

This page is a machine translation of the English documentation. If the content is ambiguous or inconsistent, the English version takes precedence.

# Create AWS Secrets Manager secrets with AWS CloudFormation
<a name="cloudformation"></a>

You can create secrets in a CloudFormation stack by using the [`AWS::SecretsManager::Secret`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html) resource in a CloudFormation template, as shown in [Create a secret](cfn-example_secret.md).

To create an admin password for Amazon RDS or Aurora, we recommend that you use `ManageMasterUserPassword` as described in [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html). Amazon RDS then creates the secret for you and manages its rotation. For more information, see [Managed rotation](rotate-secrets_managed.md).

For Amazon Redshift and Amazon DocumentDB credentials, first create a secret with a password generated by Secrets Manager, then use a [dynamic reference](cfn-example_reference-secret.md) to retrieve the username and password from the secret and use them as the credentials for the new database. Next, use the [`AWS::SecretsManager::SecretTargetAttachment`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html) resource to add to the secret the database connection details that Secrets Manager needs in order to rotate it. Finally, to turn on automatic rotation, use the [`AWS::SecretsManager::RotationSchedule`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html) resource and provide a [rotation function](reference_available-rotation-templates.md) and a [schedule](rotate-secrets_schedule.md). See the following examples:
+ [Create a secret with Amazon Redshift credentials](cfn-example_Redshift-secret.md)
+ [Create a secret with Amazon DocumentDB credentials](cfn-example_DocDB-secret.md)

Use the [`AWS::SecretsManager::ResourcePolicy`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-resourcepolicy.html) resource to attach a resource policy to a secret.
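The resource policy resource has no template on this page, so the following is an added example (not from the AWS documentation) of an `AWS::SecretsManager::ResourcePolicy` that lets one role read the secret value and explicitly denies every other principal. The role `AppRole` and the secret `AppSecret` are assumed names defined in the same template.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Hypothetical role: the only principal that may read the secret value.
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
  AppSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Application credentials generated at stack creation.
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appuser"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  AppSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref AppSecret
      # Reject a policy that would grant access to anonymous or all principals.
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAppRoleRead
            Effect: Allow
            Principal:
              AWS: !GetAtt AppRole.Arn
            Action: secretsmanager:GetSecretValue
            Resource: '*'
          # Explicit deny wins over any identity policy in the account, so
          # other roles and users cannot read the value. If rotation is turned
          # on, the rotation function's role must also be excepted here.
          - Sid: DenyAllOtherReads
            Effect: Deny
            Principal: '*'
            Action: secretsmanager:GetSecretValue
            Resource: '*'
            Condition:
              StringNotEquals:
                aws:PrincipalArn: !GetAtt AppRole.Arn
```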

For information about creating resources with CloudFormation, see [Learn template basics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html) in the *AWS CloudFormation User Guide*. You can also use the AWS Cloud Development Kit (AWS CDK). For more information, see the [AWS Secrets Manager Construct Library](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-secretsmanager-readme.html).

# Create an AWS Secrets Manager secret with CloudFormation
<a name="cfn-example_secret"></a>

This example creates a secret named **CloudFormationCreatedSecret-*a1b2c3d4e5f6***. The secret value is the following JSON, where the password is a 32-character string generated when the secret is created.

```
{
    "password": "EXAMPLE-PASSWORD",
    "username": "saanvi"
}
```

This example uses the following CloudFormation resource:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)

For information about creating resources with CloudFormation, see [Learn template basics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html) in the *AWS CloudFormation User Guide*.

## JSON
<a name="cfn-example_secret.json"></a>

```
{
    "Resources": {
        "CloudFormationCreatedSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "Description": "Simple secret created by CloudFormation.",
                "GenerateSecretString": {
                    "SecretStringTemplate": "{\"username\": \"saanvi\"}",
                    "GenerateStringKey": "password",
                    "PasswordLength": 32
                }
            }
        }
    }
}
```

## YAML
<a name="cfn-example_secret.yaml"></a>

```
Resources:
  CloudFormationCreatedSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Description: Simple secret created by CloudFormation.
      GenerateSecretString:
        SecretStringTemplate: '{"username": "saanvi"}'
        GenerateStringKey: password
        PasswordLength: 32
```

# Create an AWS Secrets Manager secret with automatic rotation and an Amazon RDS MySQL DB instance with CloudFormation
<a name="cfn-example_RDSsecret"></a>

To create an admin password for Amazon RDS or Aurora, we recommend that you use `ManageMasterUserPassword`, as shown in the example **Create a Secrets Manager secret for the master password** in [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html). Amazon RDS then creates the secret for you and manages its rotation. For more information, see [Managed rotation](rotate-secrets_managed.md).

# Create an AWS Secrets Manager secret and an Amazon Redshift cluster with CloudFormation
<a name="cfn-example_Redshift-secret"></a>

To create an admin secret for Amazon Redshift, we recommend that you use the examples in [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) and [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshiftserverless-namespace.html).

# Create an AWS Secrets Manager secret and an Amazon DocumentDB instance with CloudFormation
<a name="cfn-example_DocDB-secret"></a>

This example creates a secret and an Amazon DocumentDB instance that uses the credentials in the secret as its user and password. The secret has a resource-based policy attached that defines who can access it. The template also creates a Lambda rotation function from the [rotation function templates](reference_available-rotation-templates.md) and configures the secret to rotate automatically between 8:00 AM and 10:00 AM UTC on the first day of every month. As a security best practice, the instance is placed in an Amazon VPC.

This example uses the following CloudFormation resources for Secrets Manager:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secrettargetattachment.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html)

For information about creating resources with CloudFormation, see [Learn template basics](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html) in the *AWS CloudFormation User Guide*.

## JSON
<a name="cfn-example_DocDB-secret.json"></a>

```
{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Transform":"AWS::SecretsManager-2020-07-23",
   "Resources":{
      "TestVPC":{
         "Type":"AWS::EC2::VPC",
         "Properties":{
            "CidrBlock":"10.0.0.0/16",
            "EnableDnsHostnames":true,
            "EnableDnsSupport":true
         }
      },
      "TestSubnet01":{
         "Type":"AWS::EC2::Subnet",
         "Properties":{
            "CidrBlock":"10.0.96.0/19",
            "AvailabilityZone":{
               "Fn::Select":[
                  "0",
                  {
                     "Fn::GetAZs":{
                        "Ref":"AWS::Region"
                     }
                  }
               ]
            },
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "TestSubnet02":{
         "Type":"AWS::EC2::Subnet",
         "Properties":{
            "CidrBlock":"10.0.128.0/19",
            "AvailabilityZone":{
               "Fn::Select":[
                  "1",
                  {
                     "Fn::GetAZs":{
                        "Ref":"AWS::Region"
                     }
                  }
               ]
            },
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "SecretsManagerVPCEndpoint":{
         "Type":"AWS::EC2::VPCEndpoint",
         "Properties":{
            "SubnetIds":[
               {
                  "Ref":"TestSubnet01"
               },
               {
                  "Ref":"TestSubnet02"
               }
            ],
            "SecurityGroupIds":[
               {
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               }
            ],
            "VpcEndpointType":"Interface",
            "ServiceName":{
               "Fn::Sub":"com.amazonaws.${AWS::Region}.secretsmanager"
            },
            "PrivateDnsEnabled":true,
            "VpcId":{
               "Ref":"TestVPC"
            }
         }
      },
      "MyDocDBClusterRotationSecret":{
         "Type":"AWS::SecretsManager::Secret",
         "Properties":{
            "GenerateSecretString":{
               "SecretStringTemplate":"{\"username\": \"someadmin\",\"ssl\": true}",
               "GenerateStringKey":"password",
               "PasswordLength":16,
               "ExcludeCharacters":"\"@/\\"
            },
            "Tags":[
               {
                  "Key":"AppName",
                  "Value":"MyApp"
               }
            ]
         }
      },
      "MyDocDBCluster":{
         "Type":"AWS::DocDB::DBCluster",
         "Properties":{
            "DBSubnetGroupName":{
               "Ref":"MyDBSubnetGroup"
            },
            "MasterUsername":{
               "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}"
            },
            "MasterUserPassword":{
               "Fn::Sub":"{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}"
            },
            "VpcSecurityGroupIds":[
               {
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               }
            ]
         }
      },
      "DocDBInstance":{
         "Type":"AWS::DocDB::DBInstance",
         "Properties":{
            "DBClusterIdentifier":{
               "Ref":"MyDocDBCluster"
            },
            "DBInstanceClass":"db.r5.large"
         }
      },
      "MyDBSubnetGroup":{
         "Type":"AWS::DocDB::DBSubnetGroup",
         "Properties":{
            "DBSubnetGroupDescription":"",
            "SubnetIds":[
               {
                  "Ref":"TestSubnet01"
               },
               {
                  "Ref":"TestSubnet02"
               }
            ]
         }
      },
      "SecretDocDBClusterAttachment":{
         "Type":"AWS::SecretsManager::SecretTargetAttachment",
         "Properties":{
            "SecretId":{
               "Ref":"MyDocDBClusterRotationSecret"
            },
            "TargetId":{
               "Ref":"MyDocDBCluster"
            },
            "TargetType":"AWS::DocDB::DBCluster"
         }
      },
      "MySecretRotationSchedule":{
         "Type":"AWS::SecretsManager::RotationSchedule",
         "DependsOn":"SecretDocDBClusterAttachment",
         "Properties":{
            "SecretId":{
               "Ref":"MyDocDBClusterRotationSecret"
            },
            "HostedRotationLambda":{
               "RotationType":"MongoDBSingleUser",
               "RotationLambdaName":"MongoDBSingleUser",
               "VpcSecurityGroupIds":{
                  "Fn::GetAtt":[
                     "TestVPC",
                     "DefaultSecurityGroup"
                  ]
               },
               "VpcSubnetIds":{
                  "Fn::Join":[
                     ",",
                     [
                        {
                           "Ref":"TestSubnet01"
                        },
                        {
                           "Ref":"TestSubnet02"
                        }
                     ]
                  ]
               }
            },
            "RotationRules":{
              "Duration": "2h",
              "ScheduleExpression": "cron(0 8 1 * ? *)"
            }
         }
      }
   }
}
```

## YAML
<a name="cfn-example_DocDB-secret.yaml"></a>

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23
Resources:
  TestVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  TestSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.96.0/19
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: AWS::Region
      VpcId: !Ref TestVPC
  TestSubnet02:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.128.0/19
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: AWS::Region
      VpcId: !Ref TestVPC
  SecretsManagerVPCEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SubnetIds:
        - !Ref TestSubnet01
        - !Ref TestSubnet02
      SecurityGroupIds:
        - !GetAtt TestVPC.DefaultSecurityGroup
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      PrivateDnsEnabled: true
      VpcId: !Ref TestVPC
  MyDocDBClusterRotationSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "someadmin","ssl": true}'
        GenerateStringKey: password
        PasswordLength: 16
        ExcludeCharacters: '"@/\'
      Tags:
        - Key: AppName
          Value: MyApp
  MyDocDBCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBSubnetGroupName: !Ref MyDBSubnetGroup
      MasterUsername: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyDocDBClusterRotationSecret}::password}}'
      VpcSecurityGroupIds:
        - !GetAtt TestVPC.DefaultSecurityGroup
  DocDBInstance:
    Type: AWS::DocDB::DBInstance
    Properties:
      DBClusterIdentifier: !Ref MyDocDBCluster
      DBInstanceClass: db.r5.large
  MyDBSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: ''
      SubnetIds:
        - !Ref TestSubnet01
        - !Ref TestSubnet02
  SecretDocDBClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref MyDocDBClusterRotationSecret
      TargetId: !Ref MyDocDBCluster
      TargetType: AWS::DocDB::DBCluster
  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: SecretDocDBClusterAttachment
    Properties:
      SecretId: !Ref MyDocDBClusterRotationSecret
      HostedRotationLambda:
        RotationType: MongoDBSingleUser
        RotationLambdaName: MongoDBSingleUser
        VpcSecurityGroupIds: !GetAtt TestVPC.DefaultSecurityGroup
        VpcSubnetIds: !Join
          - ','
          - - !Ref TestSubnet01
            - !Ref TestSubnet02
      RotationRules:
        Duration: 2h
        ScheduleExpression: cron(0 8 1 * ? *)
```

## How Secrets Manager uses AWS CloudFormation
<a name="how-asm-uses-cfn"></a>

When you turn on rotation by using the console, Secrets Manager uses AWS CloudFormation to create the resources needed for rotation. If you create a new rotation function as part of that process, CloudFormation creates an [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html) resource based on the appropriate [rotation function template](reference_available-rotation-templates.md). CloudFormation then sets up an [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-rotationschedule.html), which configures the rotation function and rotation rules for the secret. After you turn on automatic rotation, you can view the CloudFormation stack by choosing **View stack** in the banner.

For information about turning on automatic rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).