Aws lambda 解析Serverless.yml'；s提供程序。来自机密管理器的角色

问题 我使用的是定义所有env属性的serverless.env.yml文件。在CloudFormation运行时，许多环境属性都是直接从secret manager读取/解析的（请参阅下面完整的env.yml文件）。范例

我让它在所有属性上都正常工作

就在最近，我还尝试将lambda执行角色名称移动到一个秘密变量中，并在env文件中引用它，如下所示

lambdaRole:“{{resolve:secretsmanager:${self:provider.deployVersion}\u cph\u cloudwatch\u vpc}}”

我在执行无服务器部署时遇到模板错误。如果我将该值更改为直接使用ARN，如下所示，它将起作用

lambdaRole:arn:aws:iam:：{aws:：AccountId}:role/V1 CPH Cloudwatch VPC

我相信lambda执行角色无法从机密中解析，这与无服务器生成模板的方式有关。在工作的情况下，模板正确设置了角色

“角色”：{“Fn:：Sub”：“arn:aws:iam:：${aws:：AccountId}:Role/V1 CPH Cloudwatch VPC”}，

其中就像我从secret解析角色一样，模板如下所示。我相信这就是AWS CloudFormation中失败的地方，因为它使用的是GetAtt而不是sub或resolve

"Role": {
          "Fn::GetAtt": [
               "{{resolve:secretsmanager:v1_cph_cloudwatch_vpc}}",
               "Arn"
           ]
        },

通过进一步研究，我可以确认这可能与Serverless的模板生成方式有关，因为我手动修改了Serverless生成模板中的角色集，如下所示，然后可以部署函数。

“角色”：“{resolve:secretsmanager:v1\u cph\u cloudwatch\u vpc}”，

你知道这是否会得到支持，或者我是否遗漏了什么吗？也许有一个插件我可以用这个。我可以使用这里提到的无服务器变量 但是我希望secretmanager变量在CloudFormation运行时解析，而不是那些直接进入模板内部的值

命令运行

sls部署--服务--阶段qa--环境部署

控制台输出

{{无服务器：正在验证模板…错误 --------------------------------------------------错误：CloudFormation模板无效：模板错误：的实例 Fn:：GetAtt引用未定义的资源{​

{​解析：secretsmanager:v1_cph_cloudwatch_vpc}​}​ 在 provider.request.catch.error （C:\npm\node\u modules\serverless\lib\plugins\aws\deploy\lib\validateTemplate.js:20:13） 在tryCatcher （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\util.js:16:23） 承诺。\你从Handler处获得了和解 （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\promise.js:547:31） 在允诺中 （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\promise.js:604:18） 在承诺时.\u结算承诺0 （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\promise.js:649:10） 在承诺中 （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\promise.js:725:18） at_drainQueueStep （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\async.js:93:12） at_drainQueue （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\async.js:86:9） 异步时。\u drainQueues （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\async.js:102:5） 在Immediate.Async.drainQueues[作为_onImmediate] （C:\npm\node\u modules\serverless\node\u modules\bluebird\js\release\async.js:15:14） 在tryOnImmediate（timers.js:667:5）运行回调（timers.js:696:18） at processImmediate（timers.js:649:5）at process.topLevelDomainCallback（domain.js:121:23）}

Serverless.yml

service: ${self:provider.deployVersion}-cph-${opt:service}

provider:
  name: aws
  endpointType: ${opt:endpoint, 'regional'}
  runtime: nodejs12.x
  region: us-east-1
  memorySize: 128
  timeout: 25
  deployVersion: v1
  versionFunctions: false
  **_role: ${self:custom.env.lambdaRole}_**
  deploymentBucket: ${opt:deploymentBucket, '${ssm:/aws/reference/secretsmanager/${self:provider.deployVersion}_deployment_S3Bucket~true}'}
  vpc: ${self:custom.env.vpc}
  stage: ${opt:stage, 'dev'}
  accessControlAllowOrigin: ${self:custom.env.accessControlAllowOrigin}
  stackTags:
    buildTag: ${opt:buildTag, ' '}
    releaseVersion: ${opt:releaseVersion, ' '}
  environment:
    stage: ${self:provider.stage}
    region: ${self:provider.region}
    cognitoPoolRegion: ${self:provider.region}
    rdsConnectionDialect: ${self:custom.env.rdsConnectionDialect}
    rdsConnectionHost: ${self:custom.env.rdsConnectionHost}
    rdsConnectionDatabase: ${self:custom.env.rdsConnectionDatabase}
    rdsConnectionUsername: ${self:custom.env.rdsConnectionUsername}
    rdsConnectionPassword: ${self:custom.env.rdsConnectionPassword}

plugins:
  - serverless-plugin-typescript
  - serverless-offline
  - serverless-reqvalidator-plugin
  - cph-serverless-aws-models
  - serverless-pseudo-parameters
  - serverless-plugin-bind-deployment-id

functions:
  - ${file(./serverless/${opt:service}.yml):functions}

resources:
  - ${file(./serverless/basePathMapping.yml)}
  - ${file(./serverless/apiGatewayErrorResponses.yml)}
  - ${file(./serverless/apiGatewayValidators.yml)}
  - ${file(./serverless/outputs.yml)}

custom:
  env: ${file(./serverless.env.yml):${opt:env, 'deploy'}}
  webpackIncludeModules: true;
  webpack:
    includeModules:
      forceInclude:
        - pg
        - sequelize
        - sequelize-typescript
  apigwBinary:
    types:
      - "multipart/form-data"
      - "application/pdf"
      - "image/*"
  models: ${file(./serverless/${opt:service}.yml):custom.models}

deploy:
  rdsConnectionDialect: postgres
  _**lambdaRole: "{{resolve:secretsmanager:${self:provider.deployVersion}_cph_cloudwatch_vpc}}"**_
  lambdaAuthorizerARN: arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:${self:provider.deployVersion}-cph-RequestAuthorizer-${self:provider.stage}-authorizerFunc
  domain: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_domainName}}"
  rdsConnectionHost: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseHost}}"
  rdsConnectionDatabase: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseName}}"
  rdsConnectionUsername: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseUserName}}"
  rdsConnectionPassword: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databasePassword}}"
  accessControlAllowOrigin: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_accessControlAllowOrigin}}"
  vpc:
    securityGroupIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_securityGroupIds}}"
    subnetIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_1}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_2}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_3}}"

serverless.env.yml

service: ${self:provider.deployVersion}-cph-${opt:service}

provider:
  name: aws
  endpointType: ${opt:endpoint, 'regional'}
  runtime: nodejs12.x
  region: us-east-1
  memorySize: 128
  timeout: 25
  deployVersion: v1
  versionFunctions: false
  **_role: ${self:custom.env.lambdaRole}_**
  deploymentBucket: ${opt:deploymentBucket, '${ssm:/aws/reference/secretsmanager/${self:provider.deployVersion}_deployment_S3Bucket~true}'}
  vpc: ${self:custom.env.vpc}
  stage: ${opt:stage, 'dev'}
  accessControlAllowOrigin: ${self:custom.env.accessControlAllowOrigin}
  stackTags:
    buildTag: ${opt:buildTag, ' '}
    releaseVersion: ${opt:releaseVersion, ' '}
  environment:
    stage: ${self:provider.stage}
    region: ${self:provider.region}
    cognitoPoolRegion: ${self:provider.region}
    rdsConnectionDialect: ${self:custom.env.rdsConnectionDialect}
    rdsConnectionHost: ${self:custom.env.rdsConnectionHost}
    rdsConnectionDatabase: ${self:custom.env.rdsConnectionDatabase}
    rdsConnectionUsername: ${self:custom.env.rdsConnectionUsername}
    rdsConnectionPassword: ${self:custom.env.rdsConnectionPassword}

plugins:
  - serverless-plugin-typescript
  - serverless-offline
  - serverless-reqvalidator-plugin
  - cph-serverless-aws-models
  - serverless-pseudo-parameters
  - serverless-plugin-bind-deployment-id

functions:
  - ${file(./serverless/${opt:service}.yml):functions}

resources:
  - ${file(./serverless/basePathMapping.yml)}
  - ${file(./serverless/apiGatewayErrorResponses.yml)}
  - ${file(./serverless/apiGatewayValidators.yml)}
  - ${file(./serverless/outputs.yml)}

custom:
  env: ${file(./serverless.env.yml):${opt:env, 'deploy'}}
  webpackIncludeModules: true;
  webpack:
    includeModules:
      forceInclude:
        - pg
        - sequelize
        - sequelize-typescript
  apigwBinary:
    types:
      - "multipart/form-data"
      - "application/pdf"
      - "image/*"
  models: ${file(./serverless/${opt:service}.yml):custom.models}

deploy:
  rdsConnectionDialect: postgres
  _**lambdaRole: "{{resolve:secretsmanager:${self:provider.deployVersion}_cph_cloudwatch_vpc}}"**_
  lambdaAuthorizerARN: arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:${self:provider.deployVersion}-cph-RequestAuthorizer-${self:provider.stage}-authorizerFunc
  domain: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_domainName}}"
  rdsConnectionHost: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseHost}}"
  rdsConnectionDatabase: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseName}}"
  rdsConnectionUsername: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databaseUserName}}"
  rdsConnectionPassword: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_databasePassword}}"
  accessControlAllowOrigin: "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_accessControlAllowOrigin}}"
  vpc:
    securityGroupIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_securityGroupIds}}"
    subnetIds:
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_1}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_2}}"
      - "{{resolve:secretsmanager:${self:provider.deployVersion}_${self:provider.stage}_vpc_subnetIds_3}}"

环境信息--------------------------- 操作系统：win32 节点版本：10.6.0 框架版本：1.56.1 插件版本：3.2.1 SDK版本：2.2.0 组件核心版本：1.1.2 组件CLI版本：1.4.0