Retrieve a secret from manager and use it in ec2 cfn-init
I'm trying to use a secret in the cfn-init of an EC2 instance in CloudFormation. Based on Secrets Manager Secrets it should not be difficult but what I'm trying is to use it as part of the command, in my case:

    01_login_in_docker:
      command: !Join
        - ' '
        - - 'docker login -u '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} '
          - '-p '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} '
          - 'cloud.canister.io:5000'

docker-info is a secret stored in my account and therefore I supposedly only need the name to access the keys, not the ARN.
Reviewing cfn-init.log I see that CF is not resolving anything:

    [ERROR] Command 01_login_in_docker (docker login -u {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} -p {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} cloud.canister.io:5000) failed

Has anyone tried something similar or could spot where my problem is?

It's not explicitly mentioned, but all the examples use dynamic references as a whole value and not as part of another string. So maybe try passing those as environment variables. It should be a bit more secure too as the logs won't contain the password in the command.

    01_login_in_docker:
      command: |
        docker login -u "$DOCKER_ACCOUNT_USERNAME" -p "$DOCKER_ACCOUNT_PASSWORD" cloud.canister.io:5000
      env:
        DOCKER_ACCOUNT_USERNAME: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}}'
        DOCKER_ACCOUNT_PASSWORD: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}}'
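
An alternative to placing the credentials in the command or its environment, as an added example that is not part of the original question or answer: a helper script that a cfn-init command could run, which reads the secret on the instance at run time and passes the password to `docker login --password-stdin`. It assumes the AWS CLI is installed, a default region is configured, and the instance role allows `secretsmanager:GetSecretValue` on `docker-info`; the function names are hypothetical.

```python
import json
import subprocess

REGISTRY = "cloud.canister.io:5000"  # registry host from the question
SECRET_ID = "docker-info"            # secret name from the question
KEYS = ("DOCKER_ACCOUNT_USERNAME", "DOCKER_ACCOUNT_PASSWORD")


def fetch_secret_string(secret_id=SECRET_ID, run=subprocess.run):
    """Read SecretString on the instance with the AWS CLI (assumed installed,
    with a role that allows secretsmanager:GetSecretValue on this secret)."""
    cmd = ["aws", "secretsmanager", "get-secret-value", "--secret-id", secret_id,
           "--query", "SecretString", "--output", "text"]
    return run(cmd, check=True, capture_output=True, text=True).stdout


def docker_login(secret_string, registry=REGISTRY, run=subprocess.run):
    """Parse the JSON secret and hand the password to docker on stdin."""
    try:
        fields = json.loads(secret_string)
    except json.JSONDecodeError:
        # Never echo the payload in the error: it may hold part of the secret.
        raise ValueError("SecretString is not valid JSON") from None
    if not isinstance(fields, dict):
        raise ValueError("SecretString is not a JSON object")
    missing = [k for k in KEYS if not fields.get(k)]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    argv = ["docker", "login", "-u", fields[KEYS[0]], "--password-stdin", registry]
    # The password is written to stdin only, so it never appears in the
    # process arguments or in a logged command line.
    result = run(argv, input=fields[KEYS[1]], capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError("docker login failed: " + result.stderr.strip())
    return argv


if __name__ == "__main__":
    docker_login(fetch_secret_string())
```

A string that still contains a literal `{{resolve:...}}` reference is rejected as invalid JSON instead of being sent to the registry.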