
AWS Secret Manager secret retrieval to Cloud front template YAML

So I'm trying to retrieve a secret to use as a global variable, but so far I have had no success...

Globals:
  Function:
    Tracing: Active
    Timeout: 60
    Environment:
      Variables:
        AES_KEY: !Ref AesKey

Parameters:
  AesKey:
    Type: String
    Default: !Ref 'mysecretarn'   # this line is what CloudFormation rejects

I don't know what I'm doing wrong. I guess it's about the reference and the string type, but it gives me an error: "Every Default member must be a string".

The secret is stored in Secrets Manager as plain text, if that helps.

I tried different approaches, building with !Sub and ${} within quotes ("") and so on, but so far I have not found a solution for this.

I feel the example you provided is a little confusing... But to retrieve secrets from AWS Secrets Manager in a CloudFormation template, you can do it like this:

Explanation:

  1. MasterUsername and MasterUserPassword under Resources: PostgresRDS will get the values stored in Secrets Manager.
  2. ${EnvType} will get its value from the Parameters section; here the value will be staging by default.
  3. ${AWS::StackName} is an AWS pseudo parameter. Reference link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
Parameters:
  EnvType:
    Description: Environment type.
    Default: staging
    Type: String

Resources:
  PostgresRDS:
    Type: AWS::RDS::DBInstance
    DependsOn: RDSDBSubnetGroup
    DeletionPolicy: Delete
    Properties:
      DBInstanceIdentifier: !Join ['-', [!Ref EnvType, 'rds']]
      DBName: !Join ['', [!Ref EnvType, 'Rds']]
      Engine: 'postgres'
      EngineVersion: '13.4'   # quoted so YAML keeps it a string instead of parsing a number
      # Dynamic references: CloudFormation reads the secret named
      # <StackName>-<EnvType>-rs-rds at deploy time and extracts the JSON keys
      # "username" and "password" from its SecretString. The secret value never
      # appears in the template or in the stack's parameters.
      MasterUsername: !Sub '{{resolve:secretsmanager:${AWS::StackName}-${EnvType}-rs-rds:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${AWS::StackName}-${EnvType}-rs-rds:SecretString:password}}'
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageType: gp2
      StorageEncrypted: true
      BackupRetentionPeriod: 7
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      MultiAZ:  false     # true
      Port: 5432
      # DeletionProtection: true
      PubliclyAccessible: true   # exposes the instance to the internet; use false unless you really need it
      DBParameterGroupName: !Ref Postgres13ParameterGroup
      VPCSecurityGroups:
        - !GetAtt RdsSecurityGroup.GroupId
      DBSubnetGroupName: !Ref RDSDBSubnetGroup
      Tags:
        - Key: environment
          Value: !Ref EnvType

Just in case you want to use the AWS CLI to create the AWS secret:

StackName=111          # must match the name you give the CloudFormation stack
EnvType=staging
DB_username=admin
DB_password=xxx
# Creates the JSON secret that the template resolves via :SecretString:username / :password.
# Note: the password is visible in shell history and the process list this way;
# --secret-string file://secret.json avoids that.
aws secretsmanager create-secret --name "$StackName-$EnvType-rs-rds" --description "Example for retrieval secret to CFN" --secret-string "{\"username\":\"$DB_username\",\"password\":\"$DB_password\"}"
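The answer above resolves JSON keys out of a secret into RDS properties. The original question was about a plaintext secret feeding a SAM Globals environment variable, so here is the same dynamic-reference syntax applied to that case, as an added example that is not part of the question or the answer. It assumes a plaintext secret whose name is passed in through a parameter called AesKeySecretId (default my-app/aes-key), a function named WorkerFunction with a Python handler at src/app.handler, and the SAM policy template AWSSecretsManagerGetSecretValuePolicy; all of those names are assumptions, not from the page. It shows two patterns side by side: resolving at deploy time (Option A) and fetching at runtime with least-privilege IAM (Option B).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # A Parameter Default must be a literal string: !Ref here is what produced
  # "Every Default member must be a string". Pass the secret's name or ARN in
  # as a plain string instead and reference it where it is used.
  AesKeySecretId:
    Type: String
    Default: my-app/aes-key   # assumed name of a plaintext secret (no JSON keys)

Globals:
  Function:
    Tracing: Active
    Timeout: 60
    Runtime: python3.12
    Environment:
      Variables:
        # Option A: deploy-time resolution. No json-key segment because the
        # secret is plaintext, so CloudFormation injects the whole SecretString.
        # Caveat: the resolved value is written into the Lambda configuration in
        # clear, readable by anyone with lambda:GetFunctionConfiguration, and it
        # is only refreshed when the stack is updated (rotation is not picked up).
        AES_KEY: !Sub '{{resolve:secretsmanager:${AesKeySecretId}:SecretString}}'
        # Option B: pass only the identifier; the function calls GetSecretValue at
        # runtime, so the key never lands in the function configuration and
        # rotated values are read on the next call.
        AES_KEY_SECRET_ID: !Ref AesKeySecretId

Resources:
  WorkerFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler   # assumed handler location
      CodeUri: src/
      Policies:
        # Least privilege for Option B: read this one secret only. Secret ARNs
        # end in a random six-character suffix, hence the trailing "-*".
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${AesKeySecretId}-*'
```

Pick one of the two options for a real template. Option A is the direct answer to the question, but because the dynamic reference is expanded into a Lambda environment variable, the secret ends up visible in the function configuration; Option B keeps it out of the configuration and only requires the function to be granted secretsmanager:GetSecretValue on that specific secret.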

The technical post webpages of this site are licensed under CC BY-SA 4.0. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.
