我已经设置了一个运行PHP的EC2实例。仅用于测试,该实例位于具有允许所有流量到0.0.0.0/0的安全组的公用子网中。路由表具有到10.0.0.0/16(VPC的CIDR块(的默认本地路由和到位于0.0.0.0/0的互联网网关的路由。与子网相关联的NACL允许所有业务在0.0.0.0/0处进出。我知道这是公开的,但我想确保我遇到的问题与安全组和NACL无关。
我创建了一个Secrets Manager机密MySecret-xxxxx,并使用以下策略将IAM角色附加到该实例,以允许该实例访问机密:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:eu-west-2:xxxxxxxxx:secret:MySecret-xxxxx"
}
]
}
我已经在名为sdks的子文件夹中的实例上安装了AWS SDK for PHP,最后创建了一个"Hello World"index.PHP文件,该文件运行良好,直到我尝试在AWS提供的设置信息的简化版本中运行getSecretValue。这是PHP代码:
<?php
require 'sdks/aws/aws-autoloader.php';
use AwsSecretsManagerSecretsManagerClient;
use AwsExceptionAwsException;
$client = new SecretsManagerClient( [
'profile' => 'default',
'version' => 'latest',
'region' => 'eu-west-2'
] );
$secretName = 'MySecret-xxxxx';
echo '<h1>Hello World</h1>';
$result = $client->getSecretValue([
'SecretId' => $secretName,
]);
?>
一旦我包含了$result = $client->getSecretValue([...代码块,我就会收到一条HTTP ERROR 500错误消息,尽管没有它也能很好地工作。我在CLI上运行了aws secretsmanager get-secret-value --secret-id MySecret-xxxxx --region eu-west-2,它正确地返回了机密详细信息。
终于明白了——尽管我在EC2实例的/home/ec2-user/.aws文件夹中创建了一个凭据文件,但我仍然必须通过SDK检索凭据。为什么这被排除在AWS提供的Secrets Manager示例代码之外,我无法理解。完整的工作代码现在看起来是这样的:
<?php
require 'vendor/autoload.php';
use AwsCredentialsCredentialProvider;
use AwsSecretsManagerSecretsManagerClient;
use AwsExceptionAwsException;
$provider = CredentialProvider::defaultProvider();
$client = new SecretsManagerClient( [
'credentials' => $provider,
'version' => 'latest',
'region' => 'eu-west-2'
] );
$secretName = 'MySecret-xxxxx';
try {
$result = $client->getSecretValue( [
'SecretId' => $secretName,
] );
} catch ( AwsException $e ) {
$error = $e->getAwsErrorCode();
if ( $error == 'DecryptionFailureException' ) { // Can't decrypt the protected secret text using the provided AWS KMS key.
throw $e;
}
if ( $error == 'InternalServiceErrorException' ) { // An error occurred on the server side.
throw $e;
}
if ( $error == 'InvalidParameterException' ) { // Invalid parameter value.
throw $e;
}
if ( $error == 'InvalidRequestException' ) { // Parameter value is not valid for the current state of the resource.
throw $e;
}
if ( $error == 'ResourceNotFoundException' ) { // Requested resource not found
throw $e;
}
}
// Decrypts secret using the associated KMS CMK, depends on whether the secret is a string or binary.
if ( isset( $result[ 'SecretString' ] ) ) {
$secret = $result[ 'SecretString' ];
} else {
$secret = base64_decode( $result[ 'SecretBinary' ] );
}
// Decode the secret json
$secrets = json_decode( $secret, true );
echo( '<p>hostname/ipaddress: ' . $secrets[ 'host' ] . '</p><p>username: ' . $secrets[ 'username' ] . '</p><p>password: ' . $secrets[ 'password' ] . '</p><p>dbname: ' . $secrets[ 'dbname' ] . '</p>' );