Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Secrets Manager 密钥的 JSON 结构
您可以在 Secrets Manager 密钥中存储任何文本或二进制文件,最大大小为 65,536 字节。
如果使用 通过 Lambda 函数进行轮换,则密钥必须包含轮换函数所需的特定 JSON 字段。例如,对于包含数据库凭证的密钥,轮换函数会连接到数据库以更新凭证,因此该密钥必须包含数据库连接信息。
如果使用控制台编辑数据库密钥的轮换,则该密钥必须包含标识数据库的特定 JSON 键值对。Secrets Manager 使用这些字段查询数据库,以查找存储轮换函数的正确 VPC。
JSON 键名称区分大小写。
Amazon RDS 和 Aurora 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
- DB2
-
对于 Amazon RDS Db2 实例,由于用户无法更改自己的密码,因此您必须在单独的秘密中提供管理员凭证。
{
"engine": "db2",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<ARN of the elevated secret>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- MariaDB
-
{
"engine": "mariadb",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- MySQL
-
{
"engine": "mysql",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- Oracle
-
{
"engine": "oracle",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name>",
"port": <TCP port number. If not specified, defaults to 1521>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- Postgres
-
{
"engine": "postgres",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to 'postgres'>",
"port": <TCP port number. If not specified, defaults to 5432>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- SQLServer
-
{
"engine": "sqlserver",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to 'master'>",
"port": <TCP port number. If not specified, defaults to 1433>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster.Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
Amazon Redshift 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "redshift",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"dbClusterIdentifier": "<optional: database ID. Required for configuring rotation in the console.>"
"port": <optional: TCP port number. If not specified, defaults to 5439>
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>"
}
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "redshift",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"namespaceName": "<optional: namespace name, Required for configuring rotation in the console.> "
"port": <optional: TCP port number. If not specified, defaults to 5439>
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>"
}
Amazon DocumentDB 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "mongo",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 27017>,
"ssl": <true|false. If not specified, defaults to false>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbClusterIdentifier": "<optional: database cluster ID. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
"dbInstanceIdentifier": "<optional: database instance ID. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>"
}
Amazon Timestream for InfluxDB 密钥结构
要轮换 Timestream 密钥,您可以使用 Amazon Timestream for InfluxDB 轮换模板。
有关更多信息,请参阅《Amazon Timestream 开发人员指南》中的 Amazon Timestream for InfluxDB 如何使用密钥。
Timestream 密钥必须采用正确的 JSON 结构才能使用轮换模板。有关更多信息,请参阅《Amazon Timestream 开发人员指南》中的密钥的内容。
Amazon ElastiCache 凭证
以下示例显示了存储 ElastiCache 凭证的密钥的 JSON 结构。
{
"password": "<password>",
"username": "<username>"
"user_arn": "ARN of the Amazon EC2 user"
}
有关更多信息,请参阅 Amazon 用户指南中的自动轮换 ElastiCache 用户密码。
Active Directory 凭证
Amazon Directory Service 使用密钥存储活动目录凭证。有关更多信息,请参阅《Amazon Directory Service 管理指南》中的将 Amazon EC2 Linux 实例无缝加入您的托管 AD Active Directory。无缝加入域名需要以下示例中的键名称。如果不使用无缝域加入,则可以使用环境变量更改密钥中键的名称,如轮换函数模板代码中所述。
要轮换 Active Directory 密钥,您可以使用 Active Directory 轮换模板。
- Active Directory credential
-
{
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>"
}
如果要轮换密钥,请包括域目录 ID。
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>"
}
如果将该密钥与包含密钥表的密钥一起使用,则将该密钥表密钥包括在内。 ARNs
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>",
"directoryServiceSecretVersion": 1,
"schemaVersion": "1.0",
"keytabArns": [
"<ARN of child keytab secret 1>,
"<ARN of child keytab secret 2>,
"<ARN of child keytab secret 3>,
],
"lastModifiedDateTime": "2021-07-19 17:06:58"
}
- Active Directory keytab
-
有关使用密钥表文件对亚马逊上的活动目录账户进行身份验证的信息 EC2,请参阅在 Amazon Linux 2 上使用 SQL Server 2017 部署和配置活动目录身份验证。
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"schemaVersion": "1.0",
"name": "< name>",
"principals": [
"aduser@MY.EXAMPLE.COM",
"MSSQLSvc/test:1433@MY.EXAMPLE.COM"
],
"keytabContents": "<keytab>",
"parentSecretArn": "<ARN of parent secret>",
"lastModifiedDateTime": "2021-07-19 17:06:58"
"version": 1
}