我们已使用 AWS Secret Manager 设置 AWS Redshift 密钥凭证轮换。已将轮换设置为 1 天,以便使用 AWS Secret Manager 生成的 lambda 函数进行测试。
我创建了 SNS 主题并用我的电子邮件订阅了它。
使用 AWS Secret Manager 提供的 python 代码片段,我们创建了一个名为getawssecret的新 lambda 函数,该函数生成红移凭证并将其发送到我们的 SNS。下面是 lambda 代码:
# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code, visit the AWS docs:
# https://aws.amazon.com/developers/getting-started/python/
import boto3
import base64
import json
from botocore.exceptions import ClientError
def lambda_handler(event, context):
secret_name = "MY-Secret"
region_name = "eu-west-2"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name=region_name
)
try:
get_secret_value_response = client.get_secret_value(
SecretId = secret_name
)
except ClientError as e:
if e.response['Error']['Code'] == 'DecryptionFailureException':
# Secrets Manager can't decrypt the protected secret text using the provided KMS key.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InternalServiceErrorException':
# An error occurred on the server side.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidParameterException':
# You provided an invalid value for a parameter.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidRequestException':
# You provided a parameter value that is not valid for the current state of the resource.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'ResourceNotFoundException':
# We can't find the resource that you asked for.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
# else:
# # Decrypts secret using the associated KMS CMK.
# # Depending on whether the secret is a string or binary, one of these fields will be populated.
# if 'SecretString' in get_secret_value_response:
# secret = get_secret_value_response['SecretString']
# else:
# decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])
else:
# Decrypts secret using the associated KMS CMK.
# Depending on whether the secret is a string or binary, one of these fields will be populated.
if 'SecretString' in get_secret_value_response:
secret = get_secret_value_response['SecretString']
else:
secret = base64.b64decode(get_secret_value_response['SecretBinary'])
# Send message to SNS
MY_SNS_TOPIC_ARN = 'arn::SNS-MY-Secret-Manager'
sns_client = boto3.client('sns')
sns_client.publish(
TopicArn = MY_SNS_TOPIC_ARN,
Message = 'Your Credentians are: ' + secret
)
return json.loads(secret) # returns the secret as dictionary
我创建了一个触发上述 lambda 函数的云监视事件规则,该函数是使用RotateSecret AWS Secret Manager API 调用创建的。以下是云观看事件的设置。
参考:https ://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html
但是,当我们的密钥发生轮换时,AWS 生成的 lambda 函数会生成新的红移密钥凭证,也可以通过 AWS 控制台在 Secret Manager 上查看。
但它不会触发我们的 Lambda getawssecretthat函数,该函数是在使用RotateSecret AWS Secret Manager API 调用设置云监视规则时添加为目标的,然后我的电子邮件中没有收到任何 AWS SNS 通知。
但是,当我通过单击“立即旋转密码”按钮手动旋转密码时。它轮换我们的秘密并触发我们的 lambda getawssecretthat函数通过云观察事件并通过电子邮件向我们发送 AWS SNS 通知
我在这里想念什么?如何配置 AWS Secret Manager 以通过 AWS CLoudwatch 事件发送更改红移凭证的 SNS 通知?
如何在不手动登录 AWS 控制台的情况下接收最新的 redshift 凭证?