Anyone experienced with `@aws-cdk/aws-secretsmanag...
# helpj
Jett Robin Andres
12/24/2021, 2:27 AMAnyone experienced with
@aws-cdk/aws-secretsmanager Copy code
import { Secret } from '@aws-cdk/aws-secretsmanager'
const dbCredentials = new Secret(this, 'DBCredentialsSecret', {
secretName: 'my-db-credentials',
generateSecretString: {
secretStringTemplate: JSON.stringify({
username,
}),
excludePunctuation: true,
includeSpace: false,
generateStringKey: 'password',
},
}) Copy code
dbCredentials.secretValueFromJson('password').toString()
ECSecret.fromSecretsManager(passwordSecret, 'password') Copy code
{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:732453962214:secret:my-db-credentials-c3Qjjv:SecretString:password::}}Jett Robin Andres
12/24/2021, 2:30 AMI need this exact value specified in here
f
Frank
12/24/2021, 4:29 AM
Hey @Jett Robin Andres, where r u printing out this gibberish value, inside the CDK code?
j
Jett Robin Andres
12/24/2021, 6:30 AMit’s inside my stack @Frank. right after I instantiate my rds and assign my credentials to it
I output it with this
Copy code
new CfnOutput(this, 'Secret Password', {
value: dbCredentials.secretValueFromJson('password').toString(),
})f
Frank
12/24/2021, 7:01 AM
is the stack output showing
{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:732453962214:secret:my-db-credentials-c3Qjjv:SecretString:password::}}j
Jett Robin Andres
12/24/2021, 10:02 AMIt’s displayed on the stack output @Frank (1st pic). Using
console.logj
Joe Kendal
12/24/2021, 8:36 PMHi I have an example I did where I got it working.
https://github.com/joekendal/aws-keystone/blob/06b5833605ee0f68dd2ecf761041ae4e668e5d68/src/compute.ts#L61
Joe Kendal
12/24/2021, 8:37 PM// Session secret
const secret = new Secret(this, 'SessionSecret', {
secretName: 'KeystoneSession',
generateSecretString: {
// change as appropriate...
passwordLength: 32,
},
});
// Task definition
const taskImage: ecs_patterns.ApplicationLoadBalancedTaskImageOptions = {
image: ecs.ContainerImage.fromDockerImageAsset(asset),
// port specified by keystone in Dockerfile
containerPort: 3000,
secrets: {
// required by keystone
SESSION_SECRET: ecs.Secret.fromSecretsManager(secret),
},
environment: {
// pass in aurora connection url
DATABASE_URL: props.dbUrl,
},
}
Joe Kendal
12/24/2021, 8:41 PMJoe Kendal
12/24/2021, 8:42 PM// generate password
const creds = rds.Credentials.fromGeneratedSecret('keystone');
// create aurora cluster
this.cluster = new rds.ServerlessCluster(this, 'KeystoneDatabase', {
engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
parameterGroup: rds.ParameterGroup.fromParameterGroupName(this, 'ParameterGroup', 'default.aurora-postgresql10'),
vpc: props.vpc,
scaling: props.scaling ?? {
autoPause: cdk.Duration.minutes(10),
},
credentials: creds,
subnetGroup: props.subnet,
defaultDatabaseName: props.name,
securityGroups: [props.sg],
});
// set db values
this.username = creds.username
this.password = this.cluster.secret!.secretValueFromJson('password').toString()
this.hostname = this.cluster.clusterEndpoint.hostname
this.port = 5432
}
// construct the postgresql connection url
public getUrl() {
return cdk.Fn.join('', [
'<postgres://'|postgres://'>, this.username, ':', this.password,
'@', this.hostname, ':', this.port.toString(),
'/', this.name, '?connect_timeout=300'
])
}
Joe Kendal
12/24/2021, 8:42 PMLook at the repo if it's not clear how I managed to do it
j
Jett Robin Andres
12/24/2021, 11:33 PMwow, thanks for the help @Joe Kendal! will check this out!
Jett Robin Andres
12/25/2021, 12:05 AMI finally got it to work! It seems like it will always output the gibberish value but I used the ff syntax for my formatted postgres url:
Copy code
dbCredentials.secretValueFromJson('password').toString()j
Joe Kendal
12/25/2021, 5:34 AMI think there may be two methods with secretsmanager in cdk. 1 to output the cfn token, 1 to actually retrieve the plaintext during synth.
Joe Kendal
12/25/2021, 5:35 AM🎄