Bri*_*son 5 typescript aws-secrets-manager aws-cdk
I am using aws-cdk-lib (2.13.0). Here is my code snippet:
```typescript
import { App, Stack } from 'aws-cdk-lib';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

export class CognitoStack extends Stack {
  constructor(scope: App) {
    super(scope, 'cognito');

    const secret = this.getSecret('google');
    console.log({ secret });
  }

  public getSecret(path: string) {
    const secret = Secret.fromSecretNameV2(this, `Secret${path}`, path);
    console.log({ path, secret, secretArn: secret.secretArn, string: secret.secretValue.toString() });
    return secret.secretValue.toJSON();
  }
}
```

The generated log looks like this:

The result of `npx cdk diff sandbox-cognito` looks like this:
```
Stack sandbox-cognito
Resources
[~] AWS::Cognito::UserPoolIdentityProvider Google GoogleAF1E99FA
 └─ [~] ProviderDetails
     ├─ [-] Removed: .client_id
     └─ [-] Removed: .client_secret
```

This means it is removing the client_id/client_secret that I was able to set manually. Now I am trying to load the values from the secret, but it does not work.
The problem is that I cannot parse the JSON (note the `<unresolved-token>` in the log). I think it has not been resolved yet, but I am not sure how to resolve it... It is trying to parse this string literal, `${Token[TOKEN.333]}`, rather than the actual secret value. How do I get the resulting secret string?
Import the existing secret as a `SecretValue`. Pass it to the `clientSecret: string` prop using the `.toString()` method.
```typescript
// Existing secret as SecretValue. Or use Secret.fromSecretNameV2.
const secretVal = cdk.SecretValue.secretsManager('GoogleSecrets', {
  jsonField: 'client-secret',
});
new cognito.UserPoolIdentityProviderGoogle(this, 'GoogleProvider', {
  userPool,
  // creates a dynamic reference which resolves to the actual secret value at deploy-time
  clientSecret: secretVal.toString(),
  clientId: 'my-id',
});
```
`SecretValue.toString()` "resolves" to different values over the lifecycle. When you `console.log` it, you get a (useless) opaque placeholder token value such as `${Token[TOKEN.198]}`. At synth time, CDK renders a CloudFormation dynamic reference in the template:
```jsonc
// my-stack.template.json
{"client_secret": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:GoogleSecrets:SecretString:client-secret::}}"}
```
At deploy time, CloudFormation "resolves" the actual secret value from the dynamic reference.
The important point is that the actual secret value is never exposed to your local environment or to the template artifact.
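As an added example (not part of the question or the answer above, and not CDK's own code): a dependency-free TypeScript check that can be run over the synthesized templates in `cdk.out` to confirm that secret-bearing properties reached the artifact only as `{{resolve:secretsmanager:...}}` dynamic references, and to flag the two failure modes discussed on this page: a token placeholder such as `${Token[TOKEN.333]}` that escaped CDK's resolution, and a plaintext value. The sample templates, the account ID and the secret ARN are constructed; the list of sensitive property names is an assumption to adapt per project.

```typescript
// Added example: audit synthesized CloudFormation templates for how secret-bearing
// properties were rendered. Sample templates below are constructed, not real cdk.out output.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

export type SecretRefKind =
  | 'dynamic-reference' // {{resolve:secretsmanager:...}}: CloudFormation fetches the value at deploy time
  | 'unresolved-token' // a CDK placeholder like ${Token[TOKEN.333]} survived into the artifact
  | 'plaintext'; // any other literal: the secret (or a stale value) is inside the template

export interface Finding {
  path: string;
  kind: SecretRefKind;
  value: string;
}

// CloudFormation dynamic-reference syntax for Secrets Manager:
// {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
const DYNAMIC_REF = /^\{\{resolve:secretsmanager:[^}]+\}\}$/;
// Marker CDK embeds in a stringified token; Token.isUnresolved() looks for the same marker.
const TOKEN_MARKER = /\$\{Token\[TOKEN\.\d+\]\}/;
// Assumed list of property names (lower-cased) whose values must never be literals.
const SENSITIVE_KEYS = ['client_secret', 'clientsecret', 'password', 'secretstring'];

export function classify(value: string): SecretRefKind {
  if (DYNAMIC_REF.test(value)) return 'dynamic-reference';
  if (TOKEN_MARKER.test(value)) return 'unresolved-token';
  return 'plaintext';
}

// Walk the template and report every string value sitting under a sensitive key.
export function auditTemplate(template: Json, path = '$'): Finding[] {
  const findings: Finding[] = [];
  if (Array.isArray(template)) {
    template.forEach((item, i) => findings.push(...auditTemplate(item, `${path}[${i}]`)));
  } else if (template !== null && typeof template === 'object') {
    for (const key of Object.keys(template)) {
      const child = template[key];
      const childPath = `${path}.${key}`;
      if (typeof child === 'string' && SENSITIVE_KEYS.indexOf(key.toLowerCase()) !== -1) {
        findings.push({ path: childPath, kind: classify(child), value: child });
      } else {
        findings.push(...auditTemplate(child, childPath));
      }
    }
  }
  return findings;
}

// A template is clean when every sensitive value is a dynamic reference.
export function templateIsClean(template: Json): boolean {
  return auditTemplate(template).every((f) => f.kind === 'dynamic-reference');
}

// Constructed sample: what the answer's corrected code renders (placeholder account and ARN).
export const GOOD_TEMPLATE: Json = {
  Resources: {
    GoogleAF1E99FA: {
      Type: 'AWS::Cognito::UserPoolIdentityProvider',
      Properties: {
        ProviderDetails: {
          client_id: 'my-id',
          client_secret:
            '{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:GoogleSecrets:SecretString:client-secret::}}',
        },
      },
    },
  },
};

// Constructed sample: a token placeholder that escaped CDK's resolution ended up as a literal.
export const LEAKED_TOKEN_TEMPLATE: Json = {
  Resources: {
    GoogleAF1E99FA: {
      Type: 'AWS::Cognito::UserPoolIdentityProvider',
      Properties: { ProviderDetails: { client_id: 'my-id', client_secret: '${Token[TOKEN.333]}' } },
    },
  },
};

// Constructed sample: a secret hard-coded into the stack (constructed, not a real credential).
export const PLAINTEXT_TEMPLATE: Json = {
  Resources: {
    GoogleAF1E99FA: {
      Type: 'AWS::Cognito::UserPoolIdentityProvider',
      Properties: { ProviderDetails: { client_id: 'my-id', client_secret: 'constructed-plaintext-value' } },
    },
  },
};

const samples: { [name: string]: Json } = { GOOD_TEMPLATE, LEAKED_TOKEN_TEMPLATE, PLAINTEXT_TEMPLATE };
for (const name of Object.keys(samples)) {
  console.log(name, templateIsClean(samples[name]) ? 'clean' : 'FAIL', auditTemplate(samples[name]));
}
```

In a pipeline, read each `*.template.json` from `cdk.out`, `JSON.parse` it and fail the build when `templateIsClean` returns false. The walk only inspects plain strings, so a value that CDK wraps in an intrinsic such as `Fn::Join` is skipped rather than judged; flatten those parts first if a project emits them.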