结合使用AWS Secrets Manager和Python(Lambda Console)

时间:2019-09-18 21:09:16

标签: python amazon-web-services aws-lambda aws-secrets-manager

我正在尝试在AWS中使用Secrets Manager的Lambda函数。管理员的秘密用于将数据库凭据存储到Snowflake(用户名,密码)。

我设法在Secrets Manager中设置了一个秘密,其中包含几个键/值对(例如,一个用于用户名,另一个用于密码)。

现在,我试图在我的Python函数代码中引用这些值。 AWS文档请提供以下代码段:

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():

    secret_name = "MY/SECRET/NAME"
    region_name = "us-west-2"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'DecryptionFailureException':
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InternalServiceErrorException':
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'ResourceNotFoundException':
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
    else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])

    # Your code goes here.

稍后在我的def lambda_handler(event, context)函数中,我具有以下代码段可建立与数据库的连接:

        conn = snowflake.connector.connect(
            user=USERNAME,
            password=PASSWORD,
            account=ACCOUNT,
            warehouse=WAREHOUSE,
            role=ROLE
            )

但是,我无法弄清楚如何使用get_secret()函数返回诸如USERNAMEPASSWORD之类的参数的值。

这如何完成?谢谢您的帮助!

5 个答案:

答案 0 :(得分:3)

将get_secret()的最后一部分更新为:

else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            secret = base64.b64decode(get_secret_value_response['SecretBinary'])

return json.loads(secret)  # returns the secret as dictionary

这将返回一个字典,您将在其中拥有在AWS Secret Manager控制台中指定的密钥。

答案 1 :(得分:1)

hi @Prashanth kumar你的意思是这样的: def get_secret():

secret_name = "MySecretForRedshift"
region_name = "us-east-1"

# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
    service_name='secretsmanager',
    region_name=region_name
)

# In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
# See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
# We rethrow the exception by default.

try:
    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )
except ClientError as e:
    if e.response['Error']['Code'] == 'DecryptionFailureException':
        # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif e.response['Error']['Code'] == 'InternalServiceErrorException':
        # An error occurred on the server side.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif e.response['Error']['Code'] == 'InvalidParameterException':
        # You provided an invalid value for a parameter.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif e.response['Error']['Code'] == 'InvalidRequestException':
        # You provided a parameter value that is not valid for the current state of the resource.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif e.response['Error']['Code'] == 'ResourceNotFoundException':
        # We can't find the resource that you asked for.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
else:
    # Decrypts secret using the associated KMS CMK.
    # Depending on whether the secret is a string or binary, one of these fields will be populated.
    if 'SecretString' in get_secret_value_response:
        secret = json.loads(get_secret_value_response['SecretString'])
    else:
        secret = json.loads(base64.b64decode(get_secret_value_response['SecretBinary']))
return secret

答案 2 :(得分:0)

  • 这是我使用arn的方式,following this bloc希望对您有所帮助。
  • 值得检查一下您曾经存储过的内容,并相应地使用了一个 SecretStringSecretBinary 
    secrets_client = boto3.client('secretsmanager')
    secret_arn = 'arn:aws:secretsmanager:eu-west-2:xxxxxxxxxxxx:secret:dashboard/auth_token'
    auth_token = secrets_client.get_secret_value(SecretId=secret_arn).get('SecretString')
  • boto3 docs
  • get_secret_value从机密的指定版本中检索加密字段SecretStringSecretBinary的内容,以任何内容为准。
  • 根据使用的内容,您的lambda角色应具有以下权限
    • secretsmanager:GetSecretValue
    • kms:Decrypt仅在您使用客户管理的AWS KMS密钥加密机密时才需要。您不需要此权限即可将账户的默认AWS管理CMK用于Secrets Manager。

答案 3 :(得分:0)

我创建了一个名为pysecret的开源库,这是AWS Secret Manager集成的文档:https://github.com/MacHu-GWU/pysecret-project#aws-key-management-service-and-secret-manager-integration

我可以引导您完成最简单的方法:

  1. 手动将您的秘密值放入json或使用 pysecret创建一个。
from pysecret import AWSSecret

aws_profile = "my_aws_profile"
aws = AWSSecret(profile_name=aws_profile)

secret_id = "my-example-secret"
secret_data = {
    "host": "www.example.com",
    "port": 1234,
    "database": "mydatabase",
    "username": "admin",
    "password": "mypassword",
    "metadata": {
        "creator": "Alice"
    }
}
aws.deploy_secret(name=secret_id, secret_data=secret_data) # or you can pass kms_key_id if you created a custom kms key

然后,您应该可以看到在aws控制台中创建的机密。

  1. 在lambda函数或任何python代码中读取您的秘密值
aws = AWSSecret(profile_name=aws_profile) # in lambda code, don't need ``profile_name=aws_profile``
password = aws.get_secret_value(secret_id="my-example-secret", key="password") # mypassword
creator = aws.get_secret_value(secret_id="my-example-secret", key="metadata.creator") # Alice

注意,Lambda功能IAM角色要求访问机密

  1. 您的Lambda IAM角色必须具有Secret Manager的读取访问权限。 aws内置策略arn:aws:iam :: aws:policy / SecretsManagerReadWrite具有读写功能,如果您很懒,可以使用它。但是我建议您创建仅具有“读取”访问权限的自定义策略。
  2. 如果您使用自动生成的kms密钥作为秘密,则必须使用aws kms create-grant命令授予Lambda Function IAM角色访问kms密钥进行加密,这就是https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html
  3. 如果您使用自定义kms密钥,则应该能够编辑kms密钥的用户,请在aws控制台中选择Lambda Function IAM角色。

希望这能回答您的问题。

如果有此帮助,请为我的项目https://github.com/MacHu-GWU/pysecret-project加上星号。

答案 4 :(得分:0)

AWS为某些受支持的数据库引擎(例如MySQL等)提供了一些模板,请查看以下template

对于不受支持的数据库,请检查this

上面提供的模板将为您提供一个自定义功能的示例。

相关问题
最新问题