使用 `aws_secretsmanager_secret_policy` 为 AWS Secrets Manager 创建/管理策略有什么好处?
[英]What is the benefit of using `aws_secretsmanager_secret_policy` for creating/managing policy for AWS Secrets manager?
问题描述
In Terraform aws provider, we can use the below to attach a Resource based policy to the secrets manager.
在 Terraform aws提供程序中,我们可以使用以下内容将基于资源的策略附加到机密管理器。
- Create a
aws_iam_policy_documentData resource and attach the same to the secrets manger创建aws_iam_policy_document数据资源并将其附加到机密管理器 - Create policy using
aws_secretsmanager_secret_policyfor a secrets manager.使用aws_secretsmanager_secret_policy为机密管理器创建策略。
I remember the older versions of the provider for eg 2.7 did not had aws_secretsmanager_secret_policy and we had to use the data resource to attach policy to the secrets manager.我记得旧版本的提供程序(例如 2.7)没有aws_secretsmanager_secret_policy ,我们不得不使用数据资源将策略附加到秘密管理器。 Now the latest version supports both.现在最新版本支持两者。
What is the benefit of using the aws_secretsmanager_secret_policy over aws_iam_policy_document and under what conditions we can choose one over the other?使用aws_secretsmanager_secret_policy而不是aws_iam_policy_document有什么好处,在什么条件下我们可以选择其中一个而不是另一个?
2 个解决方案
解决方案1
0 2022-01-25 09:46:37
aws_secretsmanager_secret_policy is to create a resource-based policy , whereas aws_iam_policy_document is for identity-based policy . aws_secretsmanager_secret_policy用于创建基于资源的策略,而aws_iam_policy_document用于基于身份的策略。 There is a number of differences between them as explained in Identity-based policies and resource-based policies .如基于身份的策略和基于资源的策略中所述,它们之间存在许多差异。
The most common scenario where you would use a resource-based policy is for cross-account access to your secret .使用基于resource-based policy的最常见场景是跨账户访问您的 secret 。
解决方案2
0 2022-01-26 14:21:29
I think your actual question is about setting the policy attribute on the aws_secretsmanager_secret resource, versus creating the policy as a separate aws_secretsmanager_secret_policy resource.我认为您的实际问题是关于在aws_secretsmanager_secret资源上设置policy属性,而不是将策略创建为单独的aws_secretsmanager_secret_policy资源。
The main reason you would use aws_secretsmanager_secret_policy instead of setting it directly on the secret resource, is if the secret was created in different Terraform code, or perhaps completely outside of Terraform.您使用aws_secretsmanager_secret_policy而不是直接在秘密资源上设置它的主要原因是,如果秘密是在不同的 Terraform 代码中创建的,或者可能完全在 Terraform 之外创建。 For example if you wanted to create a Terraform template to look up all your AWS secrets, and set a policy on all of them.例如,如果您想创建一个 Terraform 模板来查找您的所有 AWS 机密,并为所有这些机密设置策略。
You can use aws_iam_policy_document with either of these.您可以将aws_iam_policy_document与其中任何一个一起使用。 aws_iam_policy_document is just a way to define IAM policies in Terraform code instead of embedded raw JSON strings. aws_iam_policy_document只是在 Terraform 代码而不是嵌入的原始 JSON 字符串中定义 IAM 策略的一种方式。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.