JSON structure of AWS Secrets Manager secrets

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version takes precedence.


You can store any text or binary data in a Secrets Manager secret, up to the maximum size of 65,536 bytes.

If you use rotation with a Lambda function, the secret must contain the specific JSON fields that the rotation function expects. For example, for a secret that contains database credentials, the rotation function connects to the database to update the credentials, so the secret must contain the database connection information.

If you use the console to edit rotation for a database secret, the secret must contain specific JSON key-value pairs that identify the database. Secrets Manager uses these fields to look up the database and find the correct database VPC in which to place the rotation function.

JSON key names are case-sensitive.

Amazon RDS and Aurora credentials

To use the rotation function templates provided by Secrets Manager, use the following JSON structure. You can add more key/value pairs, for example to hold the connection information for replica databases in other Regions.

DB2

For Amazon RDS Db2 instances, users can't change their own passwords, so you must provide administrator credentials in a separate secret.

{
  "engine": "db2",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<ARN of the elevated secret>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

MariaDB

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

MySQL

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

Oracle

{
  "engine": "oracle",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name>",
  "port": <TCP port number. If not specified, defaults to 1521>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

Postgres

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": <TCP port number. If not specified, defaults to 5432>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

SQLServer

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": <TCP port number. If not specified, defaults to 1433>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbInstanceIdentifier": "<optional: ID of the instance. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>",
  "dbClusterIdentifier": "<optional: ID of the cluster. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>"
}

Amazon Redshift credentials

To use the rotation function templates provided by Secrets Manager, use the following JSON structure. You can add more key/value pairs, for example to hold the connection information for replica databases in other Regions.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "dbClusterIdentifier": "<optional: database ID. Required for configuring rotation in the console.>",
  "port": <optional: TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>"
}

Amazon Redshift Serverless credentials

To use the rotation function templates provided by Secrets Manager, use the following JSON structure. You can add more key/value pairs, for example to hold the connection information for replica databases in other Regions.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "namespaceName": "<optional: namespace name. Required for configuring rotation in the console.>",
  "port": <optional: TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>"
}

Amazon DocumentDB credentials

To use the rotation function templates provided by Secrets Manager, use the following JSON structure. You can add more key/value pairs, for example to hold the connection information for replica databases in other Regions.

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 27017>,
  "ssl": <true|false. If not specified, defaults to false>,
  "masterarn": "<optional: ARN of the elevated secret. Required for the Rotation strategy: alternating users.>",
  "dbClusterIdentifier": "<optional: database cluster ID. Alternately, use dbInstanceIdentifier. Required for configuring rotation in the console.>",
  "dbInstanceIdentifier": "<optional: database instance ID. Alternately, use dbClusterIdentifier. Required for configuring rotation in the console.>"
}
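A pre-flight check for the database templates above (RDS and Aurora, Redshift, Redshift Serverless and DocumentDB), added here as an example and not code from the AWS documentation or the rotation templates: it verifies the required keys with their exact case, that "port" is an unquoted number with the engine's default applied when absent, that Db2 carries the separate administrator secret in "masterarn", and that a console-rotated secret carries an identifier key. The engine list and the strictness of the checks are this example's assumptions.

```python
import json

# Default TCP ports stated in the templates above, keyed by the "engine" value.
DEFAULT_PORTS = {"db2": 3306, "mariadb": 3306, "mysql": 3306, "oracle": 1521,
                 "postgres": 5432, "sqlserver": 1433, "redshift": 5439, "mongo": 27017}
REQUIRED_KEYS = ("engine", "host", "username", "password")
SECRET_SIZE_LIMIT = 65536  # bytes; the Secrets Manager maximum


def validate_db_secret(secret_string: str, console_rotation: bool = False) -> list[str]:
    """Return the problems found in a SecretString; an empty list means it fits the template."""
    problems = []
    if len(secret_string.encode("utf-8")) > SECRET_SIZE_LIMIT:
        problems.append("secret exceeds the 65,536-byte limit")
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return problems + ["top-level JSON value must be an object"]
    # Key names are case-sensitive: "Engine" does not satisfy "engine", so point that out.
    by_lower = {k.lower(): k for k in secret}
    for key in REQUIRED_KEYS:
        if key not in secret:
            hint = f" (found {by_lower[key]!r}; key names are case-sensitive)" if key in by_lower else ""
            problems.append(f"missing required key {key!r}{hint}")
    engine = secret.get("engine")
    if engine not in DEFAULT_PORTS:
        return problems + [f"unsupported engine {engine!r}"]
    # "port" is a bare JSON number in the templates, not a quoted string.
    port = secret.get("port", DEFAULT_PORTS[engine])
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an unquoted JSON integer between 1 and 65535")
    if engine == "db2" and "masterarn" not in secret:
        problems.append("db2 requires masterarn: users cannot change their own password")
    if engine == "mongo" and not isinstance(secret.get("ssl", False), bool):
        problems.append("ssl must be a JSON boolean (true or false)")
    if console_rotation:
        # Console rotation needs a key that identifies the database; Redshift uses
        # dbClusterIdentifier (provisioned) or namespaceName (Serverless).
        id_keys = (("dbClusterIdentifier", "namespaceName") if engine == "redshift"
                   else ("dbInstanceIdentifier", "dbClusterIdentifier"))
        if not any(k in secret for k in id_keys):
            problems.append(f"console rotation requires one of {', '.join(id_keys)}")
    return problems
```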

Amazon Timestream for InfluxDB secret structure

To rotate a Timestream secret, you can use the Amazon Timestream for InfluxDB rotation template.

For more information about how Amazon Timestream for InfluxDB uses secrets, see Secrets in the Amazon Timestream Developer Guide.

A Timestream secret must have the correct JSON structure to use the rotation template. For more information, see Secret contents in the Amazon Timestream Developer Guide.

Amazon ElastiCache credentials

The following example shows the JSON structure of a secret that stores ElastiCache credentials.

{
  "password": "<password>",
  "username": "<username>",
  "user_arn": "<ARN of the Amazon ElastiCache user>"
}

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.

Active Directory credentials

AWS Directory Service uses secrets to store Active Directory credentials. For more information, see Seamlessly join an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory in the AWS Directory Service Administration Guide. Seamless domain join requires the key names shown in the following example. If you don't use seamless domain join, you can change the names of the keys in the secret by using environment variables, as described in the rotation function template code.

To rotate an Active Directory secret, you can use the Active Directory rotation template.

Active Directory credential

{
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>"
}

If you want to rotate the secret, include the domain directory ID.

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>"
}

If the secret is used together with secrets that contain keytabs, you can include the ARNs of the keytab secrets.

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>",
  "directoryServiceSecretVersion": 1,
  "schemaVersion": "1.0",
  "keytabArns": [
    "<ARN of child keytab secret 1>",
    "<ARN of child keytab secret 2>",
    "<ARN of child keytab secret 3>"
  ],
  "lastModifiedDateTime": "2021-07-19 17:06:58"
}

Active Directory keytab

For information about using keytab files to authenticate to Active Directory accounts on Amazon EC2, see Deploy and configure Active Directory authentication with SQL Server 2017 on Amazon Linux 2.

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "schemaVersion": "1.0",
  "name": "<name>",
  "principals": [
    "aduser@MY.EXAMPLE.COM",
    "MSSQLSvc/test:1433@MY.EXAMPLE.COM"
  ],
  "keytabContents": "<keytab>",
  "parentSecretArn": "<ARN of parent secret>",
  "lastModifiedDateTime": "2021-07-19 17:06:58",
  "version": 1
}
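A consistency check for the parent credential secret and its child keytab secrets described above, added here as an example and not code from AWS Directory Service or the rotation template: it confirms the key names seamless domain join requires, that every ARN in the parent's "keytabArns" resolves to a keytab secret whose "parentSecretArn" points back at the parent with the same directory ID, and that no keytab secret claims the parent without being listed. The ARNs, account ID and secret values in the sample are constructed placeholders; the secrets are passed in as a dict rather than fetched from the API.

```python
import json

# Key names required by seamless domain join, as shown on this page.
PARENT_REQUIRED = ("awsSeamlessDomainDirectoryId", "awsSeamlessDomainUsername",
                   "awsSeamlessDomainPassword")
KEYTAB_REQUIRED = ("awsSeamlessDomainDirectoryId", "schemaVersion", "name", "principals",
                   "keytabContents", "parentSecretArn")


def check_keytab_links(parent_arn: str, secrets: dict[str, str]) -> list[str]:
    """secrets maps each secret's ARN to its SecretString. Returns the inconsistencies found."""
    problems = []
    parent = json.loads(secrets[parent_arn])
    for key in PARENT_REQUIRED:
        if key not in parent:
            problems.append(f"parent is missing {key}")
    listed = parent.get("keytabArns", [])
    for child_arn in listed:
        if child_arn not in secrets:
            problems.append(f"keytabArns lists {child_arn}, which does not exist")
            continue
        child = json.loads(secrets[child_arn])
        for key in KEYTAB_REQUIRED:
            if key not in child:
                problems.append(f"{child_arn} is missing {key}")
        if child.get("parentSecretArn") != parent_arn:
            problems.append(f"{child_arn} does not point back to the parent via parentSecretArn")
        if child.get("awsSeamlessDomainDirectoryId") != parent.get("awsSeamlessDomainDirectoryId"):
            problems.append(f"{child_arn} names a different directory ID than the parent")
    # A keytab secret that claims this parent but is absent from keytabArns is also a mismatch.
    for arn, raw in secrets.items():
        if arn != parent_arn and arn not in listed and json.loads(raw).get("parentSecretArn") == parent_arn:
            problems.append(f"{arn} points to the parent but is not listed in keytabArns")
    return problems


# Constructed sample secrets: the ARNs, account ID and values are placeholders, not real resources.
PARENT_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-ad-parent"
KEYTAB_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-ad-keytab"
SAMPLE_SECRETS = {
    PARENT_ARN: json.dumps({
        "awsSeamlessDomainDirectoryId": "d-12345abc6e", "awsSeamlessDomainUsername": "svc-join",
        "awsSeamlessDomainPassword": "example-only", "directoryServiceSecretVersion": 1,
        "schemaVersion": "1.0", "keytabArns": [KEYTAB_ARN]}),
    KEYTAB_ARN: json.dumps({
        "awsSeamlessDomainDirectoryId": "d-12345abc6e", "schemaVersion": "1.0", "name": "mssql-keytab",
        "principals": ["MSSQLSvc/test:1433@MY.EXAMPLE.COM"], "keytabContents": "<base64 keytab>",
        "parentSecretArn": PARENT_ARN, "version": 1}),
}
```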