获取本地Go应用程序中的密钥的正确策略

huangapple go评论106阅读模式
英文:

correct policy to get secrets on local go app

问题

我正在使用AWS上的一个小项目进行开发:

  • 使用golang编写的应用程序
  • RDS/MySQL数据库
  • 密钥管理器(Secret Manager)
  • API网关和Lambda函数

我正在本地运行Go应用程序以验证与数据库的交互,但是无法与密钥管理器配合工作。

使用以下示例代码:

func getCreds() {
    config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
    if err != nil {
        log.Fatal(err)
    }

    svc := secretsmanager.NewFromConfig(config)
    input := &secretsmanager.GetSecretValueInput{
        SecretId:     aws.String(secretName),
        VersionStage: aws.String("AWSCURRENT"),
    }

    result, err := svc.GetSecretValue(context.TODO(), input)
    if err != nil {
        log.Fatal(err.Error())
    }

    var secretString string = *result.SecretString
    log.Printf("pwd: %s", secretString)
}

我得到了以下错误信息:

operation error Secrets Manager: GetSecretValue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds

如果我理解正确,我需要向用户/策略添加权限。但是在哪里添加呢?在IAM控制台还是密钥管理器控制台?

应该添加到哪里呢?

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "<在这里添加什么>"},
            "Resource": "<在这里添加什么>"
        }
    ]
}
英文:

playing with a small project on AWS:

  • golang app
  • RDS/MySQL database
  • secret manager
  • API gateway and lambda

I'm running the go app locally to verify the interaction with the database, but I can't get it to work with the secret manager.

using this sample code:

func getCreds() {
	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
	if err != nil {
		log.Fatal(err)
	}

	svc := secretsmanager.NewFromConfig(config)
	input := &amp;secretsmanager.GetSecretValueInput{
		SecretId:     aws.String(secretName),
		VersionStage: aws.String(&quot;AWSCURRENT&quot;),
	}

	result, err := svc.GetSecretValue(context.TODO(), input)
	if err != nil {
		log.Fatal(err.Error())
	}

	var secretString string = *result.SecretString
	log.Printf(&quot;pwd: %s&quot;, secretString)
}

I'm getting

operation error Secrets Manager: GetSecretValue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds

If I understand correctly, I need to add a permission to a user/policy. But where to add this? In the IAM console? Or the secret manager console?

And what should it be?

{
    &quot;Version&quot;:&quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
            &quot;Principal&quot;: {&quot;AWS&quot;: &quot;&lt;what to add here&gt;&quot;},
            &quot;Resource&quot;: &quot;&lt;and here&gt;&quot;
        }
    ]
}

答案1

得分: 0

Go应用程序无法找到用于使用AWS API的凭据。

根据配置凭据,您可以使用以下代码在本地自动使用~/.aws/config作为凭据:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable,
}))

如果您提供自定义配置,则必须提供凭据。还有其他方法,请选择适合您的方法。AWS建议使用上述方法

这涵盖了与您的用户一起运行的情况。对于AWS执行,您需要为Lambda函数提供访问密钥的权限:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
            ]
        }
    ]
}

上述策略必须应用于执行Lambda的IAM角色。您可以在AWS控制台中找到角色:Lambda -> 您的Lambda -> 配置 -> 权限 -> 执行角色。

英文:

The Go Application doesn't find the credentials to use the AWS API.

According to (Configuring Credentials) you can use this code to automagically use ~/.aws/config for credentials locally

sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable,
}))

if you supply a custom config, the credentials must be supplied. There are other methods, pick one that suits you. AWS proposes the method above.

This covers running with your users. For AWS execution you need to give the Lambda function access to the secret:

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Action&quot;: [
                &quot;secretsmanager:GetSecretValue&quot;,
            ],
            &quot;Resource&quot;: [
                &quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c&quot;
            ]
        }
}

The above policy must be applied to the IAM Role the Lambda is executed with. You can find the role AWS Console -> Lambda -> You Lambda -> Configuration -> Permissions -> Execution Role

huangapple
  • 本文由 发表于 2023年3月22日 06:05:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/75806744.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定