时间戳

首页 > 解决方案 > 如何在 CloudFormation 文件中分配 AWS SecretsManager 策略?

node.js - 如何在 CloudFormation 文件中分配 AWS SecretsManager 策略?

问题描述

我正在使用 AWS Lambda、API Gateway 和 RDS (MySQL) 开发 REST API。我正在使用 Node.js。

为了保护数据库凭证,我访问了 AWS Web 控制台并创建了一个新密钥。

现在我需要在我的 Lambda 函数中访问这些。我知道我必须分配SecretsManagerReadWrite权限,但我不知道该怎么做。

下面是我的 CloudFormation 配置文件。

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi
  

    # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
    Globals:
      Function:
        Timeout: 100
        VpcConfig:
            SecurityGroupIds:
              - sg-041f2455252528e
            SubnetIds:
              - subnet-0385252525
    
    Resources:
      GetAllAccountingTypesFunction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
          CodeUri: aaaa-restapi/
          Handler: accountingtypes-getall.getallaccountingtypes
          Runtime: nodejs14.x
          Events:
            HelloWorld:
              Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
              Properties:
                Path: /accountingtypes/getallaccountingtypes
                Method: get
      
    
      LambdaRole:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          Path: /
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          Policies:
            - PolicyName: root
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Action:
                      - ec2:DescribeNetworkInterfaces
                      - ec2:CreateNetworkInterface
                      - ec2:DeleteNetworkInterface
                      - ec2:DescribeInstances
                      - ec2:AttachNetworkInterface
                    Resource: '*'
    
    Outputs:
      # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
      # Find out more about other implicit resources you can reference within SAM
      # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
      HelloWorldApi:
        Description: "API Gateway endpoint URL for Prod stage for functions"
        Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"

在此文件中,我如何授予我的 Lambda 函数权限?

标签: node.jsamazon-web-servicesamazon-cloudformationaws-samaws-secrets-manager

解决方案

根据评论。

通常完成的方式是访问lambda 函数中的秘密值。这将需要授予lambda 执行角色访问密钥的权限。

在 CloudFormation 模板中,您可以将密钥名称(而不是其值)作为环境变量传递给 lambda 函数。

推荐阅读