我有下面的CloudFormation模板,它主要创建一个秘密和一个EC2。我想更改EC2中的一些配置文件,我需要使用用户数据将Secrets中的值放入变量中,但我无法从Secrets获得值。你能帮我查一下吗
AWSTemplateFormatVersion: 2010-09-09
Description: builds secretsManager and ec2
Parameters:
EnvironmentName:
Type: String
SharedVpcID:
Type: AWS::EC2::VPC::Id
SharedPubSubnetID1:
Type: AWS::EC2::Subnet::Id
SharedPubSubnetID2:
Type: AWS::EC2::Subnet::Id
PrivateSubnetId:
Type: AWS::EC2::Subnet::Id
SecretValue:
Type: String
Default: "{{resolve:secretsmanager:${SecretsManager}:SecretString:password}}"
Resources:
SharedVPCDefaultSecurityGroup:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://advanced-artefacts.s3-eu-west-1.amazonaws.com/internal/templates/sg/securitygroup.yaml
Parameters:
EnvironmentName: !Ref EnvironmentName
VPCID: !Ref SharedVpcID
SecretsManager:
Type: AWS::SecretsManager::Secret
Properties:
Description: 'This is my rds instance secret'
GenerateSecretString:
SecretStringTemplate: '{"username": "admin"}'
GenerateStringKey: 'password'
PasswordLength: 16
ExcludeCharacters: '"@/'
WebInstance:
Type: AWS::EC2::Instance
Properties:
InstanceType: t2.micro
ImageId: ami-08b993f76f42xxxxx
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeviceIndex: "0"
GroupSet:
- !GetAtt SharedVPCDefaultSecurityGroup.Outputs.DefaultSecurityGroup
SubnetId: !Ref SharedPubSubnetID1
KeyName: xxx
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
PasswordStr1='{{resolve:secretsmanager:${SecretsManager}:SecretString:password}}'
export $PasswordStr1
sudo echo $PasswordStr1
PasswordStr2={SecretValue}
export $PasswordStr2
sudo echo $PasswordStr2
遗憾的是,这将不起作用。您试图在用户数据中使用secretmanager是一个安全风险,因为它会将您的密码以明文形式留在用户数据中。而且secretmanager动态参数只能在资源的属性中使用。
相反,您应该在用户数据中使用AWS CLI从机密管理器获取机密。这将要求AWS实例角色在执行UserData时具有访问管理器的权限。