堆栈内存溢出
  简体   繁体   English

AWS 秘密管理器不允许我为 RDS 只读副本创建秘密

[英]AWS Secret manager does not allow me to create a secret for a RDS read-replica

 原文  2020-08-17 23:46:42       amazon-web-services/ amazon-redshift/ amazon-rds/ aws-secrets-manager

问题描述

I have created a read replica for my production RDS PostgreSQL instance.我为我的生产 RDS PostgreSQL 实例创建了一个只读副本。 I planning to use that read-replica to connect redshift federated queries.我计划使用该只读副本来连接 redshift 联合查询。 The documentation suggests creating a secret but when I go to AWS Secret Manager and try to create a new secret the replica instance is not present.该文档建议创建一个秘密,但是当我 go 到 AWS Secret Manager 并尝试创建一个新的秘密时,副本实例不存在。

I haven't found anything that suggests that the above is not possible.我还没有发现任何迹象表明上述情况是不可能的。 In fact, having a read-replica for federated queries it is a suggested good practice.事实上,为联合查询提供一个只读副本是一种建议的良好做法。 Any ideas?有任何想法吗?

1 个解决方案

解决方案1
 1 已采纳  2020-08-18 00:07:22

The association between secret manager and RDS is based only on the format of a secret value .秘密管理器和 RDS 之间的关联仅基于秘密值的格式 The formats available are here .可用的格式在这里

In console you can do this association only for the primary db instance.在控制台中,您只能为主数据库实例执行此关联。 But using CLI you can do this as well for read-replicas .但是使用CLI ,您也可以为只读副本执行此操作。 It is useful, as read replicas have different endpoint then the primary instance.这很有用,因为只读副本与主实例具有不同的端点

For example, for MySql:例如,对于 MySql:

aws secretsmanager create-secret \
    --name read-replica-secret \
    --secret-string file:///tmp/secret.json

where /tmp/secret.json would be:其中/tmp/secret.json将是:

{
  "engine": "mysql",
  "host": "<required: read replica instance host name/resolvable DNS name>",
  "username": "admin",
  "password": "2PLvZK5Gcuht8qefK5O7",
  "dbname": "testdb",
  "port": "3306"
}

This way, your read-only clients can get full set of credentials from the SM, which includes correct read-endpoint .这样,您的只读客户端可以从 SM 获得全套凭据,其中包括正确的 read-endpoint

But the issue is that you will have two secrets now.但问题是你现在有两个秘密。 One for primary and the other one for reader.一个给小学,另一个给读者。 Which is a management hustle .这是管理的喧嚣 It complicates even more if you want to have automatic rotation.如果你想要自动轮换,它会更加复杂。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 允许秘密管理器中的秘密用于特定 AWS 账户中的所有 lambda 函数 - Allow a secret in secret manager for all lambda functions in a particular AWS account AWS CLI Secrets Manager 创建密钥 - AWS CLI Secrets Manager Create Secret AWS EKS 集群不与 secret manager co.net - AWS EKS cluster does not connets with secret manager Terraform AWS Redshift 和 Secret Manager - Terraform AWS Redshift and Secret Manager 我可以将 RDS Multiple-AZ 与 Read-Replica 一起使用吗? - Can I use RDS Multiple-AZ together with Read-Replica? 如何在 terraform 中从 GCP 秘密管理器读取秘密 - How to read a secret from GCP secret manager in terraform 如何将 AWS 秘密管理器与 Amplify 结合使用 - How to use AWS secret manager with Amplify 如何从 terraform 中的跨区域 AWS Secret Manager 检索机密 - How to retrieve secret from cross region AWS Secret Manager in terraform AWS Secret Manager 秘密检索到云前端模板 YAML - AWS Secret Manager secret retrieval to Cloud front template YAML 在 docker 环境中设置 AWS Secret Manager 值 - Set AWS Secret Manager value in docker environment
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM