I would like to use AWS Secrets Manager to log in to Postgres without having the username and password in plain text. I am not sure whether this is possible; if it is not, please forgive me. Currently this is what I use to log in to Postgres with psycopg2:
import psycopg2
conn = psycopg2.connect(host="hostname", port='5432', database="db", user="admin", password="12345")
I have already stored the username and password in Secrets Manager but do not know how to use them here. Please help.
You should use the following procedure:
Below is the sample Python script provided by Amazon:
import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():
    secret_name = "<<{{MySecretName}}>>"
    region_name = "<<{{MyRegionName}}>>"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.
    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'DecryptionFailureException':
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InternalServiceErrorException':
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'ResourceNotFoundException':
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
    else:
        # Decrypts secret using the associated KMS CMK.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary'])

    # Your code goes here.
You can store the credentials (username/password) in Secrets Manager using the console. You can store them as key-value pairs, for example -
{ "username": "admin", "password": "12345" }
To use them in a Python script, you can do the following -
import json
import boto3
import psycopg2

secret_name = "<secret_name>"   # name of the secret created in the console
region_name = "<region_name>"   # region the secret is stored in

session = boto3.session.Session()
client = session.client(
    service_name='secretsmanager',
    region_name=region_name  # the boto3 parameter is region_name, not region
)
secret = client.get_secret_value(
    SecretId=secret_name
)
secret_dict = json.loads(secret['SecretString'])
username = secret_dict['username']
passw = secret_dict['password']
conn = psycopg2.connect(host="hostname", port='5432', database="db", user=username, password=passw)
Note that this is a simplified example without error handling. You also need to fill in the right region in place of <region_name> in the example.
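As an added example (not code from the answer above or from AWS), the following maps a GetSecretValue response onto psycopg2.connect arguments: it reads host, port and dbname from the secret when present (the key names Secrets Manager uses for RDS secrets) and otherwise uses the caller's defaults, reports missing keys without echoing secret values, and masks the password before anything is logged. The Secrets Manager call and psycopg2.connect are passed in as callables so the logic runs offline; sslmode="require" and the sample response are assumptions of this example.

```python
import json
from typing import Any, Callable, Dict

# Secrets Manager's RDS-style secret uses these key names; the question's
# secret holds only username and password, so only those are mandatory.
REQUIRED_KEYS = ("username", "password")


def build_connect_kwargs(response: Dict[str, Any], *, default_host: str,
                         default_port: int, default_db: str,
                         sslmode: str = "require") -> Dict[str, Any]:
    """Map a GetSecretValue response onto psycopg2.connect keyword arguments.

    host/port/dbname are taken from the secret when present and otherwise
    fall back to the caller's defaults; sslmode is an added hardening default.
    """
    if "SecretString" not in response:
        # A binary secret cannot be JSON credentials; refuse rather than guess.
        raise ValueError("secret is binary, expected a JSON SecretString")
    data = json.loads(response["SecretString"])
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        # Name the absent keys without echoing any value from the secret.
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    return {"host": data.get("host", default_host),
            "port": int(data.get("port", default_port)),
            "database": data.get("dbname", default_db),
            "user": data["username"],
            "password": data["password"],
            "sslmode": sslmode}


def redact(kwargs: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the connect kwargs that is safe to log: the password is masked."""
    return {k: ("***" if k == "password" else v) for k, v in kwargs.items()}


def connect_with_secret(fetch: Callable[[str], Dict[str, Any]], secret_name: str,
                        connect: Callable[..., Any], **defaults: Any) -> Any:
    """fetch wraps client.get_secret_value (lambda n: client.get_secret_value(SecretId=n));
    connect is psycopg2.connect. Both are injected so the logic can be tested offline."""
    kwargs = build_connect_kwargs(fetch(secret_name), **defaults)
    print("connecting with", redact(kwargs))  # never print or log the real kwargs
    return connect(**kwargs)


# Constructed sample, shaped like boto3's GetSecretValue response (not real credentials).
SAMPLE_RESPONSE = {"Name": "example/postgres", "SecretString": json.dumps(
    {"username": "admin", "password": "12345", "host": "db.example.internal",
     "port": "5432"})}
```

With a real client, call connect_with_secret(lambda n: client.get_secret_value(SecretId=n), secret_name, psycopg2.connect, default_host="hostname", default_port=5432, default_db="db").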
The secret values need to be retrieved from Secrets Manager before they are used in the connection.
AWS provides reference code for retrieving secrets from Secrets Manager using Python here.