AWS::SecretsManager::SecretTargetAttachment - AWS CloudFormation
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

AWS::SecretsManager::SecretTargetAttachment

The AWS::SecretsManager::SecretTargetAttachment resource completes the final link between a Secrets Manager secret and the database it is associated with. This is required because the two depend on each other: whichever one you create first, the other does not exist yet. To resolve this, you must create the resources in the following order:

  1. Define the secret without referencing the service or database. You cannot reference the service or database, because it does not exist yet.

  2. Next, define the service or database. Include a reference to the secret so that the database's master user and password are taken from the stored credentials.

  3. Finally, define a SecretTargetAttachment resource type to complete the configuration of the secret with the required database engine type and the connection details of the service or database. If you later attach a rotation function by defining an AWS::SecretsManager::RotationSchedule resource type, the rotation function needs these details.
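An added check that is not part of the AWS documentation: a small Python linter that verifies a template (loaded as JSON) follows the three steps above for every SecretTargetAttachment, and also flags a target whose MasterUserPassword is not a Secrets Manager dynamic reference. The sample template and the resource names in it (DbSecret, GoodDb, BadDb, and so on) are constructed for this example.

```python
import re

ALLOWED_TARGET_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::Redshift::Cluster",
                        "AWS::DocDB::DBInstance", "AWS::DocDB::DBCluster"}

def logical_refs(node):
    """Logical IDs referenced via Ref, or as ${Name} inside Fn::Sub, anywhere under node."""
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    found = set().union(*(logical_refs(v) for v in children))
    if isinstance(node, dict) and isinstance(node.get("Ref"), str):
        found.add(node["Ref"])
    if isinstance(node, dict) and isinstance(node.get("Fn::Sub"), str):
        found.update(re.findall(r"\$\{(\w+)\}", node["Fn::Sub"]))
    return found

def check_attachments(template):
    """Findings per SecretTargetAttachment; an empty list means the wiring follows the documented order."""
    res, out = template.get("Resources", {}), []
    ref = lambda v: v.get("Ref") if isinstance(v, dict) else None  # a literal ARN points outside the stack
    for name, att in res.items():
        if att.get("Type") != "AWS::SecretsManager::SecretTargetAttachment":
            continue
        p = att.get("Properties", {})
        secret, target, ttype = ref(p.get("SecretId")), ref(p.get("TargetId")), p.get("TargetType")
        if res.get(secret, {}).get("Type") != "AWS::SecretsManager::Secret" or target not in res:
            out.append(f"{name}: SecretId and TargetId must Ref a Secret and a target defined in this template")
            continue
        if ttype not in ALLOWED_TARGET_TYPES or res[target].get("Type") != ttype:
            out.append(f"{name}: TargetType {ttype!r} is unsupported or does not match {target}'s Type")
        if target in logical_refs(res[secret]):  # step 1: the secret must not depend on the target
            out.append(f"{secret}: secret must not reference {target}")
        tp = res[target].get("Properties", {})   # step 2: the target takes its password from the secret
        if secret not in logical_refs(tp) or "{{resolve:secretsmanager:" not in str(tp.get("MasterUserPassword")):
            out.append(f"{target}: MasterUserPassword should be a dynamic reference to {secret}")
    return out

# Constructed sample: a correct secret/instance/attachment trio, plus a second instance with a hard-coded password whose attachment names a TargetType that does not match the resource.
SAMPLE = {"Resources": {
    "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {
        "SecretStringTemplate": '{"username": "admin"}', "GenerateStringKey": "password"}}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql", "MasterUserPassword":
        {"Fn::Sub": "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"}}},
    "GoodAttach": {"Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": {
        "SecretId": {"Ref": "DbSecret"}, "TargetId": {"Ref": "GoodDb"}, "TargetType": "AWS::RDS::DBInstance"}},
    "BadDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql", "MasterUserPassword": "Hunter2!"}},
    "BadAttach": {"Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": {
        "SecretId": {"Ref": "DbSecret"}, "TargetId": {"Ref": "BadDb"}, "TargetType": "AWS::RDS::DBCluster"}}}}

if __name__ == "__main__":
    print("\n".join(check_attachments(SAMPLE)) or "no findings")
```

For a YAML template, parse it with a CloudFormation-aware loader (short-form tags such as !Ref and !Sub must map to the same Ref and Fn::Sub keys) before passing it to check_attachments.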

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

```json
{
  "Type" : "AWS::SecretsManager::SecretTargetAttachment",
  "Properties" : {
      "SecretId" : String,
      "TargetId" : String,
      "TargetType" : String
    }
}
```

YAML

```yaml
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
  SecretId: String
  TargetId: String
  TargetType: String
```

Properties

SecretId

The Amazon Resource Name (ARN) or friendly name of the secret that contains the credentials for the specified service or database. To reference a secret that is also created in this template, use the Ref function with the secret's logical ID.

Required: Yes

Type: String

Update requires: No interruption

TargetId

The ARN of the service or database whose credentials are stored in the specified secret.

Required: Yes

Type: String

Minimum: 20

Maximum: 2048

Update requires: No interruption

TargetType

A string that defines the type of service or database associated with the secret. This value tells AWS Secrets Manager how to update the secret with the details of the service or database. The value must be one of the following:

  • AWS::RDS::DBInstance

  • AWS::RDS::DBCluster

  • AWS::Redshift::Cluster

  • AWS::DocDB::DBInstance

  • AWS::DocDB::DBCluster

Required: Yes

Type: String

Update requires: No interruption

Return values

Ref

When you pass the logical ID of an AWS::SecretsManager::SecretTargetAttachment resource to the intrinsic Ref function, the function returns the ARN of the secret, for example:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

This lets you reference a secret that you create in one part of the stack template from the definition of another resource in a different part of the same template.

For more information about using the Ref function, see Ref.

Examples

The following example creates a secret, then uses the credentials stored in the secret as the master user and password of a new AWS resource of the type defined by TargetType. Finally, the code defines a SecretTargetAttachment object to update the secret with the connection details of the AWS resource.

Supported AWS resources

  • Amazon Aurora on Amazon RDS

  • MySQL on Amazon RDS

  • PostgreSQL on Amazon RDS

  • Oracle on Amazon RDS

  • MariaDB on Amazon RDS

  • Microsoft SQL Server on Amazon RDS

  • Amazon DocumentDB

  • Amazon Redshift

Note

The JSON specification does not allow comments of any kind. See the YAML example for comments.

Create a secret for an RDS DB instance

This example template creates an RDS database and a secret.

JSON

```json
{
  "MyRDSSecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a Secrets Manager secret for an RDS DB instance",
      "GenerateSecretString": {
        "SecretStringTemplate": "{\"username\": \"admin\"}",
        "GenerateStringKey": "password",
        "PasswordLength": 16,
        "ExcludeCharacters": "\"@/\\"
      }
    }
  },
  "MyRDSInstance": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "AllocatedStorage": "20",
      "DBInstanceClass": "db.t2.micro",
      "Engine": "mysql",
      "MasterUsername": {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:username}}"]]},
      "MasterUserPassword": {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:password}}"]]},
      "BackupRetentionPeriod": 0,
      "DBInstanceIdentifier": "rotation-instance"
    }
  },
  "SecretRDSInstanceAttachment": {
    "Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {
      "SecretId": {"Ref": "MyRDSSecret"},
      "TargetId": {"Ref": "MyRDSInstance"},
      "TargetType": "AWS::RDS::DBInstance"
    }
  }
}
```

YAML

```yaml
# This is a Secret resource with a randomly generated password in its SecretString JSON.
MyRDSSecret:
  Type: "AWS::SecretsManager::Secret"
  Properties:
    Description: "This is a Secrets Manager secret for an RDS DB instance"
    GenerateSecretString:
      SecretStringTemplate: '{"username": "admin"}'
      GenerateStringKey: "password"
      PasswordLength: 16
      ExcludeCharacters: '"@/\'

# This is an RDS instance resource. The master username and password use dynamic references
# to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
# will not log or persist the resolved value. We use a Ref to the secret resource's logical id
# to construct the dynamic reference, since the secret name is generated by CloudFormation.
MyRDSInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: 20
    DBInstanceClass: db.t2.micro
    Engine: mysql
    MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:username}}' ]]
    MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:password}}' ]]
    BackupRetentionPeriod: 0
    DBInstanceIdentifier: 'rotation-instance'

# This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
# the referenced RDS instance
SecretRDSInstanceAttachment:
  Type: "AWS::SecretsManager::SecretTargetAttachment"
  Properties:
    SecretId: !Ref MyRDSSecret
    TargetId: !Ref MyRDSInstance
    TargetType: AWS::RDS::DBInstance
```

Create a secret for a Redshift cluster

This example template creates a Redshift cluster database and a secret.

JSON

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRedshiftSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is a Secrets Manager secret for a Redshift cluster",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"'@/\\"
        }
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "myjsondb",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"},
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node"
      }
    },
    "SecretRedshiftAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRedshiftSecret"},
        "TargetId": {"Ref": "MyRedshiftCluster"},
        "TargetType": "AWS::Redshift::Cluster"
      }
    }
  }
}
```

Create a Redshift cluster using YAML

YAML

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager."
Resources:
  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRedshiftSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "This is a Secrets Manager secret for a Redshift cluster"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: "\"@'/\\"

  # This is a Redshift cluster resource. The master username and password use dynamic references
  # to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
  # will not log or persist the resolved value. We use a Ref to the secret resource's logical id
  # to construct the dynamic reference, since the secret name is generated by CloudFormation.
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: "myyamldb"
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::password}}'
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
  # the referenced Redshift cluster
  SecretRedshiftAttachment:
    Type: "AWS::SecretsManager::SecretTargetAttachment"
    Properties:
      SecretId: !Ref MyRedshiftSecret
      TargetId: !Ref MyRedshiftCluster
      TargetType: AWS::Redshift::Cluster
```

See also