
From the documentation: http://cloud.spring.io/spring-cloud-static/spring-cloud-aws/2.0.0.RC2/single/spring-cloud-aws.html#_parameter_store_configuration_credentials_and_region_configuration

The Parameter Store configuration supports using the bootstrap context to configure a default AWSSimpleSystemsManagement client, which uses a com.amazonaws.auth.DefaultAWSCredentialsProviderChain and a com.amazonaws.regions.DefaultAwsRegionProviderChain.

Documentation for the provider chain: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

I would like to avoid environment variables or command-line properties, since they are quite likely to leak into a log somewhere in prod. The best option I see is a .properties file. Per the first link, since the module is loaded in the bootstrap context, I assume the "Spring" way is to put these properties in the bootstrap.properties file (per the spring-cloud docs: https://cloud.spring.io/spring-cloud-static/spring-cloud.html#_the_bootstrap_application_context).

So my project looks like this:

/src/main/resources/bootstrap.properties

aws.accessKeyId = SECRET
aws.secretKey   = ALSOSECRET

pom.xml

...
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Finchley.RC2</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
...
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-aws-parameter-store-config</artifactId>
        <version>2.0.0.RC2</version>
    </dependency>
</dependencies>
....

Note that I also expose the AWS_REGION environment variable, which was the first hurdle to get over. I am running Java 8 and can reproduce the following behaviour when running from both Eclipse and command-line Maven.

On startup I get this stack trace:

2018-06-11 13:20:57.092  INFO 2272 --- [           main] s.c.a.AnnotationConfigApplicationContext : Refreshing org.springframework.context.annotation.AnnotationConfigApplicationContext@359f7cdf: startup date [Mon Jun 11 13:20:57 CDT 2018]; root of context hierarchy
2018-06-11 13:20:57.613  INFO 2272 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'configurationPropertiesRebinderAutoConfiguration' of type [org.springframework.cloud.autoconfigure.ConfigurationPropertiesRebinderAutoConfiguration$$EnhancerBySpringCGLIB$$459ef732] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.0.1.RELEASE)

2018-06-11 13:21:00.301 ERROR 2272 --- [           main] c.a.p.AwsParamStorePropertySourceLocator : Fail fast is set and there was an error reading configuration from AWS Parameter Store:
Unable to load AWS credentials from any provider in the chain
2018-06-11 13:21:00.308 ERROR 2272 --- [           main] o.s.boot.SpringApplication               : Application run failed

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:131) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1164) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:762) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:724) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513) ~[aws-java-sdk-core-1.11.251.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:6573) ~[aws-java-sdk-ssm-1.11.251.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:6549) ~[aws-java-sdk-ssm-1.11.251.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:4204) ~[aws-java-sdk-ssm-1.11.251.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4180) ~[aws-java-sdk-ssm-1.11.251.jar:na]
    at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySource.getParameters(AwsParamStorePropertySource.java:67) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
    at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySource.init(AwsParamStorePropertySource.java:52) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
    at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySourceLocator.create(AwsParamStorePropertySourceLocator.java:111) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
    at org.springframework.cloud.aws.paramstore.AwsParamStorePropertySourceLocator.locate(AwsParamStorePropertySourceLocator.java:94) ~[spring-cloud-aws-parameter-store-config-2.0.0.RC2.jar:2.0.0.RC2]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:94) ~[spring-cloud-context-2.0.0.RC2.jar:2.0.0.RC2]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:633) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:373) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:325) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1255) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1243) [spring-boot-2.0.1.RELEASE.jar:2.0.1.RELEASE]
    at com.company.app.App.main(App.java:10) [classes/:na]

Should I expect this module to be able to see properties in bootstrap.properties? How else should I provide properties to the bootstrap context?


1 Answer


"I would like to avoid environment variables or command-line properties, since they are quite likely to leak into a log somewhere in prod."

Actually, AWS has done a good job here and handles most of the dirty work for you. Your concern is that your credentials would sit, now and forever, in plain text out in the open in some log, and you want to store the credentials in a file managed by some kind of version/repository system. AWS acknowledges that this is a possible option, but does indicate that it does not consider it the best solution because of the amount of work involved.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

You could have your developers store AWS credentials directly within the EC2 instance and allow applications in that instance to use those credentials. But developers would then have to manage the credentials and ensure that they securely pass the credentials to each instance and update each EC2 instance when it is time to rotate the credentials. That is a lot of additional work.

You can configure AWS to use IAM roles to provide temporary credentials to your EC2 instances when you deploy the application. These roles are limited to the access permissions you define and expire after a short period (up to a few hours at most).

The error message you posted would simply not occur on a correctly configured EC2 instance. To run in a local test environment or in the cloud, you can provide credentials in the .aws/credentials store without having to provide any kind of credentials for access to your QA/PROD EC2 boxes, because the .aws/credentials path is not checked until after the environment variables.

This gives you immediate benefits for security and sanity: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

You do not have to distribute or embed long-term AWS security credentials with an application.

You can provide access to your AWS resources to users without having to define an AWS identity for them. Temporary credentials are the basis for roles and identity federation.

Temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they are no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.

answered 2018-06-11T19:16:56.703
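One way to put the answer's advice into code, as an added example that is not from the question, the answer or the Spring Cloud AWS project: a Spring Cloud bootstrap configuration that hands the Parameter Store module an AWSSimpleSystemsManagement client built from an explicit provider chain containing only the shared credentials file (developer machines) and the ECS task role / EC2 instance profile (deployed instances), so no long-lived key is ever read from the environment, the command line or a file shipped with the application. It assumes, from my reading of the module rather than from the page, that the module creates its default client only when no AWSSimpleSystemsManagement bean exists in the bootstrap context; the package and class names are hypothetical.

```java
package com.company.app.bootstrap; // hypothetical package

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Bootstrap configuration (hypothetical class) that supplies the SSM client used by
 * spring-cloud-starter-aws-parameter-store-config. It must be registered in
 * src/main/resources/META-INF/spring.factories under the key
 *   org.springframework.cloud.bootstrap.BootstrapConfiguration=com.company.app.bootstrap.SsmClientBootstrapConfiguration
 * so that it is loaded in the bootstrap context, where the Parameter Store module runs.
 *
 * Unlike DefaultAWSCredentialsProviderChain, this chain has no environment-variable and
 * no system-property provider, so a key can never arrive through the process environment
 * or the command line. Resolution order:
 *   1. ~/.aws/credentials ("default" profile, or the one named by AWS_PROFILE) on developer machines
 *   2. ECS task role, falling back to the EC2 instance profile (temporary, auto-rotated credentials)
 */
@Configuration
public class SsmClientBootstrapConfiguration {

    @Bean
    public AWSCredentialsProvider ssmCredentialsProvider() {
        return new AWSCredentialsProviderChain(
                new ProfileCredentialsProvider(),             // shared credentials file, local use only
                new EC2ContainerCredentialsProviderWrapper()  // task role, else instance profile via IMDS
        );
    }

    /**
     * Region is intentionally left to the SDK's DefaultAwsRegionProviderChain (AWS_REGION,
     * the shared config file, or instance metadata), matching what the question already relies on.
     */
    @Bean
    public AWSSimpleSystemsManagement ssmClient(AWSCredentialsProvider ssmCredentialsProvider) {
        return AWSSimpleSystemsManagementClientBuilder.standard()
                .withCredentials(ssmCredentialsProvider)
                .build();
    }
}
```

With this in place the aws.accessKeyId / aws.secretKey entries in bootstrap.properties are no longer needed, and in production the instance profile alone satisfies the chain.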