将AWS Secrets Manager与Python结合使用(Lambda控制台)
我正在尝试在AWS中使用Secrets Manager的Lambda函数.管理员的秘密用于将数据库凭据存储到Snowflake(用户名,密码).
I am attempting to use Secrets Manager a Lambda function in AWS. Secrets a manager is used to store database credentials to Snowflake (username, password).
我设法在Secrets Manager中设置了一个秘密,其中包含几个键/值对(例如,一个用于用户名,另一个用于密码).
I managed to set up a secret in Secrets Manager which contains several key/value pairs (e.g. one for username, another for password).
现在,我试图在我的Python函数代码中引用这些值. AWS文档请提供以下代码段:
Now I am trying to refer to these values in my Python function code. AWS documentation kindly provides the following snippet:
import boto3
import base64
from botocore.exceptions import ClientError
def get_secret():
secret_name = "MY/SECRET/NAME"
region_name = "us-west-2"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name=region_name
)
# In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
# See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
# We rethrow the exception by default.
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
except ClientError as e:
if e.response['Error']['Code'] == 'DecryptionFailureException':
# Secrets Manager can't decrypt the protected secret text using the provided KMS key.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InternalServiceErrorException':
# An error occurred on the server side.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidParameterException':
# You provided an invalid value for a parameter.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'InvalidRequestException':
# You provided a parameter value that is not valid for the current state of the resource.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
elif e.response['Error']['Code'] == 'ResourceNotFoundException':
# We can't find the resource that you asked for.
# Deal with the exception here, and/or rethrow at your discretion.
raise e
else:
# Decrypts secret using the associated KMS CMK.
# Depending on whether the secret is a string or binary, one of these fields will be populated.
if 'SecretString' in get_secret_value_response:
secret = get_secret_value_response['SecretString']
else:
decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])
# Your code goes here.
稍后,在我的def lambda_handler(event, context)函数中,我具有以下代码段可建立与数据库的连接:
Later in my def lambda_handler(event, context) function, I have the following snippet to establish a connection to my database:
conn = snowflake.connector.connect(
user=USERNAME,
password=PASSWORD,
account=ACCOUNT,
warehouse=WAREHOUSE,
role=ROLE
)
但是,我无法弄清楚如何使用get_secret()函数返回诸如USERNAME或PASSWORD之类的参数的值.
However, I am unable to figure out how to use the get_secret() function to return values for parameters like USERNAME or PASSWORD.
如何实现?谢谢您的帮助!
How can this be accomplished? Thank you for the help!
将get_secret()的最后一部分更新为:
update the last part of get_secret() to:
else:
# Decrypts secret using the associated KMS CMK.
# Depending on whether the secret is a string or binary, one of these fields will be populated.
if 'SecretString' in get_secret_value_response:
secret = get_secret_value_response['SecretString']
else:
secret = base64.b64decode(get_secret_value_response['SecretBinary'])
return json.loads(secret) # returns the secret as dictionary
这将返回一个字典,您将在其中拥有在AWS Secret Manager控制台中指定的键.
This will return a dictionary where you'll have the keys you specified in AWS Secret Manager console.