如何将AWS Secret Manager与Node.js Lambda一起使用

时间:2019-08-23 01:15:51

标签: javascript node.js aws-lambda aws-secrets-manager

我尝试包装示例代码片段以在函数中获取机密,然后调用它,但它似乎没有用。我怀疑我正在异步调用它,而我需要同步调用它吗?我只希望可以调用一个函数来获取秘密值并将其放入var中。

这是函数:

//outside exports.handler = (event, context, callback) => {
function getSecret(secretName) {
  // Load the AWS SDK
  var AWS = require('aws-sdk'),
      region = process.env.AWS_REGION,
      secretName = secretName,
      secret,
      decodedBinarySecret;

  // Create a Secrets Manager client
  var client = new AWS.SecretsManager({
      region: region
  });

  // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
  // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
  // We rethrow the exception by default.

  client.getSecretValue({SecretId: secretName}, function(err, data) {
      if (err) {
          if (err.code === 'DecryptionFailureException')
              // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
              // Deal with the exception here, and/or rethrow at your discretion.
              throw err;
          else if (err.code === 'InternalServiceErrorException')
              // An error occurred on the server side.
              // Deal with the exception here, and/or rethrow at your discretion.
              throw err;
          else if (err.code === 'InvalidParameterException')
              // You provided an invalid value for a parameter.
              // Deal with the exception here, and/or rethrow at your discretion.
              throw err;
          else if (err.code === 'InvalidRequestException')
              // You provided a parameter value that is not valid for the current state of the resource.
              // Deal with the exception here, and/or rethrow at your discretion.
              throw err;
          else if (err.code === 'ResourceNotFoundException')
              // We can't find the resource that you asked for.
              // Deal with the exception here, and/or rethrow at your discretion.
              throw err;
      }
      else {
          // Decrypts secret using the associated KMS CMK.
          // Depending on whether the secret is a string or binary, one of these fields will be populated.
          if ('SecretString' in data) {
              return data.SecretString;
          } else {
              let buff = new Buffer(data.SecretBinary, 'base64');
              return buff.toString('ascii');
          }
    }
  });
}

那我叫它

// inside exports.handler = (event, context, callback) => {
var secret = getSecret('mySecret')
console.log('mysecret: ' + secret )

秘密变量始终为undefined

编辑:异步仅适用于promise,因此我必须使函数异步并返回promise:

async function mySecrets(secretName) {
    // Load the AWS SDK
    var AWS = require('aws-sdk'),
        region = process.env.AWS_REGION,
        secretName = secretName,
        secret,
        decodedBinarySecret;

    // Create a Secrets Manager client
    var client = new AWS.SecretsManager({
        region: region
    });

    return new Promise((resolve,reject)=>{
        client.getSecretValue({SecretId: secretName}, function(err, data) {

            // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
            // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
            // We rethrow the exception by default.
            if (err) {
                reject(err);
            }
            else {
                // Decrypts secret using the associated KMS CMK.
                // Depending on whether the secret is a string or binary, one of these fields will be populated.
                if ('SecretString' in data) {
                    resolve(data.SecretString);
                } else {
                    let buff = new Buffer(data.SecretBinary, 'base64');
                    resolve(buff.toString('ascii'));
                }
            }
        });
    });
}

.....
// inside handler
exports.handler = async (event) => {
....
var value = await mySecrets('mysecret')

5 个答案:

答案 0 :(得分:2)

如果有人需要解决这个问题,这里有一个更简单的例子:

const result = await client
  .getSecretValue({
    SecretId: AWSConfig.secretName,
  })
  .promise();

const parsedResult = JSON.parse(result.SecretString);

答案 1 :(得分:1)

您需要等待才能完成异步调用。

在主处理程序中,您将得到类似的东西:

// inside your main handler
exports.handler =  async function(event, context) {
    var secret = await getSecret('mySecret')
    console.log('mysecret: ' + secret )

    return ...
    }

答案 2 :(得分:1)

我已经创建了一个同步解决方案,您可以在这里找到:https://github.com/jwerre/secrets

使用此软件包,您可以将所有机密加载到特定名称空间中,如下所示:

const config = require('@jwerre/secrets').configSync({
    region: 'us-east-1',
    env: 'production',
    namespace: 'my-namespace',
});

这将检索您可能不完全想要的所有机密。如果您想要一个秘密,可以这样:

const config = require('@jwerre/secrets').secretSync({
    region: 'us-west-2'
    id: '/my-co/apis/'
});

答案 3 :(得分:0)

df_reshaped = pd.melt(df,id_vars='Dates 3M',var_name = "newname1", value_name = "newname2") 提供了两种从API取回值的方法。您可以使用本机回调机制(如上所示),也可以在调用链的末尾使用aws-sdk来将API调用转换为等效的Promise。

例如

.promise()

如果您使用的是const data = await (secretManager.getSecret({ SecretId }).promise(); ,则您的函数需要和所有调用它的函数一样await,除非它们选择使用Promise的async / then

答案 4 :(得分:0)

更好的方法是在异步 lambda 函数中执行此操作

示例key:val => password:rootPassword

const secret = await secretClient.getSecretValue({SecretId: 'SecretKeyName'}).promise().then((data) => {
        return JSON.parse(data.SecretString);
})

然后以 secret.password 的身份访问它。

注意:环绕 try/catch 块以自动处理错误。

相关问题
最新问题