AWS Secrets Manager 密钥的 JSON 结构
您可以在 Secrets Manager 密钥中存储任何文本或二进制文件,最大大小为 65,536 字节。
如果使用 通过 Lambda 函数进行轮换,则密钥必须包含轮换函数所需的特定 JSON 字段。例如,对于包含数据库凭证的密钥,轮换函数会连接到数据库以更新凭证,因此该密钥必须包含数据库连接信息。
如果使用控制台编辑数据库密钥的轮换,则该密钥必须包含标识数据库的特定 JSON 键值对。Secrets Manager 使用这些字段查询数据库,以查找存储轮换函数的正确 VPC。
JSON 键名称区分大小写。
Amazon RDS 和 Aurora 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
- DB2
-
对于 Amazon RDS Db2 实例,由于用户无法更改自己的密码,因此您必须在单独的秘密中提供管理员凭证。
{
"engine": "db2",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<ARN of the elevated secret>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- MariaDB
-
{
"engine": "mariadb",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- MySQL
-
{
"engine": "mysql",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 3306>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- Oracle
-
{
"engine": "oracle",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name>",
"port": <TCP port number. If not specified, defaults to 1521>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- Postgres
-
{
"engine": "postgres",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to 'postgres'>",
"port": <TCP port number. If not specified, defaults to 5432>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
- SQLServer
-
{
"engine": "sqlserver",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to 'master'>",
"port": <TCP port number. If not specified, defaults to 1433>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbInstanceIdentifier": <optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
"dbClusterIdentifier": <optional: ID of the cluster.Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}
Amazon Redshift 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "redshift",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"dbClusterIdentifier": "<optional: database ID. Required for configuring rotation in the console.>"
"port": <optional: TCP port number. If not specified, defaults to 5439>
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>"
}
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "redshift",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"namespaceName": "<optional: namespace name, Required for configuring rotation in the console.> "
"port": <optional: TCP port number. If not specified, defaults to 5439>
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>"
}
Amazon DocumentDB 凭证
要使用 Secrets Manager 提供的轮换函数模板,请使用以下 JSON 结构。您可以添加更多键/值对,例如包含其他区域中的副本数据库的连接信息。
{
"engine": "mongo",
"host": "<instance host name/resolvable DNS name>",
"username": "<username>",
"password": "<password>",
"dbname": "<database name. If not specified, defaults to None>",
"port": <TCP port number. If not specified, defaults to 27017>,
"ssl": <true|false. If not specified, defaults to false>,
"masterarn": "<optional: ARN of the elevated secret. Required for the 轮换策略:交替用户.>",
"dbClusterIdentifier": "<optional: database cluster ID. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
"dbInstanceIdentifier": "<optional: database instance ID. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>"
}
Amazon Timestream for InfluxDB 密钥结构
要轮换 Timestream 密钥,您可以使用 Amazon Timestream for InfluxDB 轮换模板。
有关更多信息,请参阅《Amazon Timestream 开发人员指南》中的 Amazon Timestream for InfluxDB 如何使用密钥。
Timestream 密钥必须采用正确的 JSON 结构才能使用轮换模板。有关更多信息,请参阅《Amazon Timestream 开发人员指南》中的密钥的内容。
Amazon ElastiCache 凭证
以下示例显示了存储 ElastiCache 凭证的密钥的 JSON 结构。
{
"password": "<password>",
"username": "<username>"
"user_arn": "ARN of the Amazon EC2 user"
}
有关更多信息,请参阅《Amazon ElastiCache 用户指南》中的为用户自动轮换密码。
Active Directory 凭证
AWS Directory Service 使用密钥存储 Active Directory 凭证。有关更多信息,请参阅《AWS Directory Service 管理指南》中的 Seamlessly join an Amazon EC2 Linux instance to your Managed AD Active Directory。无缝加入域名需要以下示例中的键名称。如果不使用无缝域加入,则可以使用环境变量更改密钥中键的名称,如轮换函数模板代码中所述。
要轮换 Active Directory 密钥,您可以使用 Active Directory 轮换模板。
- Active Directory credential
-
{
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>"
}
如果要轮换密钥,请包括域目录 ID。
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>"
}
如果将密钥与包含 keytab 的密钥结合使用,请包含 keytab 密钥 ARN。
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"awsSeamlessDomainUsername": "<username>",
"awsSeamlessDomainPassword": "<password>",
"directoryServiceSecretVersion": 1,
"schemaVersion": "1.0",
"keytabArns": [
"<ARN of child keytab secret 1>,
"<ARN of child keytab secret 2>,
"<ARN of child keytab secret 3>,
],
"lastModifiedDateTime": "2021-07-19 17:06:58"
}
- Active Directory keytab
-
有关使用 keytab 文件对 Amazon EC2 上的 Active Directory 账户进行身份验证的信息,请参阅 Deploying and configuring Active Directory authentication with SQL Server 2017 on Amazon Linux 2。
{
"awsSeamlessDomainDirectoryId": "d-12345abc6e",
"schemaVersion": "1.0",
"name": "< name>",
"principals": [
"aduser@MY.EXAMPLE.COM",
"MSSQLSvc/test:1433@MY.EXAMPLE.COM"
],
"keytabContents": "<keytab>",
"parentSecretArn": "<ARN of parent secret>",
"lastModifiedDateTime": "2021-07-19 17:06:58"
"version": 1
}
