如何将JKS证书存储在AWS Secret Manager中?

huangapple go评论85阅读模式
英文:

How to store JKS certificate in AWS Secret Manager?

问题

我需要安全地存储并从我的Java应用程序中获取keystore.jkstruststore.jks文件,以便与外部应用程序进行安全通信。

我们能把这些文件存储在AWS Secret Manager中吗?

我无法找到适用于将JKS证书作为秘密存储在AWS Secret Manager中的正确文档。

英文:

I need to securely store and fetch keystore.jks and truststore.jks files from my Java application in order to make secure communications with external application.

Can we store these files in AWS Secret Manager?

I am not able to find proper documentation to store JKS certificate as secret in AWS secret manager.

答案1

得分: 7

你可以将这些内容作为二进制机密存储在SecretsManager中,只要它们在大小限制之下。或者,你可以将它们存储在一个使用KMS CMK加密的私有S3存储桶中。

由于Java在Java应用程序启动之前需要文件系统上存在truststore.jks和keystore.jks文件,所以你需要在启动Java应用程序之前将这些文件下载到运行的容器中。例如,你可以在Docker镜像中包含并使用AWS CLI工具,通过脚本将文件下载到运行的容器中。

为了让你的ECS应用程序可以访问并下载这些文件,你需要为ECS任务分配适当的IAM权限。

英文:

You would store these as binary secrets in SecretsManager, as long as they are under the size limit. Alternatively, you could store them in a private S3 bucket encrypted with a KMS CMK.

Since Java expects the truststore.jks and keystore.jks files to be present on the file system before the Java application starts up, you would need to script your docker container to download the files into the running container before starting your Java application, for example by including and using the AWS CLI tool within your Docker image.

To give your ECS application access to download the files you would assign the appropriate IAM permissions to the ECS task.

答案2

得分: 2

你可以向 AWS Secret Manager 添加和检索证书。但这也取决于你的证书大小。详见:AWS Secrets Manager 配额限制

> AWS Secrets Manager 中的秘密有各种限制,比如字符长度(65,536)。

阅读文档:将证书存储在 AWS Secrets Manager 中

注意:你需要使用 HTTP 解析器/ Lambda 解析器才能发起 HTTP 调用到 AWS Secrets Manager 以获取密钥。

英文:

You can add and retrieve certificates from AWS Secret Manager. But it depends on the size of your certificate as well. Read here : Quotas for AWS Secrets Manager

> Secrets for AWS Secrets Manager have various limits such as length in
> characters (65,536).

Read the docs : Storing the certificates in AWS Secrets Manager

Note : You will need to use HTTP Resolvers/ Lambda Resolvers to be able to make http calls to AWS Secrets Manager to obtain the secret.

huangapple
  • 本文由 发表于 2020年7月26日 16:38:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/63097944.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定