问题描述
目前我正在使用 Terraform 和 Aws Secrets Manager 来存储和检索机密,我想了解一下我的实施是否安全,如果不安全,我该如何使其更安全.让我用我的尝试来说明.
Currently I am using Terraform and Aws Secrets Manager to store and retrieve secrets, and I would like to have some insight if my implementation is secure, and if not how can I make it more secure. Let me illustrate with what I have tried.
在 secrets.tf
我创建了一个类似的秘密(这需要通过定位来实现):
In secrets.tf
I create a secret like (this needs to be implemented with targeting):
resource "aws_secretsmanager_secret" "secrets_of_life" {
name = "top-secret"
}
然后我转到控制台并在 AWS Secrets manager 中手动设置密钥.
I then go to the console and manually set the secret in AWS Secrets manager.
然后我检索 secrets.tf
中的秘密,例如:
I then retrieve the secrets in secrets.tf
like:
data "aws_secretsmanager_secret_version" "secrets_of_life_version" {
secret_id = aws_secretsmanager_secret.secrets_of_life.id
}
locals {
creds = jsondecode(data.aws_secretsmanager_secret_version.secrets_of_life.secret_string)
}
然后我继续使用秘密(例如将它们导出为 K8s 秘密),例如:
And then I proceed to use the secret (export them as K8s secrets for example) like:
resource "kubernetes_secret" "secret_credentials" {
metadata {
name = "kubernetes_secret"
namespace = kubernetes_namespace.some_namespace.id
}
data = {
top_secret = local.creds["SECRET_OF_LIFE"]
}
type = "kubernetes.io/generic"
}
值得一提的是,我远程存储了 tf state
.我的实施安全吗?如果没有,我怎样才能使它更安全?
It's worth mentioning that I store tf state
remotely. Is my implementation secure? If not, how can I make it more secure?
推荐答案
是的,我可以确认它是安全的,因为您完成了以下操作:
yes I can confirm it is secure since you accomplished the following:
- 您的代码中的纯文本秘密.
- 您的机密存储在一个专用的机密存储中,该存储执行加密和严格的访问控制.
- 一切都在代码本身中定义.不需要额外的手动步骤或包装脚本.
- 秘密经理支持轮换秘密,这在秘密被泄露时很有用.
我唯一想知道的是使用支持像 s3 这样的加密的 Terraform 后端,并避免将状态文件添加到源代码管理中.
The only thing I can wonder about is using a Terraform backend that supports encryption like s3, and avoid commet the state file to your source control.
这篇关于如何确保我的机密检索是安全的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!