个人中心
gpt4 book ai didi

node.js - 如何在 CloudFormation 文件中分配 AWS SecretsManager 策略?

转载 作者:行者123 更新时间:2023-12-03 07:23:17 27 4
gpt4 key购买 nike

我正在使用 AWS Lambda、API Gateway 和 RDS (MySQL) 开发 REST API。我正在使用 Node.js。

为了保护数据库凭证,我访问了 AWS Web 控制台并创建了一个新 key 。

现在我需要在 Lambda 函数中访问这些。我知道我必须分配 SecretsManagerReadWrite 权限,但我不知道该怎么做。

下面是我的 CloudFormation 配置文件。

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi
  

    # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
    Globals:
      Function:
        Timeout: 100
        VpcConfig:
            SecurityGroupIds:
              - sg-041f2455252528e
            SubnetIds:
              - subnet-0385252525
    
    Resources:
      GetAllAccountingTypesFunction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
          CodeUri: aaaa-restapi/
          Handler: accountingtypes-getall.getallaccountingtypes
          Runtime: nodejs14.x
          Events:
            HelloWorld:
              Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
              Properties:
                Path: /accountingtypes/getallaccountingtypes
                Method: get
      
    
      LambdaRole:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          Path: /
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          Policies:
            - PolicyName: root
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Action:
                      - ec2:DescribeNetworkInterfaces
                      - ec2:CreateNetworkInterface
                      - ec2:DeleteNetworkInterface
                      - ec2:DescribeInstances
                      - ec2:AttachNetworkInterface
                    Resource: '*'
    
    Outputs:
      # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
      # Find out more about other implicit resources you can reference within SAM
      # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
      HelloWorldApi:
        Description: "API Gateway endpoint URL for Prod stage for functions"
        Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"

在此文件中,我如何向我的 Lambda 函数授予权限?

最佳答案

基于评论。

通常的实现方式是访问lambda 函数中的 secret 值。这需要向 lambda 执行角色授予访问 secret 的权限

在 CloudFormation 模板中,您可以将 key 名称(而不是其值)作为环境变量传递给 lambda 函数。

关于node.js - 如何在 CloudFormation 文件中分配 AWS SecretsManager 策略?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68480060/

27 4 0
文章推荐: amazon-web-services - 如何从多个 yml 构建 CloudFormation 模板
文章推荐: amazon-web-services - AWS CloudFormation 模板格式错误 : Unresolved resource dependencies in the Resources block of the template
文章推荐: aws-cloudformation - CodePipeline - 遇到不支持的属性配置
文章推荐: aws-lambda - AWS自动化文档不更新Lambda别名
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com