AWS Secrets Manager
User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon.
All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents

What is Secrets Manager? ........ 1
    Basic scenario ........ 1
    Features ........ 2
        Programmatically retrieve encrypted secret values at runtime ........ 2
        Store different types of secrets ........ 2
        Encrypt your secret data ........ 2
        Automatically rotate your secrets ........ 3
        Control access to secrets ........ 3
    Compliance with standards ........ 4
    Pricing ........ 5
    Support and feedback ........ 5
Access Secrets Manager ........ 7
    Secrets Manager console ........ 7
    Command line tools ........ 7
    AWS SDKs ........ 7
    HTTPS Query API ........ 7
Getting started ........ 9
    Secrets Manager concepts ........ 9
        Secret ........ 9
        Rotation ........ 10
        Version ........ 10
Tutorials ........ 11
    Tutorial: Create and retrieve a secret ........ 11
        Permissions ........ 11
        Step 1: Create a secret ........ 11
        Step 2: Retrieve the secret ........ 12
        Step 3: Clean up resources ........ 12
        Related resources ........ 12
    Tutorial: Single user rotation ........ 12
        Permissions ........ 13
        Prerequisites ........ 13
        Step 1: Connect with the original password ........ 16
        Step 2: Create a Secrets Manager endpoint ........ 17
        Step 3: Rotate the secret ........ 17
        Step 4: Test the rotated password ........ 18
        Step 5: Clean up resources ........ 18
        Next steps ........ 18
    Tutorial: Alternating users rotation ........ 18
        Permissions ........ 19
        Prerequisites ........ 19
        Step 1: Create an Amazon RDS database user ........ 19
        Step 2: Create a secret for the user credentials ........ 19
        Step 3: Test the rotated secret ........ 20
        Step 4: Clean up resources ........ 21
        Next steps ........ 21
Authentication and access control ........ 22
    Secrets Manager administrator permissions ........ 22
    Permissions to access secrets ........ 22
    Permissions for Lambda rotation functions ........ 22
    Permissions for encryption keys ........ 22
    Attach a permissions policy to an identity ........ 22
    Attach a permissions policy to a secret ........ 23
        AWS CLI ........ 23
        AWS SDKs ........ 24
    AWS managed policies ........ 24
    Determine who has permissions to your secrets ........ 25
    Cross-account access ........ 25
    Permissions policy examples ........ 27
        Example: Permission to retrieve a secret value ........ 27
        Example: Wildcards ........ 28
        Example: Permission to create secrets ........ 29
        Example: Permissions and VPCs ........ 30
        Example: Control access to secrets using tags ........ 31
        Example: Limit access to identities with tags that match the secret's tags ........ 31
        Example: Service principal ........ 32
    Permissions reference ........ 32
        Secrets Manager actions ........ 33
        Secrets Manager resources ........ 39
        Condition keys ........ 40
        BlockPublicPolicy condition ........ 41
        IP address conditions ........ 41
        VPC endpoint conditions ........ 41
Create and manage secrets ........ 43
    Create a secret ........ 43
        AWS CLI ........ 44
        AWS SDKs ........ 45
    Modify a secret ........ 45
        AWS CLI ........ 46
        AWS SDKs ........ 46
    Find a secret ........ 47
        AWS CLI ........ 47
        AWS SDKs ........ 48
    Delete a secret ........ 48
        AWS CLI ........ 49
        AWS SDKs ........ 50
    Restore a secret ........ 50
        AWS CLI ........ 50
        AWS SDKs ........ 50
    Replicate a secret to other Regions ........ 50
        AWS CLI ........ 51
        AWS SDKs ........ 52
    Promote a replica secret to a standalone secret ........ 52
        AWS CLI ........ 52
        AWS SDKs ........ 52
    Tag a secret ........ 52
        AWS CLI ........ 53
        AWS SDKs ........ 53
Retrieve secrets ........ 54
    Connect to a SQL database ........ 54
    Java applications ........ 57
        SecretCache ........ 58
        SecretCacheConfiguration ........ 59
        SecretCacheHook ........ 61
    Python applications ........ 61
        SecretCache ........ 62
        SecretCacheConfig ........ 63
        SecretCacheHook ........ 64
        @InjectSecretString ........ 64
        @InjectKeywordedSecretString ........ 65
    .NET applications ........ 65
        SecretsManagerCache ........ 66
        SecretCacheConfiguration ........ 68
        ISecretCacheHook ........ 69
    Go applications ........ 69
        type Cache ........ 70
        type CacheConfig ........ 71
        type CacheHook ........ 71
    Use secrets in Amazon EKS ........ 72
        Install the ASCP ........ 72
        Step 1: Set up access control ........ 72
        Step 2: Mount secrets in Amazon EKS ........ 73
        SecretProviderClass ........ 73
        Tutorial ........ 75
Rotate secrets ........ 77
    Rotation strategies ........ 77
        Single user ........ 77
        Alternating users ........ 78
    Amazon RDS, Amazon DocumentDB, or Amazon Redshift secrets ........ 78
        AWS CLI ........ 80
        AWS SDKs ........ 80
    Other types of secrets ........ 80
        AWS SDK and AWS CLI ........ 81
        AWS SDKs ........ 81
    Schedule expressions ........ 81
        Rate expressions ........ 81
        Cron expressions ........ 82
    Rotate a secret immediately ........ 83
        AWS SDK and AWS CLI ........ 83
        AWS SDKs ........ 83
    How rotation works ........ 83
    Network access for rotation ........ 84
    Permissions for rotation ........ 85
        Lambda function policy resources ........ 85
        Lambda function execution role inline policy ........ 86
    Customize a rotation function ........ 88
    Rotation function templates ........ 89
        Amazon RDS databases ........ 89
        Amazon DocumentDB databases ........ 93
        Amazon Redshift ........ 94
        Other types of secrets ........ 95
    Troubleshoot rotation ........ 95
        I want to find the diagnostic logs for my Lambda rotation function ........ 95
        "Access denied" error when trying to configure rotation for my secret ........ 95
        My first rotation fails after I enable rotation ........ 96
        Rotation fails because the secret value is not formatted as the rotation function expects ........ 96
        Secrets Manager says I configured rotation successfully, but the password is not rotated ........ 96
        Rotation fails with an "Internal failure" error message ........ 97
        CloudTrail shows an "Access denied" error during rotation ........ 97
        My database requires an SSL/TLS connection, but the Lambda rotation function does not use SSL/TLS ........ 98
AWS CloudFormation ........ 99
    Create a simple secret ........ 99
        JSON ........ 100
        YAML ........ 100
    Retrieve a secret in a CloudFormation resource ........ 100
        JSON ........ 101
        YAML ........ 101
    Create a secret with Amazon RDS credentials ........ 101
        JSON ........ 101
        YAML ........ 103
    Create a secret with Amazon RDS credentials and automatic rotation ........ 105
        JSON ........ 105
        YAML ........ 108
    Create a secret with Amazon Redshift credentials and automatic rotation ........ 110
        JSON ........ 111
        YAML ........ 114
    Create a secret with Amazon DocumentDB credentials and automatic rotation ........ 115
        JSON ........ 116
        YAML ........ 119
VPC endpoints ........ 122
    Considerations for Secrets Manager VPC endpoints ........ 122
    Create an interface VPC endpoint for Secrets Manager ........ 122
    Create a VPC endpoint policy for Secrets Manager ........ 122
Monitor secrets ........ 124
    AWS CloudTrail ........ 124
    Amazon CloudWatch ........ 124
    AWS Config ........ 124
    AWS Security Hub ........ 125
    View CloudTrail log file entries for Secrets Manager ........ 125
        AWS CLI or SDKs ........ 125
        CloudTrail log examples for Secrets Manager ........ 126
    Monitor secrets scheduled for deletion ........ 127
        Step 1: Configure CloudTrail log files to be sent to CloudWatch Logs ........ 127
        Step 2: Create a CloudWatch alarm ........ 128
        Step 3: Test the CloudWatch alarm ........ 129
    Audit secret compliance with AWS Config ........ 129
        Aggregate secrets across AWS accounts and AWS Regions ........ 129
Use with other services ........ 130
    AWS CodeBuild ........ 130
    Amazon ECS ........ 130
    Amazon EMR ........ 131
    AWS Fargate ........ 131
    AWS IoT Greengrass ........ 131
    Parameter Store ........ 131
    Amazon SageMaker ........ 132
    Amazon VPC ........ 132
    Zelkova ........ 132
Security in Secrets Manager ........ 133
    Best practices ........ 133
        Mitigate the risks of using the AWS CLI to store secrets ........ 134
    Data protection in Secrets Manager ........ 135
        Encryption at rest ........ 136
        Encryption in transit ........ 136
        Encryption key management ........ 136
        Internetwork traffic privacy ........ 136
    Secret encryption and decryption ........ 136
        Encryption and decryption processes ........ 137
        How Secrets Manager uses your KMS key ........ 137
        Permissions for the KMS key ........ 138
        Secrets Manager encryption context ........ 139
        Monitor Secrets Manager interaction with AWS KMS ........ 140
    Infrastructure security ........ 142
    Resilience ........ 142
    Compliance validation ........ 143
Troubleshooting ........ 144
    "Access denied" message when sending requests to Secrets Manager ........ 144
        "Access denied" for temporary security credentials ........ 144
    Changes I make are not always immediately visible ........ 144
    "Cannot generate a data key with an asymmetric KMS key" when creating a secret ........ 145
    An AWS CLI or AWS SDK operation can't find my secret from a partial ARN ........ 145
Quotas ........ 146
    Secret name constraints ........ 146
    Maximum quotas ........ 146
    Rate quotas ........ 146
    Add retries to your application ........ 147
    Cross-account requests