How to use environment variables to put them in AWS SAM template

Question

I have an AWS SAM template that has lines like this:

```yaml
Parameters:
  GoogleClientId:
    Description: 'Required. The Google client id'
    Type: 'String'
    NoEcho: true
  GoogleClientSecret:
    Description: 'Required. The Google client password'
    Type: 'String'
    NoEcho: true
Resources:
  ...
  GoogleProvider:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      AttributeMapping: {
        "name": "name",
        "family_name": "family_name",
        "email": "email",
        "username": "sub",
      }
      ProviderDetails: {
        "client_id" : !Ref GoogleClientId,
        "client_secret": !Ref GoogleClientSecret,
        "authorize_scopes": "openid profile email",
      }
      ProviderName: Google
      ProviderType: Google
      UserPoolId: !Ref ScreenshotUserPool
  ...
```

I don’t want to keep the Google secret in the clear; I have it in the .env file.
I found an option with parameters, but I don’t want to re-enter the parameters with each deployment. Is there a way to automatically pull the variable from the environment?
Thanks to all.
Answer 1
Score: 1

This depends on your current deployment process.
For local development, using the .env environment is your best bet, though.
For deployments you can use AWS Secrets Manager to retrieve the sensitive information (specifically using get-secret-value) and pass it in using the --parameter-overrides flag with sam deploy.
You can wrap this up in a bash script and have that be executed when you're ready for a deployment; the below is just example pseudocode.

```bash
#!/usr/bin/env bash
# deploy.sh file
# abort if the secret lookup or the build fails, rather than deploying with an empty value
set -euo pipefail
# retrieve secret from AWS Secrets Manager
# --query SecretString selects only the secret value; with --output text alone
# the CLI prints every field of the response (ARN, name, version, ...) on one line
# you can use jq to extract specifics if you're storing a JSON
GOOGLE_CLIENT_SECRET=$(aws secretsmanager get-secret-value --secret-id MyGoogleClientSecret --query SecretString --output text)
# build
sam build
# deploy
sam deploy \
  --stack-name {STACK_NAME} \
  --parameter-overrides "GoogleClientSecret=$GOOGLE_CLIENT_SECRET" \
  --no-confirm-changeset
```

Note --no-confirm-changeset will result in a deployment without the prompt to confirm; use with caution.
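As an added example (not code from the question or the answer), here is a deploy script that does the .env half of what the answer describes and goes one step further: it derives the --parameter-overrides string for every named template parameter from the matching environment variable, so nothing is re-typed per deployment and a missing value stops the deploy instead of shipping an empty secret. The function names, the .env parsing convention and the STACK_NAME variable are assumptions; GoogleClientId and GoogleClientSecret are the parameters from the question's template, and the answer's Secrets Manager lookup would slot into deploy() before build_param_overrides.

```shell
#!/bin/sh
# deploy.sh (constructed example): read SAM parameter values from the environment
# (a .env file locally, CI variables elsewhere) and pass them to `sam deploy`.
set -eu

# Export KEY=VALUE lines from a .env file. Keys are validated and the file is
# never `source`d, so a line containing shell syntax is rejected, not executed.
load_dotenv() {
  file="${1:-.env}"
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "${line:-}" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"; value="${line#*=}"
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "$file: refusing non KEY=VALUE line" >&2; return 1 ;;
    esac
    case "$value" in \"*\") value="${value#\"}"; value="${value%\"}" ;; esac  # optional quotes
    export "$key=$value"
  done < "$file"
}

# Print the --parameter-overrides string for the named template parameters, taking
# each value from the SCREAMING_SNAKE_CASE variable of the same name
# (GoogleClientSecret -> GOOGLE_CLIENT_SECRET). Fails if any value is missing, so
# a deploy never goes out with an empty NoEcho parameter.
build_param_overrides() {
  out=""
  for param in "$@"; do
    var="$(printf '%s' "$param" | sed -E 's/([a-z0-9])([A-Z])/\1_\2/g' | tr '[:lower:]' '[:upper:]')"
    case "$var" in *[!A-Z0-9_]*) echo "bad parameter name $param" >&2; return 1 ;; esac
    eval "value=\${$var:-}"
    if [ -z "$value" ]; then
      echo "missing value for template parameter $param (expected \$$var)" >&2
      return 1
    fi
    out="${out:+$out }$param=$value"
  done
  printf '%s' "$out"
}

deploy() {
  load_dotenv .env
  overrides="$(build_param_overrides GoogleClientId GoogleClientSecret)"
  sam build
  # Override values are visible in the process list on the deploy host; use a trusted runner.
  sam deploy --stack-name "${STACK_NAME:?set STACK_NAME}" \
    --parameter-overrides "$overrides" --no-confirm-changeset
}

case "${1:-}" in --run) deploy ;; esac
```

Run it as `STACK_NAME=my-stack ./deploy.sh --run`; without `--run` the script only defines the functions, which is what lets them be sourced and tested separately.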