使用AWS Secrets Manager连接到Postgres数据库

Question

希望使用AWS Secrets管理器登录postgres而不使用用户名和密码作为纯文本。 我不确定这是否可行，如果没有，请原谅我。 目前这是我使用psycopg2登录postgres时使用的：

 import psycopg2

conn = psycopg2.connect(host="hostname",port='5432',database="db", user="admin", password="12345")

我已经在密码管理器中存储了用户名和密码，但不知道如何在这里使用它。 请帮忙

Answer 1

您可以使用控制台将凭据（用户名/密码）存储在SecretsManager中。 您可以将它们存储为键值对，例如 -

{ "username": "admin", "password": "12345" }

要在Python脚本中使用它，您可以执行以下操作 -

session = boto3.session.Session()
client = session.client(
    service_name='secretsmanager',
    region=< region_name >
)
secret = client.get_secret_value(
         SecretId=secret_name
)
secret_dict = json.loads(secret['SecretString'])

username = secret_dict['username']
passw = secret_dict['password']

conn = psycopg2.connect(host="hostname",port='5432',database="db", user=username, password=passw)

请注意，这是一个没有错误处理的简化示例。 您还需要在示例中填写右侧区域来代替<region_name>。

Answer 2

您应该使用以下过程：

1. 连接到AWS秘密管理器。
2. 转换用户名和密码。 您需要以存储在秘密管理器中的方式映射它。
3. 将其存储在变量中并将其传递给连接字符串。

下面是amazon提供的示例python脚本：

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():

    secret_name = "<<{{MySecretName}}>>"
    region_name = "<<{{MyRegionName}}>>"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'DecryptionFailureException':
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InternalServiceErrorException':
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'ResourceNotFoundException':
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
    else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])

    # Your code goes here.  

Answer 3

在连接中使用秘密值之前，需要从Secrets Manager中检索它们。

AWS提供的参考代码从使用Python的秘密经理获取秘密在这里 。