Correct policy for getting secrets in a local Go app

English:

correct policy to get secrets on local go app

Question

I'm working on a small project on AWS:

  • a golang app
  • an RDS/MySQL database
  • Secrets Manager
  • API Gateway and Lambda functions

I'm running the Go app locally to verify the interaction with the database, but I can't get it to work with Secrets Manager.

Using this sample code:

package main

import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)

// region and secretName are assumed to be set elsewhere (flags or environment).
var region, secretName string

func getCreds() {
	// Named cfg: the original "config, err := config.LoadDefaultConfig" shadowed the config package.
	// LoadDefaultConfig uses the default credential chain (env vars, ~/.aws/credentials, IMDS).
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	if err != nil {
		log.Fatal(err)
	}

	svc := secretsmanager.NewFromConfig(cfg)
	input := &secretsmanager.GetSecretValueInput{
		SecretId:     aws.String(secretName),
		VersionStage: aws.String("AWSCURRENT"),
	}

	result, err := svc.GetSecretValue(context.TODO(), input)
	if err != nil {
		log.Fatal(err.Error())
	}

	// SecretString is nil for binary secrets; guard before dereferencing.
	if result.SecretString == nil {
		log.Fatal("secret has no string value")
	}
	secretString := *result.SecretString
	log.Printf("pwd: %s", secretString) // prints the secret; keep this to local debugging only
}

I get the following error:

operation error Secrets Manager: GetSecretValue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds

If I understand correctly, I need to add a permission to a user/policy. But where do I add it? In the IAM console or the Secrets Manager console?

And what should it be?

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "<what to add here>"},
            "Resource": "<and here>"
        }
    ]
}
English:

playing with a small project on AWS:

  • golang app
  • RDS/MySQL database
  • secret manager
  • API gateway and lambda

I'm running the go app locally to verify the interaction with the database, but I can't get it to work with the secret manager.

using this sample code:

package main

import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)

// region and secretName are assumed to be set elsewhere (flags or environment).
var region, secretName string

func getCreds() {
	// Named cfg: the original "config, err := config.LoadDefaultConfig" shadowed the config package.
	// LoadDefaultConfig uses the default credential chain (env vars, ~/.aws/credentials, IMDS).
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	if err != nil {
		log.Fatal(err)
	}

	svc := secretsmanager.NewFromConfig(cfg)
	input := &secretsmanager.GetSecretValueInput{
		SecretId:     aws.String(secretName),
		VersionStage: aws.String("AWSCURRENT"),
	}

	result, err := svc.GetSecretValue(context.TODO(), input)
	if err != nil {
		log.Fatal(err.Error())
	}

	// SecretString is nil for binary secrets; guard before dereferencing.
	if result.SecretString == nil {
		log.Fatal("secret has no string value")
	}
	secretString := *result.SecretString
	log.Printf("pwd: %s", secretString) // prints the secret; keep this to local debugging only
}

I'm getting

operation error Secrets Manager: GetSecretValue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds

If I understand correctly, I need to add a permission to a user/policy. But where to add this? In the IAM console? Or the secret manager console?

And what should it be?

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "<what to add here>"},
            "Resource": "<and here>"
        }
    ]
}
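The template in the question carries a Principal, which only belongs in a resource-based policy (the kind attached to the secret itself in the Secrets Manager console); a policy attached to an IAM user or to the Lambda execution role in the IAM console is identity-based and has no Principal. The following checker is an added example, not code from the question or from AWS; it uses only the standard library, tells the two policy kinds apart, and flags wildcard actions or resources that would exceed least privilege:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an IAM statement inspected here; Principal appears only in resource-based policies.
type Statement struct {
	Action    json.RawMessage
	Resource  json.RawMessage
	Principal json.RawMessage
}

// asList accepts a string or an array of strings, both of which IAM allows.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// CheckSecretPolicy reports the policy kind and least-privilege findings
// (empty findings means the document passed). Added example, not AWS code.
func CheckSecretPolicy(doc string) (kind string, findings []string) {
	var p struct{ Statement []Statement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return "invalid", []string{"not valid JSON: " + err.Error()}
	}
	kind = "identity-based"
	for i, s := range p.Statement {
		if len(s.Principal) > 0 {
			kind = "resource-based"
		}
		for _, a := range asList(s.Action) {
			if !strings.HasPrefix(a, "secretsmanager:") || strings.Contains(a, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: action %q is not a specific Secrets Manager action", i, a))
			}
		}
		for _, r := range asList(s.Resource) {
			if strings.Contains(r, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: resource %q should name one secret ARN", i, r))
			}
		}
	}
	return kind, findings
}
```

Run it over the answer's policy and it reports identity-based with no findings; a statement with a Principal and `"Resource": "*"` reports resource-based with a wildcard finding.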

Answer 1

Score: 0

The Go application cannot find credentials to use the AWS API.

According to Configuring Credentials, you can use the following code to automatically use ~/.aws/config for credentials locally:

// AWS SDK for Go v1: import "github.com/aws/aws-sdk-go/aws/session"
sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable, // read ~/.aws/config as well as ~/.aws/credentials
}))

If you supply a custom config, you must supply the credentials. There are other methods; pick one that suits you. AWS recommends the method above.

This covers running as your user. For AWS execution, you need to give the Lambda function permission to access the secret:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
            ]
        }
    ]
}

The above policy must be applied to the IAM role that the Lambda executes with. You can find the role in the AWS console: Lambda -> your Lambda -> Configuration -> Permissions -> Execution role.

English:

The Go Application doesn't find the credentials to use the AWS API.

According to (Configuring Credentials) you can use this code to automagically use ~/.aws/config for credentials locally

// AWS SDK for Go v1: import "github.com/aws/aws-sdk-go/aws/session"
sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable, // read ~/.aws/config as well as ~/.aws/credentials
}))

if you supply a custom config, the credentials must be supplied. There are other methods, pick one that suits you. AWS proposes the method above.

This covers running with your users. For AWS execution you need to give the Lambda function access to the secret:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
            ]
        }
    ]
}

The above policy must be applied to the IAM Role the Lambda is executed with. You can find the role in AWS Console -> Lambda -> Your Lambda -> Configuration -> Permissions -> Execution Role
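The answer's point is that the SDK's default credential chain found nothing locally; the error in the question names the IMDS step because that is the last link the chain tries. The function below is an added example, not code from the answer or from the AWS SDK: it is a standard-library stand-in for that chain (environment variables, then the shared credentials file for the selected profile, then an instance role) with the inputs passed in explicitly, so it runs offline against a constructed credentials file and shows which step would have supplied credentials:

```go
package main

import (
	"bufio"
	"strings"
)

// profileHasKey reports whether the named profile in a credentials-file body
// sets aws_access_key_id (minimal INI parsing, enough for ~/.aws/credentials).
func profileHasKey(body, profile string) bool {
	in := false
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			in = strings.Trim(line, "[]") == profile
			continue
		}
		if k, v, ok := strings.Cut(line, "="); in && ok &&
			strings.TrimSpace(k) == "aws_access_key_id" && strings.TrimSpace(v) != "" {
			return true
		}
	}
	return false
}

// ResolveCredSource walks a stand-in for the SDK's default chain in its real
// order and returns where credentials come from, or "" once it is exhausted.
// env stands in for the process environment, creds for ~/.aws/credentials and
// onEC2 for whether IMDS can hand out an instance role (never true on a laptop).
// Added example with constructed inputs, not the SDK's own implementation.
func ResolveCredSource(env map[string]string, creds string, onEC2 bool) string {
	if env["AWS_ACCESS_KEY_ID"] != "" && env["AWS_SECRET_ACCESS_KEY"] != "" {
		return "environment variables"
	}
	profile := env["AWS_PROFILE"]
	if profile == "" {
		profile = "default"
	}
	if profileHasKey(creds, profile) {
		return "shared credentials file, profile " + profile
	}
	if onEC2 {
		return "EC2 IMDS role"
	}
	return "" // same outcome as the question: "no EC2 IMDS role found"
}
```

With a credentials file that only defines a `dev` profile and no `AWS_PROFILE` set, the chain is exhausted exactly as in the question; setting `AWS_PROFILE=dev` (or running `aws configure` to create a `default` profile) makes the shared file step succeed.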

Posted by huangapple on 2023-03-22 06:05:54
Please keep this link when reposting: https://go.coder-hub.com/75806744.html