
JSON structure of Amazon Secrets Manager secrets

You can store any text or binary data in a Secrets Manager secret. If you want to turn on automatic rotation for a secret, it must have the correct JSON structure: during rotation, Secrets Manager uses the information in the secret to connect to the credential source and update the credentials there. JSON key names are case sensitive, so a rotation function that looks up "username" will not find a key spelled "Username".

Note that when you use the console to store a database secret, Secrets Manager creates the secret with the correct JSON structure automatically.

You can add more key-value pairs to a secret, for example to include connection information for replica databases in other Regions in a database secret. Rotation functions ignore keys they do not use, but they require the documented ones to be present with exactly these names.

Amazon RDS Db2 secret structure

For Amazon RDS for Db2 instances, users cannot change their own password, so you must supply administrator credentials in a separate secret and reference it with masterarn. Set port explicitly: the default listed in the structure (3306) is the MySQL port, whereas RDS for Db2 listens on port 50000 by default.

    {
      "engine": "db2",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 3306>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon RDS MariaDB secret structure

    {
      "engine": "mariadb",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 3306>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "mariadb",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 3306>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon RDS and Amazon Aurora MySQL secret structure

    {
      "engine": "mysql",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 3306>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "mysql",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 3306>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon RDS Oracle secret structure

    {
      "engine": "oracle",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<required: database name>",
      "port": <optional: TCP port number. If not specified, defaults to 1521>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "oracle",
      "host": "<required: instance host name/resolvable DNS name>",
      "username": "<required: username>",
      "password": "<required: password>",
      "dbname": "<required: database name>",
      "port": <optional: TCP port number. If not specified, defaults to 1521>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon RDS and Amazon Aurora PostgreSQL secret structure

    {
      "engine": "postgres",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to 'postgres'>",
      "port": <TCP port number. If not specified, defaults to 5432>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "postgres",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to 'postgres'>",
      "port": <TCP port number. If not specified, defaults to 5432>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon RDS Microsoft SQL Server secret structure

    {
      "engine": "sqlserver",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to 'master'>",
      "port": <TCP port number. If not specified, defaults to 1433>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "sqlserver",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to 'master'>",
      "port": <TCP port number. If not specified, defaults to 1433>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon DocumentDB secret structure

    {
      "engine": "mongo",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 27017>,
      "ssl": <true|false. If not specified, defaults to false>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials. Note that ssl defaults to false, so a rotation function connects in the clear unless you set it to true.

    {
      "engine": "mongo",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 27017>,
      "masterarn": "<the ARN of the elevated secret>",
      "ssl": <true|false. If not specified, defaults to false>
    }

Amazon Redshift secret structure

    {
      "engine": "redshift",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 5439>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "redshift",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "port": <TCP port number. If not specified, defaults to 5439>,
      "masterarn": "<the ARN of the elevated secret>"
    }

Amazon Redshift Serverless secret structure

    {
      "engine": "redshift",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "namespaceName": "<namespace name>",
      "port": <TCP port number. If not specified, defaults to 5439>
    }

To use the Alternating users rotation strategy, you must add masterarn, the ARN of a secret that contains administrator or superuser credentials.

    {
      "engine": "redshift",
      "host": "<instance host name/resolvable DNS name>",
      "username": "<username>",
      "password": "<password>",
      "dbname": "<database name. If not specified, defaults to None>",
      "namespaceName": "<namespace name>",
      "port": <TCP port number. If not specified, defaults to 5439>,
      "masterarn": "<the ARN of the elevated secret>"
    }
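The database structures above all share the same shape, and the mistakes that break rotation are the same for every engine: a key with the wrong case, a port stored as a string, a missing dbname for Oracle, or a missing masterarn when the Alternating users strategy (or Db2) needs one. The following is an added example, not code from the AWS documentation or the rotation function templates: a validator you can run against a SecretString before turning on rotation. The per-engine defaults are the ones listed in the structures on this page; the ARN shape check and the Db2 port caveat (RDS for Db2 listens on 50000 by default) are the example's own assumptions.

```python
import json

# Per-engine defaults as listed in the structures on this page: (port, dbname).
# None means the rotation function passes no database name unless you set one.
ENGINE_DEFAULTS = {
    "db2":       (3306, None),
    "mariadb":   (3306, None),
    "mysql":     (3306, None),
    "oracle":    (1521, None),       # dbname is required for oracle, see below
    "postgres":  (5432, "postgres"),
    "sqlserver": (1433, "master"),
    "mongo":     (27017, None),
    "redshift":  (5439, None),
}

REQUIRED_KEYS = ("engine", "host", "username", "password")


def looks_like_secret_arn(value):
    """Loose shape check for a Secrets Manager secret ARN
    (arn:<partition>:secretsmanager:<region>:<account>:secret:<name>).
    This is the example's own assumption, not an AWS validation routine."""
    return (isinstance(value, str) and value.startswith("arn:")
            and ":secretsmanager:" in value and ":secret:" in value)


def validate_db_secret(secret_string, alternating_users=False):
    """Parse a database secret's SecretString and return (normalized, problems).

    normalized has the documented defaults filled in; an empty problems list
    means the body has the structure a rotation function expects.
    """
    problems = []
    try:
        body = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return None, ["SecretString is not valid JSON: %s" % exc]
    if not isinstance(body, dict):
        return None, ["SecretString must be a JSON object"]

    # Key names are case sensitive: "Host" does not satisfy "host".
    for key in REQUIRED_KEYS:
        if key not in body:
            near = [k for k in body if k.lower() == key]
            hint = " (found %r instead; key names are case sensitive)" % near[0] if near else ""
            problems.append("missing required key '%s'%s" % (key, hint))

    engine = body.get("engine")
    if engine not in ENGINE_DEFAULTS:
        problems.append("unsupported engine value %r" % (engine,))
        return body, problems
    default_port, default_db = ENGINE_DEFAULTS[engine]

    # The structure specifies port as a JSON number, not a quoted string.
    port = body.get("port", default_port)
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be a JSON integer in 1..65535, got %r" % (port,))
    if engine == "db2" and "port" not in body:
        problems.append("db2: set port explicitly; RDS for Db2 listens on 50000 by default, "
                        "not the 3306 listed as the template default")

    dbname = body.get("dbname", default_db)
    if engine == "oracle" and not dbname:
        problems.append("oracle: dbname is required")

    if engine == "mongo" and "ssl" in body and not isinstance(body["ssl"], bool):
        problems.append("mongo: ssl must be a JSON boolean (true/false)")

    # Db2 always needs the elevated secret; other engines only for alternating users.
    if alternating_users or engine == "db2":
        if not looks_like_secret_arn(body.get("masterarn")):
            problems.append("masterarn must be the ARN of the secret holding admin/superuser credentials")
    elif "masterarn" in body and not looks_like_secret_arn(body["masterarn"]):
        problems.append("masterarn is present but is not a Secrets Manager secret ARN")

    normalized = dict(body, port=port, dbname=dbname)
    return normalized, problems


# Constructed sample bodies for the demonstration (no real hosts or credentials).
GOOD_POSTGRES = json.dumps({
    "engine": "postgres",
    "host": "db.example.internal",
    "username": "app_user",
    "password": "placeholder",
})
BAD_MYSQL = json.dumps({
    "engine": "mysql",
    "Host": "db.example.internal",   # wrong case
    "username": "app_user",
    "password": "placeholder",
    "port": "3306",                  # string instead of number
})

if __name__ == "__main__":
    for label, body, alternating in (("postgres", GOOD_POSTGRES, False),
                                     ("mysql", BAD_MYSQL, True)):
        normalized, problems = validate_db_secret(body, alternating_users=alternating)
        print(label, "OK" if not problems else problems)
```

Run it against the output of get-secret-value before you attach the rotation function; the normalized dict also shows you which defaults the function would silently apply (for example dbname "postgres" and port 5432 for the PostgreSQL sample).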

Amazon ElastiCache secret structure

    {
      "password": "<password>",
      "username": "<username>",
      "user_arn": "<ARN of the ElastiCache user>"
    }

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.

Active Directory secret structure

Amazon Directory Service uses a secret to store Active Directory credentials. For more information, see Seamlessly join an Amazon EC2 Linux instance to your Amazon Managed Microsoft AD directory in the Amazon Directory Service Administration Guide. Seamless domain join requires the key names shown in the following examples. If you do not use seamless domain join, you can change the key names with environment variables, as described in the rotation function template code.

To rotate an Active Directory secret, you can use the Active Directory rotation templates.

Active Directory credentials secret structure

    {
      "awsSeamlessDomainUsername": "<username>",
      "awsSeamlessDomainPassword": "<password>"
    }

If you want to rotate the secret, you must also include the directory ID.

    {
      "awsSeamlessDomainDirectoryId": "d-12345abc6e",
      "awsSeamlessDomainUsername": "<username>",
      "awsSeamlessDomainPassword": "<password>"
    }

If you use the secret together with secrets that contain keytabs, you must include the ARNs of the keytab secrets.

    {
      "awsSeamlessDomainDirectoryId": "d-12345abc6e",
      "awsSeamlessDomainUsername": "<username>",
      "awsSeamlessDomainPassword": "<password>",
      "directoryServiceSecretVersion": 1,
      "schemaVersion": "1.0",
      "keytabArns": [
        "<ARN of child keytab secret 1>",
        "<ARN of child keytab secret 2>",
        "<ARN of child keytab secret 3>"
      ],
      "lastModifiedDateTime": "2021-07-19 17:06:58"
    }

Active Directory keytab secret structure

For information about using keytab files to authenticate Active Directory accounts on Amazon EC2, see Deploy and configure Active Directory authentication with SQL Server 2017 on Amazon Linux 2.

    {
      "awsSeamlessDomainDirectoryId": "d-12345abc6e",
      "schemaVersion": "1.0",
      "name": "<name>",
      "principals": [
        "aduser@MY.EXAMPLE.COM",
        "MSSQLSvc/test:1433@MY.EXAMPLE.COM"
      ],
      "keytabContents": "<keytab>",
      "parentSecretArn": "<ARN of parent secret>",
      "lastModifiedDateTime": "2021-07-19 17:06:58",
      "version": 1
    }
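The parent credentials secret and its keytab secrets reference each other: the parent lists the children in keytabArns, and each child points back with parentSecretArn and repeats the directory ID and schemaVersion. When rotation rewrites a keytab, a dangling or mismatched reference is the usual failure. The following added example (not AWS code, and not the rotation template) cross-checks a parent body against the bodies of the secrets it lists. The ARNs, directory ID and keytab placeholder are constructed for the demonstration; the realm check on principals is the example's own assumption about the name[/instance]@REALM form of Kerberos principals.

```python
import json

KEY_NAMES = ("awsSeamlessDomainDirectoryId",
             "awsSeamlessDomainUsername",
             "awsSeamlessDomainPassword")


def check_ad_secrets(parent_arn, parent_string, children):
    """Cross-check an AD credentials secret against its keytab secrets.

    parent_arn:    ARN of the credentials (parent) secret
    parent_string: its SecretString
    children:      dict mapping keytab secret ARN -> that secret's SecretString
    Returns a list of problems; empty means the parent and children agree.
    """
    problems = []
    parent = json.loads(parent_string)
    # Seamless domain join and the rotation template look these names up verbatim.
    for key in KEY_NAMES:
        if key not in parent:
            problems.append("parent: missing '%s'" % key)
    directory_id = parent.get("awsSeamlessDomainDirectoryId", "")
    if not directory_id.startswith("d-"):
        problems.append("parent: directory ID %r does not look like a Directory Service ID (d-...)" % directory_id)

    listed = parent.get("keytabArns", [])
    if not isinstance(listed, list):
        problems.append("parent: keytabArns must be a JSON array of secret ARNs")
        listed = []
    for arn in listed:
        if arn not in children:
            problems.append("parent lists %s but that secret was not supplied" % arn)
            continue
        child = json.loads(children[arn])
        if child.get("parentSecretArn") != parent_arn:
            problems.append("%s: parentSecretArn does not point back to the parent" % arn)
        if child.get("awsSeamlessDomainDirectoryId") != directory_id:
            problems.append("%s: directory ID differs from the parent's" % arn)
        if child.get("schemaVersion") != parent.get("schemaVersion"):
            problems.append("%s: schemaVersion differs from the parent's" % arn)
        if not child.get("keytabContents"):
            problems.append("%s: keytabContents is empty" % arn)
        for principal in child.get("principals", []):
            # A Kerberos principal is name[/instance]@REALM; without a realm
            # the keytab entry cannot be matched to the domain.
            if "@" not in principal or not principal.rsplit("@", 1)[1]:
                problems.append("%s: principal %r has no realm" % (arn, principal))
    for arn in children:
        if arn not in listed:
            problems.append("%s was supplied but is not in the parent's keytabArns" % arn)
    return problems


# Constructed ARNs and bodies for the demonstration (no real account or keytab).
PARENT_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-creds-AbCdEf"
SQL_KEYTAB_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-keytab-sql-GhIjKl"
WEB_KEYTAB_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-keytab-web-MnOpQr"
DIRECTORY_ID = "d-12345abc6e"


def make_keytab_secret(parent_arn, name, principals):
    """Build a keytab secret body in the structure shown above."""
    return json.dumps({
        "awsSeamlessDomainDirectoryId": DIRECTORY_ID,
        "schemaVersion": "1.0",
        "name": name,
        "principals": principals,
        "keytabContents": "BQIAAAA...",      # placeholder, not a real keytab
        "parentSecretArn": parent_arn,
        "lastModifiedDateTime": "2021-07-19 17:06:58",
        "version": 1,
    })


PARENT = json.dumps({
    "awsSeamlessDomainDirectoryId": DIRECTORY_ID,
    "awsSeamlessDomainUsername": "svc-domainjoin",
    "awsSeamlessDomainPassword": "placeholder",
    "directoryServiceSecretVersion": 1,
    "schemaVersion": "1.0",
    "keytabArns": [SQL_KEYTAB_ARN, WEB_KEYTAB_ARN],
    "lastModifiedDateTime": "2021-07-19 17:06:58",
})

# The web keytab points at a different parent: the check must flag it.
CHILDREN = {
    SQL_KEYTAB_ARN: make_keytab_secret(PARENT_ARN, "sql", ["MSSQLSvc/test:1433@MY.EXAMPLE.COM"]),
    WEB_KEYTAB_ARN: make_keytab_secret(
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:other-StUvWx",
        "web", ["HTTP/web.my.example.com@MY.EXAMPLE.COM"]),
}

if __name__ == "__main__":
    for problem in check_ad_secrets(PARENT_ARN, PARENT, CHILDREN):
        print(problem)
```

In practice you would fill the children dict by calling get-secret-value for each ARN in the parent's keytabArns; the check is deliberately offline so it can run in a pre-deployment pipeline step.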