
Is it possible to retrieve or refresh a password by secretmanagerid in AWS, when the password is rotated by a policy every five minutes?

Well, that's the question: is it possible to retrieve or refresh a password by secretmanagerid in AWS? The password has been rotated by a policy every five minutes. I don't want to restart my microservice to retrieve the password. I was looking for a solution and I found something like this:

<dependency>
    <groupId>com.amazonaws.secretsmanager</groupId>
    <artifactId>aws-secretsmanager-jdbc</artifactId>
    <version>1.0.5</version>
</dependency>

spring:
  datasource:
    url: jdbc-secretsmanager:mysql://database-host:3306/rotate_db
    username: secret/rotation
    driver-class-name: com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver

But I don't want to use the configuration in application.yml or .properties; I want to keep these values in the parameter store as secrets. Currently my code looks like this:

@Bean
public DataSource dataSource() {
    AwsSecrets secrets = getSecret();
    if (Objects.nonNull(secrets)) {
        // Log the connection parameters only; the password itself must never reach the logs.
        log.info("Getting parameters: host: {}, port: {}, Db: {}, user: {}",
                secrets.getHost(), secrets.getPort(), secrets.getDatabase(), secrets.getUsername());
        // The password is read exactly once here and baked into the pool's configuration.
        DataSource dataSource = DataSourceBuilder
                .create()
                .url("jdbc:postgresql://" + secrets.getHost() + ":" + secrets.getPort() + "/" + secrets.getDatabase())
                .username(secrets.getUsername())
                .password(secrets.getPassword())
                .build();
        return new TracingDataSource(dataSource);
    }
    log.debug("Unable to get secrets");
    return null;
}

@Bean
public Filter tracingFilter() {
    return new AWSXRayServletFilter("back-microservice");
}

private AwsSecrets getSecret() {
    AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
            .withRegion(amazonRegion)
            .withCredentials(dynamoDBConfig.accountAmazonAWSCredentials())
            .build();

    GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
            .withSecretId(secretmanagerId);
    GetSecretValueResult getSecretValueResult;

    try {
        getSecretValueResult = client.getSecretValue(getSecretValueRequest);
    } catch (Exception e) {
        log.debug("Unable to get secrets values");
        throw e;
    }
    // getSecretString() is null for binary secrets; this secret is a JSON string.
    if (getSecretValueResult.getSecretString() != null) {
        return gson.fromJson(getSecretValueResult.getSecretString(), AwsSecrets.class);
    }

    return null;
}

Yes, it's possible to do. The exact implementation will vary by framework/ORM, but you would need to cache the credentials and also check whether a new password is needed every time a new connection is acquired.

In your code, you are setting the password once, statically:

DataSource dataSource = DataSourceBuilder
        .create()
        .url("jdbc:postgresql://" + secrets.getHost() + ":" + secrets.getPort() + "/" + secrets.getDatabase())
        .username(secrets.getUsername())
        .password(secrets.getPassword())
        .build();

The getPassword() function is only ever called once, when you build the data source, and that value is reused for additional connections from that data source. Instead, you need to retrieve the password (from the cache/Secrets Manager) every time a connection is created.

AWS provides a Java caching client for AWS Secrets Manager (clients for other languages are also available). You can adapt that into your data source so that it retrieves the password for every connection. You can read the official guidance documentation on that here: Rotate database credentials without restarting containers.

In the context of Spring, that means implementing this pattern in your data source driver, which is exactly what the com.amazonaws.secretsmanager.sql.AWSSecretsManagerMySQLDriver class provides. Because you are rotating the secret so often, you probably want to configure the secret cache to refresh more often than the default of 1 hour, or adjust your rotation frequency.

If you really need to rotate the password that often and you're using RDS for your database, you might consider just using IAM-based authentication instead. I can't imagine why you would want a password that rotates so frequently, keeping in mind that you are billed for secret retrieval API calls.
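The pattern the answer describes (cache the secret, look it up on every connection, and force a refresh when the cached password is rejected), as an added example that is part of neither the question nor the answer. It keeps the asker's PostgreSQL setup and JSON secret layout, swaps the one-shot DataSourceBuilder for a DataSource that consults the AWS Secrets Manager caching client (com.amazonaws.secretsmanager:aws-secretsmanager-caching-java) on each getConnection() call, and shortens the cache TTL well below the five-minute rotation. The class name RotatingSecretDataSource, the DbSecret field names (host, port, database, username, password, mirroring the question's AwsSecrets class) and the one-minute TTL are assumptions; the SecretCache / SecretCacheConfiguration calls are the caching client's documented API, and Spring's AbstractDataSource is used only to avoid re-implementing the boilerplate methods of javax.sql.DataSource.

```java
// Added example: a Spring DataSource that fetches credentials through the AWS
// Secrets Manager caching client on every getConnection() call, so a password
// rotated by Secrets Manager is picked up without restarting the service.
// Assumed dependencies: aws-secretsmanager-caching-java (which pulls in the v1
// AWS SDK), spring-jdbc, gson and the PostgreSQL JDBC driver.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

import com.amazonaws.secretsmanager.caching.SecretCache;
import com.amazonaws.secretsmanager.caching.SecretCacheConfiguration;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.google.gson.Gson;
import org.springframework.jdbc.datasource.AbstractDataSource;

public class RotatingSecretDataSource extends AbstractDataSource {

    // JSON layout of the secret; field names assumed to match the question's AwsSecrets class.
    static final class DbSecret {
        String host;
        int port;
        String database;
        String username;
        String password;
    }

    // PostgreSQL SQLSTATE values returned when the presented password is no longer valid.
    private static final String INVALID_PASSWORD = "28P01";
    private static final String INVALID_AUTHORIZATION = "28000";

    private final SecretCache cache;
    private final String secretId;
    private final Gson gson = new Gson();

    public RotatingSecretDataSource(AWSSecretsManager client, String secretId, long cacheTtlMillis) {
        // The caching client's default TTL is one hour; with a five-minute rotation
        // the TTL must be shorter than the rotation interval (one minute assumed below).
        SecretCacheConfiguration config = new SecretCacheConfiguration()
                .withClient(client)
                .withCacheItemTTL(cacheTtlMillis);
        this.cache = new SecretCache(config);
        this.secretId = secretId;
    }

    @Override
    public Connection getConnection() throws SQLException {
        try {
            return open(currentSecret());
        } catch (SQLException e) {
            if (!isAuthFailure(e)) {
                throw e;
            }
            // The cached value is stale (rotation happened inside the TTL):
            // force a refresh from Secrets Manager and retry exactly once.
            try {
                cache.refreshNow(secretId);
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
                throw new SQLException("interrupted while refreshing secret " + secretId, ie);
            }
            return open(currentSecret());
        }
    }

    @Override
    public Connection getConnection(String username, String password) throws SQLException {
        // Caller-supplied credentials would bypass rotation; refuse them.
        throw new UnsupportedOperationException("credentials are supplied by Secrets Manager");
    }

    private DbSecret currentSecret() {
        // Served from the in-memory cache until the TTL expires, so this is not
        // one billable GetSecretValue call per connection.
        return gson.fromJson(cache.getSecretString(secretId), DbSecret.class);
    }

    private static Connection open(DbSecret s) throws SQLException {
        String url = "jdbc:postgresql://" + s.host + ":" + s.port + "/" + s.database;
        return DriverManager.getConnection(url, s.username, s.password);
    }

    static boolean isAuthFailure(SQLException e) {
        String state = e.getSQLState();
        return INVALID_PASSWORD.equals(state) || INVALID_AUTHORIZATION.equals(state);
    }
}
```

Wiring it into the question's configuration means replacing the DataSourceBuilder block with `return new TracingDataSource(new RotatingSecretDataSource(client, secretmanagerId, 60_000L));`, reusing the AWSSecretsManager client already built in getSecret(). If a connection pool such as HikariCP sits in front of this data source, it must be told to evict pooled connections (for example via a short maxLifetime) so that connections authenticated with the previous password are not reused past the point where the database stops accepting it; a new physical connection is the only moment at which the new password is read.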
