
Concatenate AWS Secrets in aws-cdk for ECS container

How do you go about making a Postgres URI connection string from a Credentials.fromGeneratedSecret() call without writing the secrets out using toString()?

I think I read somewhere about making a lambda that does that, but man, that seems kinda overkill-ish.

  // aws-cdk (TypeScript); Credentials comes from the RDS module
  const dbCreds = Credentials.fromGeneratedSecret("postgres")
  const username = dbCreds.username
  const password = dbCreds.password // a SecretValue token, not the plaintext password
  const uri = `postgresql://${username}:${password}@somerdurl/mydb?schema=public`

Pretty sure I can't do the above. However, my hasura and api ECS containers need connection strings like the above, so I figure this is probably a solved thing?

If you want to import a secret that already exists in Secrets Manager, you could just do a lookup of the secret by name or ARN. Take a look at the documentation referring to how to get a value from AWS Secrets Manager.

Once you have your secret in the code, it is easy to pass it on as an environment variable to your application. With CDK it is even possible to pass secrets from Secrets Manager or AWS Systems Manager Parameter Store directly onto the CDK construct. One such example would be (as pointed out in the documentation):

taskDefinition.addContainer('container', {
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
  memoryLimitMiB: 1024,
  environment: { // clear text, not for sensitive data
    STAGE: 'prod',
  },
  environmentFiles: [ // list of environment files hosted either on local disk or S3
    ecs.EnvironmentFile.fromAsset('./demo-env-file.env'),
    ecs.EnvironmentFile.fromBucket(s3Bucket, 'assets/demo-env-file.env'),
  ],
  secrets: { // Retrieved from AWS Secrets Manager or AWS Systems Manager Parameter Store at container start-up.
    SECRET: ecs.Secret.fromSecretsManager(secret),
    DB_PASSWORD: ecs.Secret.fromSecretsManager(dbSecret, 'password'), // Reference a specific JSON field, (requires platform version 1.4.0 or later for Fargate tasks)
    PARAMETER: ecs.Secret.fromSsmParameter(parameter),
  }
});

Overall, in this case, you would not have to do any parsing or printing of the actual secret within the CDK. You can handle all of that processing within your application using properly set environment variables.

However, from your question alone it is not clear what exactly you are trying to do. Still, the provided resources should get you in the correct direction.
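The missing half of the answer above is what the application does once ECS has injected the values. When the task definition's secrets map uses ecs.Secret.fromSecretsManager(dbSecret) or ecs.Secret.fromSecretsManager(dbSecret, 'password'), the synthesized CloudFormation template only carries the secret's ARN (plus the JSON key); the ECS agent fetches the plaintext at task start and the container sees it as an ordinary environment variable. The connection string is therefore assembled inside the container, never inside the CDK stack. The following TypeScript is an added example, not code from the question, the answer, or the aws-cdk project: it reads either a whole-secret JSON blob (the username/password/host/port/dbname layout that RDS writes for generated secrets) or individual variables, percent-encodes the credentials, and provides a redacted form for logging. The environment variable names DB_SECRET, DB_USERNAME, DB_PASSWORD, DB_HOST, DB_PORT and DB_NAME are assumptions chosen for the example; the sample values are constructed.

```typescript
// Added example (not from the original question or answer). Assumed wiring in
// the CDK task definition, mirroring the answer's `secrets` map:
//   secrets: {
//     DB_SECRET:   ecs.Secret.fromSecretsManager(dbSecret),             // whole JSON document
//     DB_PASSWORD: ecs.Secret.fromSecretsManager(dbSecret, 'password'), // or a single field
//   }
// Everything below runs inside the container, where the values are plain env vars.

type Env = Record<string, string | undefined>;

interface DbParts {
  username: string;
  password: string;
  host: string;
  port: number;
  dbname: string;
}

// Fail loudly on a missing value instead of silently building a broken URI.
function required(v: string | undefined, name: string): string {
  if (v === undefined || v === '') throw new Error(`missing ${name}`);
  return v;
}

// Prefer the whole-secret JSON document (DB_SECRET) when present; otherwise
// fall back to one variable per field.
function readDbParts(env: Env): DbParts {
  if (env.DB_SECRET) {
    // Layout RDS generates for Credentials.fromGeneratedSecret(): username,
    // password, host, port, dbname (plus engine and dbInstanceIdentifier).
    const s = JSON.parse(env.DB_SECRET) as Record<string, unknown>;
    const field = (k: string) => required(s[k] === undefined ? undefined : String(s[k]), k);
    return {
      username: field('username'),
      password: field('password'),
      host: field('host'),
      port: Number(s.port ?? 5432),
      dbname: field('dbname'),
    };
  }
  return {
    username: required(env.DB_USERNAME, 'DB_USERNAME'),
    password: required(env.DB_PASSWORD, 'DB_PASSWORD'),
    host: required(env.DB_HOST, 'DB_HOST'),
    port: Number(env.DB_PORT ?? 5432),
    dbname: required(env.DB_NAME, 'DB_NAME'),
  };
}

// Percent-encode the credentials: generated passwords routinely contain '@',
// ':', '/' or '#', each of which would otherwise split the URI in the wrong place.
function buildPostgresUri(p: DbParts, schema = 'public'): string {
  return (
    `postgresql://${encodeURIComponent(p.username)}:${encodeURIComponent(p.password)}` +
    `@${p.host}:${p.port}/${encodeURIComponent(p.dbname)}?schema=${encodeURIComponent(schema)}`
  );
}

// Same URI with the password masked, for log lines and error messages.
function redactUri(uri: string): string {
  return uri.replace(/^(postgresql:\/\/[^:/]+:)[^@]*@/, '$1***@');
}

// Constructed sample input standing in for what ECS would inject at start-up.
const sampleEnv: Env = {
  DB_SECRET: JSON.stringify({
    username: 'postgres',
    password: 'p@ss:w/rd#1',
    host: 'db.internal',
    port: 5432,
    dbname: 'mydb',
  }),
};

const sampleUri = buildPostgresUri(readDbParts(sampleEnv));
console.log(redactUri(sampleUri)); // password never reaches the log
```

Point DATABASE_URL-style consumers (hasura, Prisma, pg) at the result of buildPostgresUri rather than at a string interpolated in the stack; the only place the plaintext exists is the container's process memory, and the template that CDK synthesizes contains no credential material to leak through version control or CloudFormation console views.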
