AWS Secrets Manager从哪里获得AWS凭证?
[英]Where does AWS Secrets Manager get AWS Credentials?
问题描述
I'm beginning to work with Secrets Manager. 
我开始与Secrets Manager一起工作。
So, I created my first secret in AWS. 因此,我在AWS中创建了我的第一个秘密。 During the process, it gave me some sample code to work with. 在此过程中,它为我提供了一些示例代码。 I put that in a small application and ran it. 我把它放在一个小的应用程序中并运行它。
This is the code: 这是代码:
String region = "us-east-1";
string secret = "";
MemoryStream memoryStream = new MemoryStream();
IAmazonSecretsManager client = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(region));
GetSecretValueRequest request = new GetSecretValueRequest();
request.SecretId = "MySecretNameExample";
GetSecretValueResponse response = null;
response = client.GetSecretValue(request);
The problem is that 1) I was able to successfully retrieve the secret that I created and 2) nowhere am I creating a Credentials object with any valid AWS credential data. 问题在于1)我能够成功检索到我创建的密钥,以及2)在任何地方都无法使用任何有效的AWS凭证数据创建凭证对象。 Where is this code getting the credential information from?? 此代码从何处获取凭证信息?
2 个解决方案
解决方案1
3 已采纳 2018-08-28 22:31:37
The AWS SDK uses the a resolution strategy that looks in a number of locations until it finds credentials it can use. AWS SDK使用一种解决方案策略,该策略会在多个位置进行查找,直到找到可以使用的凭证。 Typically the DefaultProviderChain class is responsible for performing the resolution. 通常, DefaultProviderChain类负责执行解析。 More information is here , but the gist is the lookup is performed in the following order (for Java, other languages are similar): 更多信息在这里 ,但是要点是按以下顺序执行查找(对于Java,其他语言类似):
- environment variables 环境变量
- Java system properties Java系统属性
- credentials file ( eg in the home directory) 凭证文件( 例如 ,在主目录中)
- instance profile credentials (only available when running in AWS) 实例配置文件凭证(仅在AWS中运行时可用)
When you run within AWS infrastructure, you can assign a profile or role to the resource that's running your code. 在AWS基础架构中运行时,您可以为运行代码的资源分配配置文件或角色。 Doing that makes credentials automatically available to your code. 这样做会使凭据自动可用于您的代码。 The idea is that they've made it easy to avoid putting credentials directly into your code. 这样做的目的是使他们避免将凭据直接放入代码中变得容易。
解决方案2
3 2018-08-28 23:16:09
If you refer to the documenation for the API for this line of code: 如果您在以下代码行中引用API的文档:
IAmazonSecretsManager client = new AmazonSecretsManagerClient(
RegionEndpoint.GetBySystemName(region));
AmazonSecretsManagerClient AmazonSecretsManagerClient
You will find the following description: 您将找到以下描述:
Constructs AmazonSecretsManagerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance.
This means that you are either running on an EC2 or ECS service (or related service such as Beanstalk, ...) with a role assigned to the instance or your have configured your credentials in the standard method in a credentials file. 这意味着您正在以分配给实例的角色在EC2或ECS服务(或相关服务,例如Beanstalk等)上运行,或者您已经在凭据文件中的标准方法中配置了凭据。 The AWS SDK is helping you locate credentials. AWS开发工具包正在帮助您查找凭证。
This document link will explain in more detail how AWS credentials are managed and selected. 该文档链接将更详细地说明如何管理和选择AWS凭证。
Working with AWS Credentials 使用AWS凭证
I have seen a lot of developers get the little details wrong with how credentials work and how they are used within the SDKs. 我已经看到很多开发人员在凭据如何工作以及如何在SDK中使用凭据方面犯了一些小错误。 Given that AWS credentials hold the keys to the AWS kingdom, managing and protecting them is vitally important. 鉴于AWS凭证掌握着AWS王国的钥匙,因此管理和保护它们至关重要。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.