
Using AWS Secrets Manager secrets in a CDK stack with ECS + Fargate

Stack Overflow user
Asked 2021-03-25 11:19:23
1 answer, 3.9K views, 0 followers, score 4

I have defined a CDK app stack using TypeScript (the code below contains sensitive information):

```typescript
import * as cdk from "@aws-cdk/core";
import * as ec2 from "@aws-cdk/aws-ec2";
import * as ecs from "@aws-cdk/aws-ecs";
import * as ecr from "@aws-cdk/aws-ecr";
import * as ecr_assets from "@aws-cdk/aws-ecr-assets";
import * as ecs_patterns from "@aws-cdk/aws-ecs-patterns";
import * as sm from "@aws-cdk/aws-secretsmanager";

export class CdkAppStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create a Docker image and upload it to the Amazon Elastic Container Registry (ECR)
    const dockerImage = new ecr_assets.DockerImageAsset(this, "ApiDockerImage", {
      directory: "/home/ec2-user/environment/node-test"
    });

    // Create a new VPC and NAT Gateway
    const vpc = new ec2.Vpc(this, "ApiVpc", {
      maxAzs: 3 // Default is all AZs in region
    });

    // Create a new Amazon Elastic Container Service (ECS) cluster
    const cluster = new ecs.Cluster(this, "ApiCluster", {
      vpc: vpc
    });

    // Create a load-balanced Fargate service and make it public
    new ecs_patterns.ApplicationLoadBalancedFargateService(this, "ApiFargateService", {
      cluster: cluster, // Required
      cpu: 512, // Default is 256
      desiredCount: 2, // Default is 1
      taskImageOptions: {
        image: ecs.ContainerImage.fromDockerImageAsset(dockerImage),
        containerPort: 8080,
        enableLogging: true,
        secrets: sm.Secret.fromSecretCompleteArn(this, "ImportedSecret", "arn:aws:secretsmanager:ap-south-1:762589711820:secret:/api/production/FrOibp")
      },
      memoryLimitMiB: 2048, // Default is 512
      publicLoadBalancer: true // Default is false
    });
  }
}
```

Deploying with cdk deploy succeeds if I remove the secrets key from taskImageOptions, but with secrets in place I get the following error when I try to deploy:

```text
ec2-user:~/environment/cdk-app (master) $ cdk deploy
⨯ Unable to compile TypeScript:
lib/cdk-app-stack.ts:42:9 - error TS2322: Type 'ISecret' is not assignable to type '{ [key: string]: Secret; }'.
  Index signature is missing in type 'ISecret'.

42         secrets: secret
           ~~~~~~~

Subprocess exited with error 1
```

I am doing something wrong here in trying to use the Secrets Manager secret. What is the correct way to reference a secret in ApplicationLoadBalancedFargateService?

1 answer

Stack Overflow user

Accepted answer

Answered 2021-03-25 12:22:07

There are two problems here:

  1. secrets is an index-signature type, so you should give your secret a name (this is the environment variable that will be exposed in the container).
  2. It expects an ecs.Secret (which can be created from the Secrets Manager secret).

Here is a working version:

```typescript
new ecs_patterns.ApplicationLoadBalancedFargateService(this, "ApiFargateService", {
  cluster: cluster, // Required
  cpu: 512, // Default is 256
  desiredCount: 2, // Default is 1
  taskImageOptions: {
    image: ecs.ContainerImage.fromDockerImageAsset(dockerImage),
    containerPort: 8080,
    enableLogging: true,
    secrets: {
      "MY_SECRET": ecs.Secret.fromSecretsManager(
        sm.Secret.fromSecretCompleteArn(this, "ImportedSecret", "arn:aws:secretsmanager:ap-south-1:762589711820:secret:/api/production/FrOibp")
      )
    }
  },
  memoryLimitMiB: 2048, // Default is 512
  publicLoadBalancer: true // Default is false
});
```
Score 8
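As an added example that is not part of the question or the answer, the following CDK-free TypeScript helper prepares the env-var-to-secret map described above so it can be checked offline: it parses a Secrets Manager ARN to tell whether it carries the six-character suffix that fromSecretCompleteArn requires (a partial ARN goes through fromSecretPartialArn, and CDK then grants the execution role read access with a wildcard on the suffix, a wider IAM statement), validates the environment variable names used as map keys, and records the optional JSON field that becomes the second argument of ecs.Secret.fromSecretsManager. All ARNs, variable names and function names here are constructed for the example.

```typescript
// Added example (not the question's or answer's code): a CDK-free helper that builds
// the env-var -> secret map for taskImageOptions.secrets. All ARNs here are constructed.
// Secrets Manager appends "-XXXXXX" (six random characters) to a secret name; an ARN
// that carries the suffix is "complete", one without it is "partial".
interface SecretArnParts {
  region: string;
  account: string;
  name: string;     // secret name without the random suffix
  suffix?: string;  // the six-character suffix, when present
}
// One map value: jsonField selects one key of a JSON secret (the second argument of
// ecs.Secret.fromSecretsManager); undefined injects the whole secret string.
interface ContainerSecretRef { secretArn: string; jsonField?: string }

const ARN_RE = /^arn:aws(?:-[a-z]+)?:secretsmanager:([a-z0-9-]+):(\d{12}):secret:(.+)$/;
const SUFFIX_RE = /^(.+)-([A-Za-z0-9]{6})$/;
const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;  // what a container env var may be called

function parseSecretArn(arn: string): SecretArnParts {
  const m = ARN_RE.exec(arn);
  if (!m) throw new Error("not a Secrets Manager ARN: " + arn);
  const region = m[1], account = m[2], rest = m[3];
  const s = SUFFIX_RE.exec(rest);
  return s ? { region, account, name: s[1], suffix: s[2] } : { region, account, name: rest };
}

// Which sm.Secret import fits the ARN: fromSecretCompleteArn needs the suffix. With a
// partial ARN, CDK grants the task execution role read access using a wildcard on the
// suffix, so that IAM statement is wider than the one for a complete ARN.
function importMethodFor(arn: string): "fromSecretCompleteArn" | "fromSecretPartialArn" {
  return parseSecretArn(arn).suffix ? "fromSecretCompleteArn" : "fromSecretPartialArn";
}

// Keys of `fields` are the environment variable names exposed in the container (the
// index-signature keys the answer refers to); values are the JSON keys to pull, or
// undefined for the whole secret. Every variable here maps to the same secret.
function buildContainerSecrets(
  arn: string,
  fields: { [envName: string]: string | undefined },
): { [envName: string]: ContainerSecretRef } {
  parseSecretArn(arn); // reject a malformed ARN before anything is deployed
  const out: { [envName: string]: ContainerSecretRef } = {};
  for (const envName of Object.keys(fields)) {
    if (!ENV_NAME_RE.test(envName)) throw new Error("bad env var name: " + envName);
    const jsonField = fields[envName];
    out[envName] = jsonField === undefined ? { secretArn: arn } : { secretArn: arn, jsonField };
  }
  return out;
}
```

Each entry of the returned map corresponds to one `ENV_NAME: ecs.Secret.fromSecretsManager(secret, jsonField)` line in the answer's `secrets` object.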
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/66798419