4

我想将 read_only_user 的密码导出到 EC2 实例。如何访问 UserData 中创建的密码?

Resources:
  ReadOnlyUserCredentials:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: !Sub "${AWS::StackName}/readonly-user-credentials"
        GenerateSecretString:
          SecretStringTemplate: '{"username": "read_only_user"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-a4c7edb2
      InstanceType: t2.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          echo "${!Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]}" > password

我尝试使用 !Join 但当然这不起作用。我将非常感谢这里的任何帮助。

更新:

      UserData:
        Fn::Base64:
         Fn::Sub:
          - |
            echo ${PasswordStr} > password
          - PasswordStr: !Join ['', ['{{resolve:secretsmanager:', !Ref ReadOnlyUserCredentials, ':SecretString:password}}' ]]

通过如上所示更改代码,我确实得到了解析字符串,但它没有给我实际的密码。如何解决 arn 以获取纯密码?

4

1 回答 1

2

您可能不希望 CFN 在用户数据中扩展您的密码,因为密码将嵌入在 EC2 控制台中可见的 base64 编码的用户数据脚本中。

相反,您应该利用这样一个事实,即您有一个在主机上执行的脚本并在脚本执行时调用秘密管理器(警告,未经测试):

Resources:
  ReadOnlyUserCredentials:
      Type: AWS::SecretsManager::Secret
      Properties:
        Name: !Sub "${AWS::StackName}/readonly-user-credentials"
        GenerateSecretString:
          SecretStringTemplate: '{"username": "read_only_user"}'
          GenerateStringKey: 'password'
          PasswordLength: 16
          ExcludeCharacters: '"@/\'
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-a4c7edb2
      InstanceType: t2.micro
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          yum install -y jq
          aws --region ${AWS::Region} secretsmanager get-secret-value --secret-id !Ref ReadOnlyUserCredentials --query SecretString --output text | jq -r .password > password
于 2019-01-18T23:10:49.887 回答