AWS::SecretsManager::SecretTargetAttachment
The AWS::SecretsManager::SecretTargetAttachment resource completes the final link between a Secrets Manager secret and the database it belongs to. This step is required because the two resources depend on each other: whichever one you create first, the other does not exist yet. To resolve this, create the resources in the following order:
- Define the secret without referencing the service or database. You cannot reference the service or database, because it does not exist yet.
- Next, define the service or database. Include a reference to the secret so that the database's master user and password are taken from the stored credentials.
- Finally, define a SecretTargetAttachment resource type to finish configuring the secret with the required database engine type and the connection details of the service or database. A rotation function needs these details if you later attach one by defining an AWS::SecretsManager::RotationSchedule resource type.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SecretsManager::SecretTargetAttachment",
  "Properties" : {
    "SecretId" : String,
    "TargetId" : String,
    "TargetType" : String
  }
}
YAML
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
  SecretId: String
  TargetId: String
  TargetType: String
Properties
SecretId
The Amazon Resource Name (ARN) or friendly name of the secret that contains the credentials for the specified service or database. To reference a secret that is also created in this template, use the Ref function with the secret's logical ID.
Required: Yes
Type: String
Update requires: No interruption
TargetId
The ARN of the service or database whose credentials are stored in the specified secret.
Required: Yes
Type: String
Minimum: 20
Maximum: 2048
Update requires: No interruption
TargetType
A string that defines the type of service or database associated with the secret. This value tells AWS Secrets Manager how to update the secret with the service or database details. The value must be one of the following:
- AWS::RDS::DBInstance
- AWS::RDS::DBCluster
- AWS::Redshift::Cluster
- AWS::DocDB::DBInstance
- AWS::DocDB::DBCluster
Required: Yes
Type: String
Update requires: No interruption
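The ordering rules above and the TargetType constraint can be checked mechanically before a template is deployed. The following Python script is an added example, not part of the AWS documentation: for every SecretTargetAttachment in a template it verifies that SecretId refers to an AWS::SecretsManager::Secret, that TargetType is one of the supported values, that TargetId refers to a resource of exactly that type, and that the target's master password is taken from a secretsmanager dynamic reference rather than written as a literal. The embedded template (the page's RDS wiring plus a constructed LegacyInstance) and the helper names ref_target, uses_dynamic_ref and check_attachments are assumptions made for this example.

```python
import json

# Supported TargetType values, as listed on this page.
ALLOWED_TARGET_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::Redshift::Cluster",
                        "AWS::DocDB::DBInstance", "AWS::DocDB::DBCluster"}

# Constructed template: the page's RDS wiring plus LegacyInstance, whose master password is a literal (the defect to flag).
TEMPLATE = json.loads(r'''{"Resources": {
  "MyRDSSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {"GenerateStringKey": "password"}}},
  "MyRDSInstance": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql",
    "MasterUserPassword": {"Fn::Join": ["", ["{{resolve:secretsmanager:",
                           {"Ref": "MyRDSSecret"}, ":SecretString:password}}"]]}}},
  "SecretRDSInstanceAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {"SecretId": {"Ref": "MyRDSSecret"}, "TargetId": {"Ref": "MyRDSInstance"},
                   "TargetType": "AWS::RDS::DBInstance"}},
  "LegacyInstance": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"Engine": "mysql", "MasterUserPassword": "PLAINTEXT-PLACEHOLDER"}},
  "LegacyAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {"SecretId": {"Ref": "MyRDSSecret"}, "TargetId": {"Ref": "LegacyInstance"},
                   "TargetType": "AWS::RDS::DBInstance"}}}}''')

def ref_target(value):  # logical ID a {"Ref": ...} names; None for literals such as a raw ARN
    return value.get("Ref") if isinstance(value, dict) else None

def uses_dynamic_ref(value):
    """True if a secretsmanager dynamic reference occurs anywhere in a Fn::Join/Fn::Sub tree."""
    if isinstance(value, str):
        return "{{resolve:secretsmanager:" in value
    if isinstance(value, dict):
        return any(uses_dynamic_ref(v) for v in value.values())
    return isinstance(value, list) and any(uses_dynamic_ref(v) for v in value)

def check_attachments(template):
    """One finding per SecretTargetAttachment whose wiring breaks the rules this page states."""
    resources, findings = template["Resources"], []
    for name, res in resources.items():
        if res.get("Type") != "AWS::SecretsManager::SecretTargetAttachment":
            continue
        props = res.get("Properties", {})
        secret = resources.get(ref_target(props.get("SecretId")) or "")
        if secret is None or secret.get("Type") != "AWS::SecretsManager::Secret":
            findings.append(f"{name}: SecretId does not Ref an AWS::SecretsManager::Secret")
        target_type = props.get("TargetType")
        if target_type not in ALLOWED_TARGET_TYPES:
            findings.append(f"{name}: unsupported TargetType {target_type!r}")
        target = resources.get(ref_target(props.get("TargetId")) or "")
        if target is None or target.get("Type") != target_type:
            findings.append(f"{name}: TargetId does not Ref a resource of type {target_type}")
        elif not uses_dynamic_ref(target.get("Properties", {}).get("MasterUserPassword")):
            findings.append(f"{name}: MasterUserPassword is a literal, not a secretsmanager dynamic reference")
    return findings
```

Running check_attachments(TEMPLATE) reports only LegacyAttachment; the page's own wiring passes all four checks.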
Return values
Ref
When you pass the logical ID of an AWS::SecretsManager::SecretTargetAttachment resource to the intrinsic Ref function, the function returns the ARN of the secret, for example:
arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
This lets you reference a secret that you create in one part of the stack template from the definition of another resource in a different part of the same template.
For more information about using the Ref function, see Ref.
Examples
The following examples create a secret, then create the AWS resource defined by TargetType, using the credentials stored in the secret as the master user and password of the new AWS resource. Finally, the code defines a SecretTargetAttachment object to update the secret with the connection details of the AWS resource.
Supported AWS resources
- Amazon Aurora on Amazon RDS
- MySQL on Amazon RDS
- PostgreSQL on Amazon RDS
- Oracle on Amazon RDS
- MariaDB on Amazon RDS
- Microsoft SQL Server on Amazon RDS
- Amazon DocumentDB
- Amazon Redshift
The JSON specification does not allow comments of any kind. See the YAML examples for comments.
Create a secret on an RDS DB instance
This example template creates an RDS database and a secret.
JSON
{
  "MyRDSSecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a Secrets Manager secret for an RDS DB instance",
      "GenerateSecretString": {
        "SecretStringTemplate": "{\"username\": \"admin\"}",
        "GenerateStringKey": "password",
        "PasswordLength": 16,
        "ExcludeCharacters": "\"@/\\"
      }
    }
  },
  "MyRDSInstance": {
    "Type": "AWS::RDS::DBInstance",
    "Properties": {
      "AllocatedStorage": "20",
      "DBInstanceClass": "db.t2.micro",
      "Engine": "mysql",
      "MasterUsername": {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:username}}"]]},
      "MasterUserPassword": {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": "MyRDSSecret"}, ":SecretString:password}}"]]},
      "BackupRetentionPeriod": 0,
      "DBInstanceIdentifier": "rotation-instance"
    }
  },
  "SecretRDSInstanceAttachment": {
    "Type": "AWS::SecretsManager::SecretTargetAttachment",
    "Properties": {
      "SecretId": {"Ref": "MyRDSSecret"},
      "TargetId": {"Ref": "MyRDSInstance"},
      "TargetType": "AWS::RDS::DBInstance"
    }
  }
}
YAML
# This is a Secret resource with a randomly generated password in its SecretString JSON.
MyRDSSecret:
  Type: "AWS::SecretsManager::Secret"
  Properties:
    Description: "This is a Secrets Manager secret for an RDS DB instance"
    GenerateSecretString:
      SecretStringTemplate: '{"username": "admin"}'
      GenerateStringKey: "password"
      PasswordLength: 16
      ExcludeCharacters: '"@/\'

# This is an RDS instance resource. The master username and password use dynamic references
# to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
# will not log or persist the resolved value. We use a Ref to the secret resource's logical id
# to construct the dynamic reference, since the secret name is generated by CloudFormation.
MyRDSInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    AllocatedStorage: 20
    DBInstanceClass: db.t2.micro
    Engine: mysql
    MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:username}}']]
    MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref MyRDSSecret, ':SecretString:password}}']]
    BackupRetentionPeriod: 0
    DBInstanceIdentifier: 'rotation-instance'

# This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
# the referenced RDS instance
SecretRDSInstanceAttachment:
  Type: "AWS::SecretsManager::SecretTargetAttachment"
  Properties:
    SecretId: !Ref MyRDSSecret
    TargetId: !Ref MyRDSInstance
    TargetType: AWS::RDS::DBInstance
Create a secret on a Redshift cluster
This example template creates a Redshift cluster database and a secret.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRedshiftSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "This is a Secrets Manager secret for a Redshift cluster",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"username\": \"admin\"}",
          "GenerateStringKey": "password",
          "PasswordLength": 16,
          "ExcludeCharacters": "\"'@/\\"
        }
      }
    },
    "MyRedshiftCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "DBName": "myjsondb",
        "MasterUsername": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::username}}"},
        "MasterUserPassword": {"Fn::Sub": "{{resolve:secretsmanager:${MyRedshiftSecret}::password}}"},
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node"
      }
    },
    "SecretRedshiftAttachment": {
      "Type": "AWS::SecretsManager::SecretTargetAttachment",
      "Properties": {
        "SecretId": {"Ref": "MyRedshiftSecret"},
        "TargetId": {"Ref": "MyRedshiftCluster"},
        "TargetType": "AWS::Redshift::Cluster"
      }
    }
  }
}
Create a Redshift cluster using YAML
YAML
AWSTemplateFormatVersion: 2010-09-09
Description: "This is an example template to demonstrate CloudFormation resources for Secrets Manager."
Resources:
  # This is a Secret resource with a randomly generated password in its SecretString JSON.
  MyRedshiftSecret:
    Type: "AWS::SecretsManager::Secret"
    Properties:
      Description: "This is a Secrets Manager secret for a Redshift cluster"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: "password"
        PasswordLength: 16
        ExcludeCharacters: "\"@'/\\"

  # This is a Redshift cluster resource. The master username and password use dynamic references
  # to resolve values from Secrets Manager. The dynamic reference guarantees that CloudFormation
  # will not log or persist the resolved value. We use a Ref to the secret resource's logical id
  # to construct the dynamic reference, since the secret name is generated by CloudFormation.
  MyRedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      DBName: "myyamldb"
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyRedshiftSecret}::password}}'
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"

  # This is a SecretTargetAttachment resource which updates the referenced Secret resource with properties about
  # the referenced Redshift cluster
  SecretRedshiftAttachment:
    Type: "AWS::SecretsManager::SecretTargetAttachment"
    Properties:
      SecretId: !Ref MyRedshiftSecret
      TargetId: !Ref MyRedshiftCluster
      TargetType: AWS::Redshift::Cluster