解析在Cfn L1构造中使用CDK创建的机密

2024-04-18 20:00:01 发布

您现在位置:Python中文网/ 问答频道 /正文
2909 3

如何使用用Secrets Manager创建的L2Secret解析为L1 Cfn属性值

from aws_cdk import (
    core,
    aws_secretsmanager as secretsmanager,
    aws_elasticache as elasticache
)
class MyStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        redis_password = secretsmanager.Secret(
            self, "RedisPassword",
            description="Redis auth",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                exclude_characters='/"@'
            )
        )
        self.redis = elasticache.CfnReplicationGroup(self, 'RedisCluster',
            auth_token=redis_password.secret_value,
            # other properties
        )

这就产生了错误

jsii.errors.JSIIError: Object of type @aws-cdk/aws-secretsmanager.Secret is not convertible to @aws-cdk/core.CfnElement

为了解决一个秘密,我会用

AuthToken: !Sub '{{resolve:secretsmanager:${MySecret}::password}}'

但是L2Secret不像L1构造那样输出Cfn Ref(据我所知)

我错过了什么


Tags: coreselfredisawsidl1initas
1条回答
网友
1楼 · 发布于 2024-04-18 20:00:01

我只是缺少了^{}方法

from aws_cdk import (
    core,
    aws_secretsmanager as secretsmanager,
    aws_elasticache as elasticache
)
class MyStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        redis_password = secretsmanager.Secret(
            self, "RedisPassword",
            description="Redis auth",
            generate_secret_string=secretsmanager.SecretStringGenerator(
                exclude_characters='/"@'
            )
        )
        self.redis = elasticache.CfnReplicationGroup(self, 'RedisCluster',
            auth_token=redis_password.secret_value.to_string(),
            # other properties
        )

这综合到

{
  "RedisPasswordED621C10": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "Redis auth",
      "GenerateSecretString": {
        "ExcludeCharacters": "/\"@"
      }
    },
    "Metadata": {
      "aws:cdk:path": "my-cdk-stack/RedisPassword/Resource"
    }
  },
  "RedisCluster": {
    "Type": "AWS::ElastiCache::ReplicationGroup",
    "Properties": {
      "ReplicationGroupDescription": "RedisGroup",
      "AtRestEncryptionEnabled": true,
      "AuthToken": {
        "Fn::Join": [
          "",
          [
            "{{resolve:secretsmanager:",
            {
              "Ref": "RedisPasswordED621C10"
            },
            ":SecretString:::}}"
          ]
        ]
      },
      "OtherProps": "..."
    }
  }
}

相关问题 更多 >

    编程相关推荐