How to expose AWS credentials through Java properties for the AWS Parameter Store Spring property source



From the docs: http://cloud.spring.io/spring-cloud-static/spring-cloud-aws/2.0.0.RC2/single/spring-cloud-aws.html#_parameter_store_configuration_credentials_and_region_configuration

The Parameter Store Configuration support uses the bootstrap context to configure a default AWSSimpleSystemsManagement client, which uses a com.amazonaws.auth.DefaultAWSCredentialsProviderChain and com.amazonaws.regions.DefaultAwsRegionProviderChain.

Documentation for the provider chain: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

I'd like to avoid using environment variables or command-line properties, since they are fairly likely to leak into a log somewhere in production. The best option I see is a .properties file. Per the first link, since the module is loaded in the bootstrap context, I figured the "Spring" way would be to put these properties in a bootstrap.properties file (per the spring-cloud docs: https://cloud.spring.io/spring-cloud-static/spring-cloud.html#_the_bootstrap_application_context).

So my project looks like this:

/src/main/resources/bootstrap.properties

aws.accessKeyId = SECRET
aws.secretKey   = ALSOSECRET

pom.xml

...
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Finchley.RC2</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
...
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-aws-parameter-store-config</artifactId>
        <version>2.0.0.RC2</version>
    </dependency>
</dependencies>
...

Note that I also expose the AWS_REGION environment variable, which was the first hurdle to get over. I'm running Java 8 and can reproduce the behavior below when running from both Eclipse and command-line Maven.

On startup I get this stack trace:

2018-06-11 13:20:57.092  INFO 2272 --- [           main] s.c.a.AnnotationConfigApplicationContext : Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@359f7cdf: startup date [Mon Jun 11 13:20:57 CDT 2018]; root of context hierarchy
2018-06-11 13:20:57.613  INFO 2272 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'configurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$459ef732] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
.   ____          _            __ _ _
/\ / ___'_ __ _ _(_)_ __  __ _    
( ( )___ | '_ | '_| | '_ / _` |    
\/  ___)| |_)| | | | | || (_| |  ) ) ) )
'  |____| .__|_| |_|_| |___, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot ::        (v2.0.1.RELEASE)
2018-06-11 13:21:00.301 ERROR 2272 --- [           main] c.a.p.AwsParamStorePropertySourceLocator : Fail fast is set and there was an error reading configuration from AWS Parameter Store:
Unable to load AWS credentials from any provider in the chain
2018-06-11 13:21:00.308 ERROR 2272 --- [           main] o.s.boot.SpringApplication               : Application run failed
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:131) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1164) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:762) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:724) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513) ~[aws-java-sdk-core-1.11.251.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:6573) ~[aws-java-sdk-ssm-1.11.251.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:6549) ~[aws-java-sdk-ssm-1.11.251.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:4204) ~[aws-java-sdk-ssm-1.11.251.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4180) ~[aws-java-sdk-ssm-1.11.251.jar:na]
at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySource.getParameters(AwsParamStorePropertySource.java:67) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySource.init(AwsParamStorePropertySource.java:52) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySourceLocator.create(AwsParamStorePropertySourceLocator.java:111) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySourceLocator.locate(AwsParamStorePropertySourceLocator.java:94) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:94) ~[spring-cloud-context-2.0.0.RC2.jar:2.0.0.RC2]
at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:633) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:373) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:325) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1255) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1243) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
at com.company.app.App.main(App.java:10) [classes/:na]

Should I expect this module to see the properties in bootstrap.properties? How else should I provide properties to the bootstrap context?

"I'd like to avoid using environment variables or command-line properties, since they are fairly likely to leak into a log somewhere in production."

Actually, AWS is good enough in this regard that it handles most of the tedious work for you. Your concern is that your credentials will now and forever sit in plain text in logs, and you would like to store them in a file managed by some kind of versioning/repository system. AWS acknowledges this as a possible option, but given the amount of work involved it doesn't consider it the best solution.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

You can have developers store AWS credentials directly within the EC2 instance and allow applications in that instance to use those credentials. But developers would then have to manage the credentials, ensure that they pass them securely to each instance, and update each EC2 instance when it's time to rotate the credentials. That's a lot of additional work.

You can configure AWS to use an IAM role to provide temporary credentials to your EC2 instances when you deploy your application. These roles are limited to the access you define and expire after a short period (up to a few hours).

The error message you posted simply won't occur on a correctly configured EC2 instance. To run in a local test environment or outside the cloud, you can supply credentials in the .aws/credentials store, without having to supply any kind of credentials for access to the QA/PROD EC2 boxes, since the .aws/credentials path is only consulted after the environment variables.

This has immediate benefits for your security and your sanity: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

You do not have to distribute or embed long-term AWS security credentials with an application.

You can provide users with access to your AWS resources without having to define an AWS identity for them. Temporary credentials are the basis for roles and identity federation.

Temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. Once temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.
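As an added example (not code from the question, the answer, or the Spring Cloud AWS project), here is a startup check that mirrors the DefaultAWSCredentialsProviderChain order from the linked SDK docs and reports which provider actually supplied credentials, without ever printing key material. It assumes aws-java-sdk-core 1.11.x (the version in the stack trace) on the classpath; none of these providers reads Spring's Environment (SystemPropertiesCredentialsProvider uses JVM system properties), which is why keys placed in bootstrap.properties are invisible to the chain, and newer SDK releases add further providers that this list does not include.

```java
import java.util.Arrays;
import java.util.List;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;

/**
 * Walks the providers DefaultAWSCredentialsProviderChain consults (SDK 1.11.x order)
 * and reports which one answered. Only the provider's class name is returned,
 * never the key material, so the result is safe to log at startup.
 */
public class CredentialSourceCheck {

    static List<AWSCredentialsProvider> defaultChain() {
        return Arrays.asList(
                new EnvironmentVariableCredentialsProvider(),   // AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
                new SystemPropertiesCredentialsProvider(),      // JVM -Daws.accessKeyId / -Daws.secretKey
                new ProfileCredentialsProvider(),               // ~/.aws/credentials
                new EC2ContainerCredentialsProviderWrapper());  // ECS task role, else EC2 instance profile
    }

    /** Simple class name of the first provider that yields credentials, or "none". */
    static String resolvingProvider(List<AWSCredentialsProvider> chain) {
        for (AWSCredentialsProvider p : chain) {
            try {
                AWSCredentials c = p.getCredentials();
                if (c != null) {
                    return p.getClass().getSimpleName();
                }
            } catch (Exception e) {
                // The SDK's own chain swallows per-provider failures the same way; try the next one.
            }
        }
        return "none";
    }

    public static void main(String[] args) {
        String source = resolvingProvider(defaultChain());
        System.out.println("AWS credentials resolved by: " + source);
        // A static-key provider answering on a deployed host means long-lived keys are still in play.
        if (source.equals("EnvironmentVariableCredentialsProvider")
                || source.equals("SystemPropertiesCredentialsProvider")) {
            System.out.println("WARNING: static access keys in use; prefer an IAM instance/task role.");
        }
    }
}
```

On a correctly configured EC2 or ECS host the expected answer is EC2ContainerCredentialsProviderWrapper; on a developer machine with ~/.aws/credentials it is ProfileCredentialsProvider.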
