Pie*_*i D 5 amazon-web-services aws-cloudformation amazon-cloudwatch aws-secrets-manager
我有一段 cloudFormation 代码
"dareMeXDevCloudwatchMissingPayoutsJob": {
"Type": "AWS::Events::Rule",
"DependsOn": [
"xxx"
],
"Properties": {
"Description": "xxxxx)",
"RoleArn": {
"Fn::GetAtt": [
"xxxxx",
"Arn"
]
},
"Name": "xxxxx",
"ScheduleExpression": "cron(0 8 ? * 6 *)",
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Fn::GetAtt": [
"xxxxxxx",
"Arn"
]
},
"Id": "xxxx",
"Input": "{\"val1\":\"val1\",\"secretVal\":\"??????????????????\"}"
}
]
}
}
我想要完成的事情是将 Secrets Manager 值传递给变量secretVal
我尝试通过将 SecretVal 值设置为 来做到这一点{{resolve:secretsmanager:{arn of secret}:SecretString}},但随后在 cloudWatch 事件上我有 optput 类似{"val1": "val1", "secretVal": "{{resolve:secretsmanager:{arn of secret}:SecretString}}"}
例如,当我尝试将 Name 设置为 时{{resolve:secretsmanager:{arn of secret}:SecretString}},一切都会按预期工作,但对于 Input 则不起作用。我做错了什么吗?或者也许还有其他方法将秘密值传递给 cloudWatch 事件主体?提前致谢!
@RobS 无论如何,这在我的用例中不起作用。目标是使用于处理用户请求的普通 api lambda 也可用于:
-基于固定的cron表达式定期调用
- 被自身调用,但在未来的某个时间点
这个密钥只是对最终用户的保护。当我得到 AWS 的响应时,这可以通过创建子 CloudFormation 堆栈来实现
父堆栈片段
"Resources": {
"MySecretB": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "MySecretForAppA",
"Description": "This secret has a hardcoded password in SecretString (use GenerateSecretString instead)",
"SecretString": "{\"username\":\"MasterUsername\",\"password\":\"secret-password\"}"
}
},
"Test": {
"DependsOn" : "MySecretB",
"Type": "AWS::CloudFormation::Stack",
"Properties": {
"Parameters": {
"Key": {
"Fn::Sub": ["${value1}", {
"value1": "{{resolve:secretsmanager:MySecretForAppA:SecretString:username}}"
}]
}
},
"TemplateURL" : "https://s3.amazonaws.com/mybucketname/childstack.json "
}
}
}
子堆栈片段
"Parameters": {
"Key":{
"Type":"String"
}
},
"Resources": {
"ScheduledRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"ScheduleExpression": "rate(1 minute)",
"Description": "ScheduledRule",
"Targets": [
{
"Arn": "arn:aws:lambda:us-east-1:380574440275:function:LambdaFunction",
"Id": "TargetFunctionV1",
"Input": {"Fn::Sub": "{\"Input\": \"${Key}\"}"}
}
]
}
}
}
就像你所说的passing a secret into a CW event is probably not a good idea,所以我刚刚制作了另一个 lambda 函数,最终用户无法使用它。只能从 cloudWatch 事件中调用它
| 归档时间: |
|
| 查看次数: |
12588 次 |
| 最近记录: |