[英]AWS Secret manager does not allow me to create a secret for a RDS read-replica
I have created a read replica for my production RDS PostgreSQL instance.我为我的生产 RDS PostgreSQL 实例创建了一个只读副本。 I planning to use that read-replica to connect redshift federated queries.
我计划使用该只读副本来连接 redshift 联合查询。 The documentation suggests creating a secret but when I go to AWS Secret Manager and try to create a new secret the replica instance is not present.
该文档建议创建一个秘密,但是当我 go 到 AWS Secret Manager 并尝试创建一个新的秘密时,副本实例不存在。
I haven't found anything that suggests that the above is not possible.我还没有发现任何迹象表明上述情况是不可能的。 In fact, having a read-replica for federated queries it is a suggested good practice.
事实上,为联合查询提供一个只读副本是一种建议的良好做法。 Any ideas?
有任何想法吗?
The association between secret manager and RDS is based only on the format of a secret value .秘密管理器和 RDS 之间的关联仅基于秘密值的格式。 The formats available are here .
可用的格式在这里。
In console you can do this association only for the primary db instance.在控制台中,您只能为主数据库实例执行此关联。 But using CLI you can do this as well for read-replicas .
但是使用CLI ,您也可以为只读副本执行此操作。 It is useful, as read replicas have different endpoint then the primary instance.
这很有用,因为只读副本与主实例具有不同的端点。
For example, for MySql:例如,对于 MySql:
aws secretsmanager create-secret \
--name read-replica-secret \
--secret-string file:///tmp/secret.json
where /tmp/secret.json
would be:其中
/tmp/secret.json
将是:
{
"engine": "mysql",
"host": "<required: read replica instance host name/resolvable DNS name>",
"username": "admin",
"password": "2PLvZK5Gcuht8qefK5O7",
"dbname": "testdb",
"port": "3306"
}
This way, your read-only clients can get full set of credentials from the SM, which includes correct read-endpoint .这样,您的只读客户端可以从 SM 获得全套凭据,其中包括正确的 read-endpoint 。
But the issue is that you will have two secrets now.但问题是你现在有两个秘密。 One for primary and the other one for reader.
一个给小学,另一个给读者。 Which is a management hustle .
这是管理的喧嚣。 It complicates even more if you want to have automatic rotation.
如果你想要自动轮换,它会更加复杂。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.