CloudFormation: Dynamic reference to SecretManager value not working for Resource's Tag Property
I want to store a secret in AWS secrets manager and retrieve it in a CloudFormation template. To test it I just put it in the value of a tag -
MainRouteTable:
  Properties:
    Tags:
      - Key: Environment
        Value: LIVE
      - Key: Name
        Value: '{{resolve:secretsmanager:tvs:SecretString:testname}}'
    VpcId: !Ref 'VPC'
  Type: AWS::EC2::RouteTable
After I run the CloudFormation using the template and the environment is up, the value for the tag "Name" is "{{resolve:secretsmanager:tvs:SecretString:testname}}" and not the actual secret stored in testname.
I have looked all around and can not figure out what is wrong. According to the AWS docs I am doing it properly.
I can retrieve the secret fine from the CLI -
aws secretsmanager --region us-east-1 get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxxxxx:secret:tvs-ZVTiDO --query SecretString --output text | jq -r .testname
Any suggestions?
I followed the instructions here - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager
SecretString can only be used in a few resources and selected properties. Tags are not supported. The supported list is:
AWS::DirectoryService::MicrosoftAD Password
AWS::DirectoryService::SimpleAD Password
AWS::ElastiCache::ReplicationGroup AuthToken
AWS::IAM::User LoginProfile Password
AWS::KinesisFirehose::DeliveryStream RedshiftDestinationConfiguration Password
AWS::OpsWorks::App Source Password
AWS::OpsWorks::Stack CustomCookbooksSource Password
AWS::OpsWorks::Stack RdsDbInstances DbPassword
AWS::RDS::DBCluster MasterUserPassword
AWS::RDS::DBInstance MasterUserPassword
AWS::Redshift::Cluster MasterUserPassword
As a general rule, secrets will never display in the AWS console, e.g. you can't use them in CloudFormation exports, tags, etc.
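A template check built from the list in this answer, added here as an example (not code from the question, the answer, or AWS): it walks a template's resource properties and reports every secretsmanager dynamic reference placed outside the (resource type, property) pairs above, which is exactly where CloudFormation would keep the reference as literal text instead of resolving it. The supported set is taken from the answer as written, and the sample template, the tag reference from the question next to an RDS instance with a made-up secret key "password", is constructed for the demonstration.

```python
import re
from typing import Any, Iterator, List, Tuple

SECRET_REF = re.compile(r"\{\{resolve:secretsmanager:[^}]+\}\}")  # syntax from the question
# (resource type, property path) pairs the answer lists as supporting SecretString; list entries are written as "[]".
SUPPORTED = {
    ("AWS::DirectoryService::MicrosoftAD", "Password"),
    ("AWS::DirectoryService::SimpleAD", "Password"),
    ("AWS::ElastiCache::ReplicationGroup", "AuthToken"),
    ("AWS::IAM::User", "LoginProfile.Password"),
    ("AWS::KinesisFirehose::DeliveryStream", "RedshiftDestinationConfiguration.Password"),
    ("AWS::OpsWorks::App", "Source.Password"),
    ("AWS::OpsWorks::Stack", "CustomCookbooksSource.Password"),
    ("AWS::OpsWorks::Stack", "RdsDbInstances.[].DbPassword"),
    ("AWS::RDS::DBCluster", "MasterUserPassword"),
    ("AWS::RDS::DBInstance", "MasterUserPassword"),
    ("AWS::Redshift::Cluster", "MasterUserPassword"),
}

def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted property path, value) for every string in a property tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item, f"{path}.[]")
    elif isinstance(node, str):
        yield path, node

def find_unsupported_secret_refs(template: dict) -> List[Tuple[str, str, str]]:
    """(logical id, path, reference) for each secret reference CloudFormation would keep as literal text."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        for path, value in _walk(resource.get("Properties", {})):
            for ref in SECRET_REF.findall(value):
                if (rtype, path) not in SUPPORTED:
                    findings.append((logical_id, path, ref))
    return findings

# Constructed sample: the question's route table (its tag will NOT resolve) beside
# an RDS instance using a supported property; the "password" secret key is made up.
TEMPLATE = {"Resources": {
    "MainRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {
        "VpcId": {"Ref": "VPC"},
        "Tags": [{"Key": "Name", "Value": "{{resolve:secretsmanager:tvs:SecretString:testname}}"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUserPassword": "{{resolve:secretsmanager:tvs:SecretString:password}}"}},
}}
```

Running the check on TEMPLATE reports only the route table's tag value; the RDS MasterUserPassword reference is in a supported location and is not flagged.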