我已经设置了一个运行PHP的EC2实例。仅用于测试,该实例位于具有安全组的公共子网中,该安全组允许所有流量进入0.0.0.0/0。路由表具有到10.0.0.0/16(VPC的CIDR块)的默认本地路由,以及到0.0.0.0/0到Internet网关的路由。与子网关联的NACL允许在0.0.0.0/0处进出所有流量。我知道这是完全开放的,但是我想确保遇到的问题与安全组和NACL无关。
我创建了Secrets Manager机密MySecret-xxxxx,并使用以下策略将IAM角色附加到实例,以允许实例访问机密:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:eu-west-2:xxxxxxxxx:secret:MySecret-xxxxx"
}
]
}
我已经在名为sdks的子文件夹中的实例上安装了适用于PHP的AWS开发工具包,最后创建了一个“ Hello World” index.php文件,该文件运行良好,直到尝试运行{{1} }在AWS提供的安装信息的简化版本中。这是PHP代码:
getSecretValue一旦包含了<?php
require 'sdks/aws/aws-autoloader.php';
use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;
$client = new SecretsManagerClient( [
'profile' => 'default',
'version' => 'latest',
'region' => 'eu-west-2'
] );
$secretName = 'MySecret-xxxxx';
echo '<h1>Hello World</h1>';
$result = $client->getSecretValue([
'SecretId' => $secretName,
]);
?>
代码块,我将收到一条HTTP ERROR 500错误消息,尽管没有它也可以很好地工作。我在CLI上运行了$result = $client->getSecretValue([...,并正确返回了机密详细信息。
答案 0 :(得分:2)
最后弄清楚了-尽管我已经在EC2实例的/home/ec2-user/.aws文件夹中创建了一个凭证文件,但是我仍然必须通过SDK检索凭证。为什么从AWS提供的Secrets Manager示例代码中排除了此原因超出了我的范围。现在,完整的工作代码如下所示:
<?php
require 'vendor/autoload.php';
use Aws\Credentials\CredentialProvider;
use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;
$provider = CredentialProvider::defaultProvider();
$client = new SecretsManagerClient( [
'credentials' => $provider,
'version' => 'latest',
'region' => 'eu-west-2'
] );
$secretName = 'MySecret-xxxxx';
try {
$result = $client->getSecretValue( [
'SecretId' => $secretName,
] );
} catch ( AwsException $e ) {
$error = $e->getAwsErrorCode();
if ( $error == 'DecryptionFailureException' ) { // Can't decrypt the protected secret text using the provided AWS KMS key.
throw $e;
}
if ( $error == 'InternalServiceErrorException' ) { // An error occurred on the server side.
throw $e;
}
if ( $error == 'InvalidParameterException' ) { // Invalid parameter value.
throw $e;
}
if ( $error == 'InvalidRequestException' ) { // Parameter value is not valid for the current state of the resource.
throw $e;
}
if ( $error == 'ResourceNotFoundException' ) { // Requested resource not found
throw $e;
}
}
// Decrypts secret using the associated KMS CMK, depends on whether the secret is a string or binary.
if ( isset( $result[ 'SecretString' ] ) ) {
$secret = $result[ 'SecretString' ];
} else {
$secret = base64_decode( $result[ 'SecretBinary' ] );
}
// Decode the secret json
$secrets = json_decode( $secret, true );
echo( '<p>hostname/ipaddress: ' . $secrets[ 'host' ] . '</p><p>username: ' . $secrets[ 'username' ] . '</p><p>password: ' . $secrets[ 'password' ] . '</p><p>dbname: ' . $secrets[ 'dbname' ] . '</p>' );