
Retrieve a secret from manager and use it in ec2 cfn-init

I'm trying to use a secret in the cfn-init of an EC2 instance in CloudFormation. Based on Secrets Manager Secrets it should not be difficult, but what I'm trying is to use it as part of the command, in my case:

    01_login_in_docker:
      command: !Join
        - ' '
        - - 'docker login -u '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} '
          - '-p '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} '
          - 'cloud.canister.io:5000'

docker-info is a secret stored in my account and therefore I supposedly only need the name to access the keys, not the ARN.

Reviewing cfn-init.log I see that CF is not resolving anything:

    [ERROR] Command 01_login_in_docker (docker login -u {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} -p {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} cloud.canister.io:5000) failed

Has anyone tried something similar or could spot where my problem is?

It's not explicitly mentioned, but all the examples use dynamic references as a whole value and not as part of another string. So maybe try passing those as environment variables. It should be a bit more secure too as the logs won't contain the password in the command.

    01_login_in_docker:
      command: |
        docker login -u "$DOCKER_ACCOUNT_USERNAME" -p "$DOCKER_ACCOUNT_PASSWORD" cloud.canister.io:5000
      env:
        DOCKER_ACCOUNT_USERNAME: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}}'
        DOCKER_ACCOUNT_PASSWORD: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}}'
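A small check for the problem in this thread, added here as an illustration and not code from the question, the answer or AWS: it walks a parsed cfn-init config (constructed inline to mirror both snippets above, with `!Join` in its long `Fn::Join` form) and flags any `{{resolve:secretsmanager:...}}` reference that sits inside a `command`, because cfn-init writes the command line to cfn-init.log, and any reference that is not the whole string value, which is the answer's hypothesis for why nothing resolved.

```python
import re
from typing import Any, Iterator

# A CloudFormation dynamic reference into Secrets Manager.
RESOLVE_RE = re.compile(r"\{\{resolve:secretsmanager:[^}]+\}\}")
REF = "{{resolve:secretsmanager:docker-info:SecretString:%s}}"  # secret name from the question

def _strings(node: Any) -> Iterator[str]:
    """Yield every string scalar in a parsed value, descending through
    lists and dicts (so the long form {'Fn::Join': [sep, [...]]} is covered)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (list, dict)):
        for item in node if isinstance(node, list) else node.values():
            yield from _strings(item)

def find_secret_issues(init_config: dict) -> list[str]:
    """Flag secret references in a cfn-init 'commands' block that will be logged
    or that are not a whole string value."""
    findings = []
    for name, spec in init_config.get("commands", {}).items():
        cmd_strings = list(_strings(spec.get("command")))
        # cfn-init writes the command line to cfn-init.log (see the [ERROR] line in
        # the question), so a secret resolved inside it ends up on disk in clear text.
        if any(RESOLVE_RE.search(s) for s in cmd_strings):
            findings.append(f"{name}: secret reference inside 'command' (logged by cfn-init)")
        # The answer's hypothesis: references only resolve when they are the entire
        # value. A trailing space or surrounding text makes them part of a larger string.
        for s in cmd_strings + list(_strings(spec.get("env", {}))):
            m = RESOLVE_RE.search(s)
            if m and m.group(0) != s:
                findings.append(f"{name}: reference is not the whole value: {s!r}")
    return findings

# Constructed inline to mirror the two snippets in this thread.
QUESTION_CONFIG = {"commands": {"01_login_in_docker": {"command": {"Fn::Join": [" ", [
    "docker login -u ", REF % "DOCKER_ACCOUNT_USERNAME" + " ", "-p ",
    REF % "DOCKER_ACCOUNT_PASSWORD" + " ", "cloud.canister.io:5000"]]}}}}
ANSWER_CONFIG = {"commands": {"01_login_in_docker": {
    "command": 'docker login -u "$DOCKER_ACCOUNT_USERNAME" -p "$DOCKER_ACCOUNT_PASSWORD" cloud.canister.io:5000\n',
    "env": {"DOCKER_ACCOUNT_USERNAME": REF % "DOCKER_ACCOUNT_USERNAME",
            "DOCKER_ACCOUNT_PASSWORD": REF % "DOCKER_ACCOUNT_PASSWORD"}}}}

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, find_secret_issues(cfg) or "no findings")
```

The question's config yields three findings (one for the secret inside the command, two for the references with a trailing space), while the answer's env form yields none.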
