:102:5)
      at Immediate.Async.drainQueues [as _onImmediate] (C:\npm\node_modules\serverless\node_modules\bluebird\js\release\async.js:15:14)
      at tryOnImmediate (timers.js:667:5)
      at runCallback (timers.js:696:18)
      at processImmediate (timers.js:649:5)
      at process.topLevelDomainCallback (domain.js:121:23)
```
Serverless.yml

```yaml
service: ${self:provider.deployVersion}-cph-${opt:service}

provider:
  name: aws
  endpointType: ${opt:endpoint, 'regional'}
  runtime: nodejs12.x
  region: us-east-1
  memorySize: 128
  timeout: 25
  deployVersion: v1
  versionFunctions: false
  role: ${self:custom.env.lambdaRole}   # <-- the role reference in question
  deploymentBucket: ${opt:deploymentBucket, '${ssm:/aws/reference/secretsmanager/${self:provider.deployVersion}_deployment_S3Bucket~true}'}
  vpc: ${self:custom.env.vpc}
  stage: ${opt:stage, 'dev'}
  accessControlAllowOrigin: ${self:custom.env.accessControlAllowOrigin}
  stackTags:
    buildTag: ${opt:buildTag, ' '}
    releaseVersion: ${opt:releaseVersion, ' '}
  environment:
    stage: ${self:provider.stage}
    region: ${self:provider.region}
    cognitoPoolRegion: ${self:provider.region}
    rdsConnectionDialect: ${self:custom.env.rdsConnectionDialect}
    rdsConnectionHost: ${self:custom.env.rdsConnectionHost}
    rdsConnectionDatabase: ${self:custom.env.rdsConnectionDatabase}
    rdsConnectionUsername: ${self:custom.env.rdsConnectionUsername}
    rdsConnectionPassword: ${self:custom.env.rdsConnectionPassword}

plugins:
  - serverless-plugin-typescript
  - serverless-offline
  - serverless-reqvalidator-plugin
  - cph-serverless-aws-models
  - serverless-pseudo-parameters
  - serverless-plugin-bind-deployment-id

functions:
  - ${file(./serverless/${opt:service}.yml):functions}

resources:
  - ${file(./serverless/basePathMapping.yml)}
  - ${file(./serverless/apiGatewayErrorResponses.yml)}
  - ${file(./serverless/apiGatewayValidators.yml)}
  - ${file(./serverless/outputs.yml)}

custom:
  env: ${file(./serverless.env.yml):${opt:env, 'deploy'}}
  webpackIncludeModules: true
  webpack:
    includeModules:
      forceInclude:
        - pg
        - sequelize
        - sequelize-typescript
  apigwBinary:
    types:
      - "multipart/form-data"
      - "application/pdf"
      - "image/*"
  models: ${file(./serverless/${opt:service}.yml):custom.models}
```

serverless.env.yml

```yaml
deploy:
  rdsConnectionDialect: postgres
  lambdaRole: "{{resolve:secretsmanager:${self:provider.deployVersion}_cph_cloudwatch_vpc}}"   # <-- the secret-backed role
  lambdaAuthorizerARN: arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:${self:provider.deployVersion}-cph-RequestAuthorizer-${self:provider.stage}-authorizerFunc
  domain: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_domainName}}"
  rdsConnectionHost: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseHost}}"
  rdsConnectionDatabase: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseName}}"
  rdsConnectionUsername: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseUserName}}"
  rdsConnectionPassword: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databasePassword}}"
  accessControlAllowOrigin: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_accessControlAllowOrigin}}"
  vpc:
    securityGroupIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_securityGroupIds}}"
    subnetIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_1}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_2}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_3}}"
```
Environment Information ---------------------------

```
OS:                      win32
Node Version:            10.6.0
Framework Version:       1.56.1
Plugin Version:          3.2.1
SDK Version:             2.2.0
Components Core Version: 1.1.2
Components CLI Version:  1.4.0
```
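The generated template in the question shows what goes wrong: a `provider.role` string that is not an ARN is emitted as `Fn::GetAtt [<string>, "Arn"]`, so CloudFormation's validator looks for a logical resource literally named `{{resolve:secretsmanager:...}}` and fails, while the same dynamic reference as a bare `Role` string deploys. The script below is an added example (my own code, not from the question or the Serverless Framework project) that reproduces that validation check offline and applies the manual edit from the question automatically to the packaged template. Assumptions not taken from the question: the template path is the file Serverless v1 writes under `.serverless/` during packaging, and `{{resolve:` is CloudFormation's dynamic-reference prefix; the sample template is constructed to match the snippet in the question.

```python
"""Offline check/fix for a Serverless-generated CloudFormation template whose
Lambda Role was emitted as Fn::GetAtt on a Secrets Manager dynamic reference.
Added example, not code from the question or the Serverless Framework project."""
import copy
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

DYNAMIC_REF_PREFIX = "{{resolve:"           # CloudFormation dynamic-reference syntax
# Path Serverless v1 writes during `sls package` (assumption, not from the question).
DEFAULT_TEMPLATE = ".serverless/cloudformation-template-update-stack.json"


def _walk(node: Any) -> Iterator[dict]:
    """Yield every dict in the template, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def undefined_getatt_targets(template: dict) -> List[str]:
    """Reproduce, offline, the check behind the deploy error in the question:
    every Fn::GetAtt must name a logical id present in Resources.
    Returns the logical ids that are referenced but never defined."""
    defined = set(template.get("Resources", {}))
    missing: List[str] = []
    for node in _walk(template):
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target and isinstance(target[0], str):
            logical_id = target[0]
        elif isinstance(target, str):            # "LogicalId.Attribute" short form
            logical_id = target.split(".", 1)[0]
        else:
            continue
        if logical_id not in defined:
            missing.append(logical_id)
    return missing


def fix_dynamic_reference_roles(template: dict) -> Tuple[dict, List[str]]:
    """For each AWS::Lambda::Function whose Role is
    {"Fn::GetAtt": ["{{resolve:secretsmanager:...}}", "Arn"]}, emit the bare
    dynamic-reference string instead (the manual edit the question reports as
    deploying), so CloudFormation resolves the role ARN at stack-operation time.
    The input is not mutated; returns the new template and the ids rewritten."""
    fixed = copy.deepcopy(template)
    changed: List[str] = []
    for logical_id, resource in fixed.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        role = resource.get("Properties", {}).get("Role")
        target = role.get("Fn::GetAtt") if isinstance(role, dict) else None
        if (isinstance(target, list) and len(target) == 2
                and isinstance(target[0], str)
                and target[0].startswith(DYNAMIC_REF_PREFIX)
                and target[1] == "Arn"):
            resource["Properties"]["Role"] = target[0]
            changed.append(logical_id)
    return fixed, changed


# Constructed sample shaped like the snippet in the question: one function whose
# Role came out as Fn::GetAtt on the dynamic reference, plus an ordinary resource.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "HelloLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "handler.hello",
                "Runtime": "nodejs12.x",
                "Role": {"Fn::GetAtt": ["{{resolve:secretsmanager:v1_cph_cloudwatch_vpc}}", "Arn"]},
            },
        },
        "HelloLogGroup": {"Type": "AWS::Logs::LogGroup",
                          "Properties": {"LogGroupName": "/aws/lambda/hello"}},
    }
}


def main(argv: List[str]) -> int:
    """Rewrite the template in place; exit non-zero if any GetAtt is still dangling."""
    path = argv[1] if len(argv) > 1 else DEFAULT_TEMPLATE
    with open(path, encoding="utf-8") as fh:
        template = json.load(fh)
    fixed, changed = fix_dynamic_reference_roles(template)
    dangling = undefined_getatt_targets(fixed)
    print(f"rewrote Role on: {', '.join(changed) or 'nothing'}")
    print(f"undefined Fn::GetAtt targets left: {', '.join(dangling) or 'none'}")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(fixed, fh, indent=2)
    return 1 if dangling else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `sls package` first, then the script against the generated template, then `sls deploy --package .serverless` so the edited template is what gets uploaded. Because the script exits non-zero whenever an `Fn::GetAtt` still points at a logical id the template does not define, it doubles as a pre-deploy gate that catches the same condition CloudFormation's validator reported in the question before any stack operation starts.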