本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 在中创建 AWS Secrets Manager 密钥 AWS CloudFormation
您可以使用 CloudFormation 模板中的`[ AWS::SecretsManager::Secret](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)`资源在 CloudFormation 堆栈中创建密钥,如所示[创建密钥](cfn-example_secret.md)。
要为 Amazon RDS 或 Aurora 创建管理员密钥,建议您使用 [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html) 中的 `ManageMasterUserPassword`。然后,Amazon RDS 为您创建密钥并管理轮换。有关更多信息,请参阅 [托管轮换](rotate-secrets_managed.md)。
对于 Amazon Redshift 和 Amazon DocumentDB 凭证,请首先使用 Secret Manager 生成的密码创建密钥,然后使用[动态引用](cfn-example_reference-secret.md)从该密钥中检索用户名和密码,以用作新数据库的凭证。接下来,使用 `[ AWS::SecretsManager::SecretTargetAttachment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html)` 资源将有关数据库的详细信息添加到 Secrets Manager 需要轮换密钥的密钥。最后,要启用自动轮换,请使用 `[ AWS::SecretsManager::RotationSchedule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html)` 资源并提供[轮换函数](reference_available-rotation-templates.md)和[计划](rotate-secrets_schedule.md)。请参阅以下示例:
+ [使用 Amazon Redshift 凭证创建密钥](cfn-example_Redshift-secret.md)
+ [使用 Amazon DocumentDB 凭证创建密钥](cfn-example_DocDB-secret.md)
要将资源策略附加到您的秘密,请使用 `[ AWS::SecretsManager::ResourcePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html)` 资源。
有关使用创建资源的信息 CloudFormation,请参阅《 CloudFormation 用户指南》中的 “[学习模板基础知识](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html)”。您也可以使用 AWS Cloud Development Kit (AWS CDK)。有关更多信息,请参阅 [AWS Secrets Manager 构建库](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-secretsmanager-readme.html)。
# 使用创建 AWS Secrets Manager 密钥 CloudFormation
此示例将创建一个名为 **CloudFormationCreatedSecret-*a1b2c3d4e5f6*** 的密钥。密码值是下面的 JSON,其中包含一个 32 个字符的密码,该密码是在创建密钥时生成的。
```
{
"password": "EXAMPLE-PASSWORD",
"username": "saanvi"
}
```
此示例使用以下 CloudFormation 资源:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)
有关使用创建资源的信息 CloudFormation,请参阅《 CloudFormation 用户指南》中的 “[学习模板基础知识](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html)”。
## JSON
```
{
"Resources": {
"CloudFormationCreatedSecret": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Description": "Simple secret created by CloudFormation.",
"GenerateSecretString": {
"SecretStringTemplate": "{\"username\": \"saanvi\"}",
"GenerateStringKey": "password",
"PasswordLength": 32
}
}
}
}
}
```
## YAML
```
Resources:
CloudFormationCreatedSecret:
Type: 'AWS::SecretsManager::Secret'
Properties:
Description: Simple secret created by CloudFormation.
GenerateSecretString:
SecretStringTemplate: '{"username": "saanvi"}'
GenerateStringKey: password
PasswordLength: 32
```
# 使用自动轮换功能创建 AWS Secrets Manager 密钥和一个 Amazon RDS MySQL 数据库实例 CloudFormation
要为 Amazon RDS 或 Aurora 创建管理员密钥,建议您使用 `ManageMasterUserPassword`,如 [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html) 中的示例*为主密码创建 Secrets Manager 密钥*所示。然后,Amazon RDS 为您创建密钥并管理轮换。有关更多信息,请参阅 [托管轮换](rotate-secrets_managed.md)。
# 使用创建 AWS Secrets Manager 密钥和亚马逊 Redshift 集群 CloudFormation
要为 Amazon Redshift 创建管理员密钥,我们建议您使用 [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) 和 [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html) 上的示例。
# 使用创建 AWS Secrets Manager 密钥和亚马逊文档数据库实例 CloudFormation
此示例将创建一个秘密,并使用该秘密中的凭证作为用户和密码,创建一个 Amazon DocumentDB 实例。该密钥已附加用于指定谁可以访问密钥的基于资源的策略。该模板还可以从 [轮换函数模板](reference_available-rotation-templates.md) 创建 Lambda 轮换函数,并将秘密配置为协调世界时每月第一天上午 8:00 到 10:00 之间自动轮换。作为安全最佳实践,该实例位于 Amazon VPC 中。
此示例使用了 Secrets Manager 的以下 CloudFormation 资源:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html)
有关使用创建资源的信息 CloudFormation,请参阅《 CloudFormation 用户指南》中的 “[学习模板基础知识](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html)”。
## JSON
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Transform":"AWS::SecretsManager-2020-07-23",
"Resources":{
"TestVPC":{
"Type":"AWS::EC2::VPC",
"Properties":{
"CidrBlock":"10.0.0.0/16",
"EnableDnsHostnames":true,
"EnableDnsSupport":true
}
},
"TestSubnet01":{
"Type":"AWS::EC2::Subnet",
"Properties":{
"CidrBlock":"10.0.96.0/19",
"AvailabilityZone":{
"Fn::Select":[
"0",
{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
}
]
},
"VpcId":{
"Ref":"TestVPC"
}
}
},
"TestSubnet02":{
"Type":"AWS::EC2::Subnet",
"Properties":{
"CidrBlock":"10.0.128.0/19",
"AvailabilityZone":{
"Fn::Select":[
"1",
{
"Fn::GetAZs":{
"Ref":"AWS::Region"
}
}
]
},
"VpcId":{
"Ref":"TestVPC"
}
}
},
"SecretsManagerVPCEndpoint":{
"Type":"AWS::EC2::VPCEndpoint",
"Properties":{
"SubnetIds":[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
],
"SecurityGroupIds":[
{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
}
],
"VpcEndpointType":"Interface",
"ServiceName":{
"Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager"
},
"PrivateDnsEnabled":true,
"VpcId":{
"Ref":"TestVPC"
}
}
},
"MyDocDBClusterRotationSecret":{
"Type":"AWS::SecretsManager::Secret",
"Properties":{
"GenerateSecretString":{
"SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}",
"GenerateStringKey":"password",
"PasswordLength":16,
"ExcludeCharacters":"\"@/\\"
},
"Tags":[
{
"Key":"AppName",
"Value":"MyApp"
}
]
}
},
"MyDocDBCluster":{
"Type":"AWS::DocDB::DBCluster",
"Properties":{
"DBSubnetGroupName":{
"Ref":"MyDBSubnetGroup"
},
"MasterUsername":{
"Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"
},
"MasterUserPassword":{
"Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"
},
"VpcSecurityGroupIds":[
{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
}
]
}
},
"DocDBInstance":{
"Type":"AWS::DocDB::DBInstance",
"Properties":{
"DBClusterIdentifier":{
"Ref":"MyDocDBCluster"
},
"DBInstanceClass":"db.r5.large"
}
},
"MyDBSubnetGroup":{
"Type":"AWS::DocDB::DBSubnetGroup",
"Properties":{
"DBSubnetGroupDescription":"",
"SubnetIds":[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
]
}
},
"SecretDocDBClusterAttachment":{
"Type":"AWS::SecretsManager::SecretTargetAttachment",
"Properties":{
"SecretId":{
"Ref":"MyDocDBClusterRotationSecret"
},
"TargetId":{
"Ref":"MyDocDBCluster"
},
"TargetType":"AWS::DocDB::DBCluster"
}
},
"MySecretRotationSchedule":{
"Type":"AWS::SecretsManager::RotationSchedule",
"DependsOn":"SecretDocDBClusterAttachment",
"Properties":{
"SecretId":{
"Ref":"MyDocDBClusterRotationSecret"
},
"HostedRotationLambda":{
"RotationType":"MongoDBSingleUser",
"RotationLambdaName":"MongoDBSingleUser",
"VpcSecurityGroupIds":{
"Fn::GetAtt":[
"TestVPC",
"DefaultSecurityGroup"
]
},
"VpcSubnetIds":{
"Fn::Join":[
",",
[
{
"Ref":"TestSubnet01"
},
{
"Ref":"TestSubnet02"
}
]
]
}
},
"RotationRules":{
"Duration": "2h",
"ScheduleExpression": "cron(0 8 1 * ? *)"
}
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23
Resources:
TestVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
TestSubnet01:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.96.0/19
AvailabilityZone: !Select
- '0'
- !GetAZs
Ref: AWS::Region
VpcId: !Ref TestVPC
TestSubnet02:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.128.0/19
AvailabilityZone: !Select
- '1'
- !GetAZs
Ref: AWS::Region
VpcId: !Ref TestVPC
SecretsManagerVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
SubnetIds:
- !Ref TestSubnet01
- !Ref TestSubnet02
SecurityGroupIds:
- !GetAtt TestVPC.DefaultSecurityGroup
VpcEndpointType: Interface
ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
PrivateDnsEnabled: true
VpcId: !Ref TestVPC
MyDocDBClusterRotationSecret:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString:
SecretStringTemplate: '{"username": "someadmin","ssl": true}'
GenerateStringKey: password
PasswordLength: 16
ExcludeCharacters: '"@/\'
Tags:
- Key: AppName
Value: MyApp
MyDocDBCluster:
Type: AWS::DocDB::DBCluster
Properties:
DBSubnetGroupName: !Ref MyDBSubnetGroup
MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}'
MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}'
VpcSecurityGroupIds:
- !GetAtt TestVPC.DefaultSecurityGroup
DocDBInstance:
Type: AWS::DocDB::DBInstance
Properties:
DBClusterIdentifier: !Ref MyDocDBCluster
DBInstanceClass: db.r5.large
MyDBSubnetGroup:
Type: AWS::DocDB::DBSubnetGroup
Properties:
DBSubnetGroupDescription: ''
SubnetIds:
- !Ref TestSubnet01
- !Ref TestSubnet02
SecretDocDBClusterAttachment:
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
SecretId: !Ref MyDocDBClusterRotationSecret
TargetId: !Ref MyDocDBCluster
TargetType: AWS::DocDB::DBCluster
MySecretRotationSchedule:
Type: AWS::SecretsManager::RotationSchedule
DependsOn: SecretDocDBClusterAttachment
Properties:
SecretId: !Ref MyDocDBClusterRotationSecret
HostedRotationLambda:
RotationType: MongoDBSingleUser
RotationLambdaName: MongoDBSingleUser
VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
VpcSubnetIds: !Join
- ','
- - !Ref TestSubnet01
- !Ref TestSubnet02
RotationRules:
Duration: 2h
ScheduleExpression: cron(0 8 1 * ? *)
```
## Secrets Manager 的使用方式 AWS CloudFormation
当你使用控制台开启轮换时,Secrets Manager 会使用 AWS CloudFormation 创建轮换资源。如果在该过程中创建了新的旋转函数,则会[https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)根据相应的函数 CloudFormation 创建一个[轮换函数模板](reference_available-rotation-templates.md)。然后 CloudFormation 设置 [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html),它为密钥设置轮换函数和轮换规则。开启自动旋转后, CloudFormation 您可以通过在横幅中选择 “**查看堆栈**” 来查看堆栈。
有关启用自动轮换功能的信息,请参阅 [轮换 AWS Secrets Manager 秘密](rotating-secrets.md)。