I'm creating an EC2 instance with CloudFormation. The first thing I want to do is check out a git repository containing Puppet manifests. For that I need an SSH key.
What is the best way to get the key onto the server? Here is what I have considered:
The UserData property, but (despite its name) this seems like the wrong place to store any type of data, let alone sensitive data. This seems like a common thing to want, but I must be searching for the wrong thing, because I can't find a reasonable answer.
The straightforward way to handle this is to store the secrets (such as SSH keys) in a dedicated S3 bucket and then give the EC2 instance access to that bucket.
You can start by creating an IAM role:
```json
"DeploymentRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "Policies": [{
      "PolicyName": "SecretsBucketPolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
          "Resource": "arn:aws:s3:::wherever-the-secrets-are-stored/*",
          "Action": ["s3:GetObject"],
          "Effect": "Allow"
        }]
      }
    }],
    "Path": "/",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["sts:AssumeRole"],
        "Principal": {"Service": ["ec2.amazonaws.com"]},
        "Effect": "Allow"
      }]
    }
  }
}
```
This role defines a policy that allows it to read the secrets bucket, and allows EC2 to assume the role.
Then create an instance profile for this role:
```json
"DeploymentProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Roles": [{"Ref": "DeploymentRole"}],
    "Path": "/"
  }
}
```
For your EC2 instance or launch configuration, you can now assign this profile to the instance using the IamInstanceProfile property.
The secrets bucket should now be readable.
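As an added example, not part of the answer above: the instance-side half of this approach, i.e. what the UserData bootstrap would run once the profile is attached. It fetches the key with the instance role's credentials (no static keys anywhere), writes it so that only root can ever read it, uses it for the checkout only, and removes it again. Everything beyond the bucket name from the policy above is an assumption: that the AWS CLI is on the AMI, an object named `deploy_key`, a placeholder repository URL and checkout path, and that the git host's key is already in root's known_hosts so strict host-key checking can stay on.

```shell
#!/bin/sh
# Added example (not from the answer): instance-side bootstrap for the
# S3-secrets approach. Names below are assumptions, not from the page.
set -eu

SECRETS_BUCKET="${SECRETS_BUCKET:-wherever-the-secrets-are-stored}"  # from the policy above
SECRET_OBJECT="${SECRET_OBJECT:-deploy_key}"                          # assumed object name
REPO_URL="${REPO_URL:-git@example.com:user/repository.git}"           # placeholder
CHECKOUT_DIR="${CHECKOUT_DIR:-/etc/puppet}"                           # placeholder

# Write key material from stdin to a file nobody but the owner can read.
# umask 077 makes the file 0600 at creation, so there is no window in which it
# is readable by other users (a chmod after writing would leave one).
# Prints the path on success; removes the file and fails if it is not a key.
install_deploy_key() {
    dest=$1
    ( umask 077 && mkdir -p "$(dirname "$dest")" && cat > "$dest" )
    head -n 1 "$dest" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' || {
        rm -f "$dest"
        echo "downloaded object is not a private key" >&2
        return 1
    }
    echo "$dest"
}

# The CLI picks up the role credentials from the instance metadata service;
# nothing is baked into the template or UserData. "-" streams to stdout so the
# key never touches disk with default permissions.
fetch_deploy_key() {
    aws s3 cp "s3://$SECRETS_BUCKET/$SECRET_OBJECT" - | install_deploy_key "$1"
}

# IdentitiesOnly stops ssh from offering any other key on the box; host keys
# are assumed to be pre-populated, so host-key verification stays strict.
clone_with_key() {
    key=$1; url=$2; dir=$3
    GIT_SSH_COMMAND="ssh -i $key -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes" \
        git clone --depth 1 "$url" "$dir"
}

main() {
    key=$(fetch_deploy_key /root/.ssh/deploy_key)
    clone_with_key "$key" "$REPO_URL" "$CHECKOUT_DIR"
    # The key is only needed for the checkout; do not leave it on the instance.
    shred -u "$key" 2>/dev/null || rm -f "$key"
}

# Only run the network parts when explicitly asked (e.g. RUN_BOOTSTRAP=1 from UserData).
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then main; fi
```

The role policy above only needs s3:GetObject on that one prefix for this to work. The same least-privilege idea applies on the bucket side: no public ACL, and a bucket policy that restricts reads to the role, so that a misconfigured ACL elsewhere cannot expose the key.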
If you need the SSH key for an OpsWorks cookbooks repository or for application deployment, the S3 bucket approach does not work.
Another solution is to add a parameter of type CommaDelimitedList for the SSH key, with the newlines replaced by commas, and then use Fn::Join to put the lines of the key back together where it is needed.
Example CloudFormation template:
```json
{
  "Parameters": {
    "CookbooksDeployKey": {
      "Type": "CommaDelimitedList",
      "Description": "Enter the deploy key as CSV (replace newlines with commas)",
      "NoEcho": true
    }
  },
  "Resources": {
    "myStack": {
      "Type": "AWS::OpsWorks::Stack",
      "Properties": {
        "CustomCookbooksSource": {
          "Type": "git",
          "Url": "[email protected]:user/repository.git",
          "Revision": "master",
          "SshKey": {"Fn::Join": ["\n", {"Ref": "CookbooksDeployKey"}]}
        }
      }
    }
  }
}
```
To generate the single-line "CSV" version of the private key file, you can use the following sed command (it simply replaces every newline in the file with a comma and writes the result to stdout):
sed ':a;N;$!ba;s/\n/,/g' /home/user/.ssh/id_rsa
The result looks like this:
```text
-----BEGIN RSA PRIVATE KEY-----,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,-----END RSA PRIVATE KEY-----
```
You can then paste this value into the parameter when creating or updating the stack in CloudFormation.
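As an added example, not part of the answer above: a small script that produces the CommaDelimitedList value and checks, before you paste it anywhere, that joining it back with "\n" (what the Fn::Join in the template does) reproduces the original key byte for byte. It uses `paste -sd,` instead of the GNU-specific sed one-liner so it also runs on BSD/macOS, and refuses a key that already contains a comma, since such a key could not be split back unambiguously. The key file path is the only input; a sample key used in the comments is constructed, not real.

```shell
#!/bin/sh
# Added example (not from the answer): encode a private key for a
# CommaDelimitedList parameter and verify the Fn::Join round trip.
set -eu

# Key file -> one-line CSV, the form the CookbooksDeployKey parameter takes.
# `paste -sd,` is POSIX and produces the same output as the sed command above.
key_to_csv() {
    # A comma inside the key would be indistinguishable from a line break
    # after splitting, so refuse to encode it (PEM/base64 never contains one).
    if grep -q ',' "$1"; then
        echo "key contains a comma; cannot encode as CommaDelimitedList" >&2
        return 1
    fi
    paste -sd, "$1"
}

# CSV -> key text, the way {"Fn::Join": ["\n", {"Ref": ...}]} reassembles it.
# Fn::Join itself adds no trailing newline; printf '%s\n' restores the one a
# key file written by ssh-keygen ends with.
csv_to_key() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# Round-trip check: the reassembled key must be byte-identical to the file.
# Returns 0 on success, 1 on any mismatch (including an unencodable key).
roundtrip_ok() {
    tmp=$(mktemp)
    csv_to_key "$(key_to_csv "$1")" > "$tmp"
    if cmp -s "$1" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage: sh csvkey.sh ~/.ssh/deploy_key   -> prints the parameter value
# (constructed sample input: a 4-line PEM file encodes to
#  "-----BEGIN RSA PRIVATE KEY-----,<line>,<line>,-----END RSA PRIVATE KEY-----")
if [ $# -eq 1 ]; then
    roundtrip_ok "$1" || { echo "round trip failed; not emitting the key" >&2; exit 1; }
    key_to_csv "$1"
fi
```

Keep in mind that NoEcho only masks the value in console output and API responses; the key still becomes part of the stack's parameters, so anyone who can update the stack can supply their own, and the deploy key should be one with read-only access to that single repository.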