AWS::SecretsManager::RotationSchedule - AWS CloudFormation

AWS::SecretsManager::RotationSchedule

The AWS::SecretsManager::RotationSchedule resource configures rotation for a secret. The secret must already be configured with the database or service details. If you define both the secret and the database or service in the same AWS CloudFormation template, define the AWS::SecretsManager::SecretTargetAttachment resource first, so that it populates the secret with the database or service connection details, and only then configure rotation.

Important

When you configure rotation for a secret, AWS CloudFormation rotates the secret once immediately. Before you configure rotation, make sure that all of your clients retrieve the secret through Secrets Manager, so that the first rotation does not break them.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SecretsManager::RotationSchedule",
  "Properties" : {
      "RotationLambdaARN" : String,
      "RotationRules" : RotationRules,
      "SecretId" : String
    }
}

YAML

Type: AWS::SecretsManager::RotationSchedule
Properties:
  RotationLambdaARN: String
  RotationRules: RotationRules
  SecretId: String

Properties

RotationLambdaARN

Specifies the ARN of the Lambda function that can rotate the secret. If you omit this parameter, the secret must already have the ARN of a rotation Lambda function configured. To reference a Lambda function that is also created in this template, use the Ref function with the logical ID of the Lambda function.

Required: No

Type: String

Update requires: No interruption

RotationRules

Specifies a structure that defines the rotation schedule for this secret.

Required: No

Type: RotationRules

Update requires: No interruption

SecretId

Specifies the ARN or friendly name of the secret that you want to rotate. To reference a secret that is also created in this template, use the Ref function with the logical ID of the secret.

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of an AWS::SecretsManager::RotationSchedule resource to the intrinsic Ref function, the function returns the ARN of the configured secret, for example:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

This lets you reference a secret that you create in one part of the stack template from the definition of another resource in the same template. Typically you do this when defining an AWS::SecretsManager::SecretTargetAttachment resource.

For more information about using the Ref function, see Ref.

Examples

The following is a complete example that creates a secret, creates an RDS DB instance associated with that secret, and configures rotation. It shows how to define the Lambda rotation function, attach the required trust and permissions policies, and associate the function with the secret on a defined schedule.

RDS secret rotation

Configure rotation of an RDS database secret

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "MyRDSInstanceRotationSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "A Secrets Manager secret for my RDS DB instance",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/\\"
        }
      }
    },
    "SecretRDSInstanceAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
        "TargetId": {"Ref": "MyDBInstance"},
        "TargetType": "AWS::RDS::DBInstance"
      }
    },
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "AllocatedStorage": 20,
        "DBInstanceClass": "db.t2.micro",
        "Engine": "mysql",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRDSInstanceRotationSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRDSInstanceRotationSecret}::password}}"},
        "BackupRetentionPeriod": 0
      }
    },
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRDSInstanceAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRDSInstanceRotationSecret"},
        "RotationLambdaARN": {"Fn::GetAtt": ["MyRotationServerlessApp", "Outputs.RotationLambdaARN"]},
        "RotationRules": {
          "AutomaticallyAfterDays": 30
        }
      }
    },
    "MyRotationServerlessApp": {
      "Type": "AWS::Serverless::Application",
      "Properties": {
        "Location": {
          "ApplicationId": "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser",
          "SemanticVersion": "1.1.0"
        },
        "Parameters": {
          "endpoint": {"Fn::Sub": "https://secretsmanager.${AWS::Region}.amazonaws.com"},
          "functionName": "SecretsManagerMySQLRotationLambda"
        }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager"
Resources:

  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRDSInstanceRotationSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my rds instance secret'
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
      Tags:
        - Key: AppName
          Value: MyApp

  # This is an RDS instance resource. Its master username and password use dynamic references to resolve values from
  # SecretsManager. The dynamic reference guarantees that CloudFormation will not log or persist the resolved value.
  # We sub the Secret resource's logical id in order to construct the dynamic reference, since the Secret's name is being
  # generated by CloudFormation.
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      Engine: mysql
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyRDSInstanceRotationSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyRDSInstanceRotationSecret}::password}}'
      BackupRetentionPeriod: 0

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
  # the referenced RDS instance.
  SecretRDSInstanceAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      TargetId: !Ref MyDBInstance
      TargetType: AWS::RDS::DBInstance

  # This is a RotationSchedule resource. It configures rotation of the password for the referenced secret using a rotation lambda.
  # The first rotation happens at resource creation time, with subsequent rotations scheduled according to the rotation rules.
  # We explicitly depend on the SecretTargetAttachment resource being created to ensure that the secret contains all the
  # information necessary for rotation to succeed.
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRDSInstanceAttachment
    Properties:
      SecretId: !Ref MyRDSInstanceRotationSecret
      RotationLambdaARN: !GetAtt MyRotationServerlessApp.Outputs.RotationLambdaARN
      RotationRules:
        AutomaticallyAfterDays: 30

  # This is an AWS::Serverless::Application resource. The Location property is hardcoded to use the SecretsManager team's
  # MySQL single user rotation. The resource creates an IAM role and a Lambda function which uses the role. The Lambda function
  # is passed as the rotation lambda ref to the RotationSchedule resource.
  MyRotationServerlessApp:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: 'arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser'
        SemanticVersion: 1.1.0
      Parameters:
        endpoint: !Sub 'https://secretsmanager.${AWS::Region}.amazonaws.com'
        functionName: SecretsManagerMySQLRotationLambda

Redshift cluster secret rotation example

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "MyRedshiftSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is a Secrets Manager secret for a Redshift cluster",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"'@/\\"
        }
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "myjsondb",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"},
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node"
      }
    },
    "SecretRedshiftAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRedshiftSecret"},
        "TargetId": {"Ref": "MyRedshiftCluster"},
        "TargetType": "AWS::Redshift::Cluster"
      }
    },
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretRedshiftAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRedshiftSecret"},
        "RotationLambdaARN": {"Fn::GetAtt": ["MyRotationServerlessApp", "Outputs.RotationLambdaARN"]},
        "RotationRules": {
          "AutomaticallyAfterDays": 30
        }
      }
    },
    "MyRotationServerlessApp": {
      "Type": "AWS::Serverless::Application",
      "Properties": {
        "Location": {
          "ApplicationId": "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRedshiftRotationSingleUser",
          "SemanticVersion": "1.1.0"
        },
        "Parameters": {
          "endpoint": {"Fn::Sub": "https://secretsmanager.${AWS::Region}.amazonaws.com"},
          "functionName": "SecretsManagerRedshiftRotationLambda"
        }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager"
Resources:

  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRedshiftSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "This is a Secrets Manager secret for an Redshift cluster"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: "\"@'/\\"

  # This is a Redshift cluster resource. The master username and password use dynamic references
  # to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
  # will not log or persist the resolved value. We use a Ref to the secret resource's logical id
  # to construct the dynamic reference, since the secret name is generated by CloudFormation.
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: "myyamldb"
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::password}}'
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
  # the referenced Redshift cluster.
  SecretRedshiftAttachment:
    Type: "AWS::SecretsManager::SecretTargetAttachment"
    Properties:
      SecretId: !Ref MyRedshiftSecret
      TargetId: !Ref MyRedshiftCluster
      TargetType: AWS::Redshift::Cluster

  # This is a RotationSchedule resource. It configures rotation of the password for the referenced secret using a rotation lambda.
  # The first rotation happens at resource creation time, with subsequent rotations scheduled according to the rotation rules.
  # We explicitly depend on the SecretTargetAttachment resource being created to ensure that the secret contains all the
  # information necessary for rotation to succeed.
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretRedshiftAttachment
    Properties:
      SecretId: !Ref MyRedshiftSecret
      RotationLambdaARN: !GetAtt MyRotationServerlessApp.Outputs.RotationLambdaARN
      RotationRules:
        AutomaticallyAfterDays: 30

  # This is an AWS::Serverless::Application resource. The Location property is hardcoded to use the SecretsManager team's
  # Redshift single user rotation. The resource creates an IAM role and a Lambda function which uses the role. The Lambda function
  # is passed as the rotation lambda ref to the RotationSchedule resource.
  MyRotationServerlessApp:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: 'arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRedshiftRotationSingleUser'
        SemanticVersion: 1.1.0
      Parameters:
        endpoint: !Sub 'https://secretsmanager.${AWS::Region}.amazonaws.com'
        functionName: SecretsManagerRedshiftRotationLambda

DocumentDB cluster secret rotation example

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "MyDocDBClusterRotationSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "A Secrets Manager secret for my DocDB Cluster",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"someadmin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"@/"
        }
      }
    },
    "SecretDocDBClusterAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyDocDBClusterRotationSecret"},
        "TargetId": {"Ref": "MyDocDBCluster"},
        "TargetType": "AWS::DocDB::DBCluster"
      }
    },
    "MyDocDBCluster": {
      "Type": "AWS::DocDB::DBCluster",
      "Properties": {
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"}
      }
    },
    "MySecretRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "DependsOn": "SecretDocDBClusterAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyDocDBClusterRotationSecret"},
        "RotationLambdaARN": {"Fn::GetAtt": ["MyRotationServerlessApp", "Outputs.RotationLambdaARN"]},
        "RotationRules": {
          "AutomaticallyAfterDays": 30
        }
      }
    },
    "MyRotationServerlessApp": {
      "Type": "AWS::Serverless::Application",
      "Properties": {
        "Location": {
          "ApplicationId": "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerMongoDBRotationSingleUser",
          "SemanticVersion": "1.1.0"
        },
        "Parameters": {
          "endpoint": {"Fn::Sub": "https://secretsmanager.${AWS::Region}.amazonaws.com"},
          "functionName": "SecretsManagerDocDBRotationLambda"
        }
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager"
Resources:

  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyDocDBClusterRotationSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: 'This is my DocDB cluster secret'
      GenerateSecretString:
        SecretStringTemplate: '{"username": "someadmin"}'
        GenerateStringKey: 'password'
        PasswordLength: 16
        ExcludeCharacters: '"@/'
      Tags:
        - Key: AppName
          Value: MyApp

  # This is a DocDB cluster resource. Its master username and password use dynamic references to resolve values from
  # SecretsManager. The dynamic reference guarantees that CloudFormation will not log or persist the resolved value.
  # We sub the Secret resource's logical id in order to construct the dynamic reference, since the Secret's name is being
  # generated by CloudFormation.
  MyDocDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}'

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
  # the referenced DocDB cluster.
  SecretDocDBClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref MyDocDBClusterRotationSecret
      TargetId: !Ref MyDocDBCluster
      TargetType: AWS::DocDB::DBCluster

  # This is a RotationSchedule resource. It configures rotation of the password for the referenced secret using a rotation lambda.
  # The first rotation happens at resource creation time, with subsequent rotations scheduled according to the rotation rules.
  # We explicitly depend on the SecretTargetAttachment resource being created to ensure that the secret contains all the
  # information necessary for rotation to succeed.
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretDocDBClusterAttachment
    Properties:
      SecretId: !Ref MyDocDBClusterRotationSecret
      RotationLambdaARN: !GetAtt MyRotationServerlessApp.Outputs.RotationLambdaARN
      RotationRules:
        AutomaticallyAfterDays: 30

  # This is an AWS::Serverless::Application resource. The Location property is hardcoded to use the SecretsManager team's
  # MongoDB single user rotation. The resource creates an IAM role and a Lambda function which uses the role. The Lambda function
  # is passed as the rotation lambda ref to the RotationSchedule resource.
  MyRotationServerlessApp:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: 'arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerMongoDBRotationSingleUser'
        SemanticVersion: 1.1.0
      Parameters:
        endpoint: !Sub 'https://secretsmanager.${AWS::Region}.amazonaws.com'
        functionName: SecretsManagerDocDBRotationLambda
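All three templates above rely on the same ordering rule: the RotationSchedule must depend on the SecretTargetAttachment, because the first rotation runs at creation time, and it must name a rotation Lambda. As an added check that is not part of the AWS documentation, this Python script reads a CloudFormation template (parsed JSON) and reports schedules that violate either rule; the template it inspects is constructed here, and its DB target Db is assumed to be defined elsewhere.

```python
import json

# Constructed minimal template (not from the AWS docs) that breaks the ordering rule:
# the schedule neither depends on the attachment nor sets RotationLambdaARN.
BAD_TEMPLATE = json.loads("""{
  "Resources": {
    "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
    "DbAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {"SecretId": {"Ref": "DbSecret"}, "TargetId": {"Ref": "Db"},
                     "TargetType": "AWS::RDS::DBInstance"}},
    "Rotation": {"Type": "AWS::SecretsManager::RotationSchedule",
      "Properties": {"SecretId": {"Ref": "DbSecret"},
                     "RotationRules": {"AutomaticallyAfterDays": 30}}}
  }
}""")

def _ref(value):
    """Logical ID behind a {"Ref": ...} node, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None

def rotation_findings(template):
    """Return one message per RotationSchedule problem: the rotated secret must be
    filled by a SecretTargetAttachment that the schedule depends on (the first
    rotation runs at creation time), and a rotation Lambda must be supplied."""
    resources = template.get("Resources", {})
    attachments = {}  # secret logical ID -> attachment logical IDs
    for name, res in resources.items():
        if res.get("Type") == "AWS::SecretsManager::SecretTargetAttachment":
            secret = _ref(res.get("Properties", {}).get("SecretId"))
            attachments.setdefault(secret, []).append(name)
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::SecretsManager::RotationSchedule":
            continue
        props = res.get("Properties", {})
        secret = _ref(props.get("SecretId"))  # None when SecretId is a literal ARN
        deps = res.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        if secret in resources and not attachments.get(secret):
            findings.append(f"{name}: secret {secret} has no SecretTargetAttachment, "
                            "so the first rotation would run against an unpopulated secret")
        elif secret in resources and not set(deps) & set(attachments[secret]):
            findings.append(f"{name}: add DependsOn: {attachments[secret][0]} so the "
                            "attachment populates the secret before the first rotation")
        if "RotationLambdaARN" not in props:
            findings.append(f"{name}: no RotationLambdaARN, so the secret must already "
                            "have a rotation Lambda configured")
    return findings
```

Secrets referenced by a literal ARN rather than a Ref are skipped, since the attachment may live in another stack.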

See also