Question
I have a Java application using MongoDB (or it could be any service like that). On start up, the app creates a singleton connection to the database. To connect, I get the MongoDB credentials from AWS Secrets Manager... and thus the application runs merrily ever after communicating with MongoDB.
My question is: What happens when AWS Secrets Manager rotates keys?
- How does my app know that "the secret has been rotated"?
- Do I have to synchronize timing between Secrets Manager and my app?
e.g. rotation is set to 7 days. So I code my app to refresh every 7 days... not good, as it is very hard to time precisely.
Another way could be: if my app faces an authentication exception, just refresh the password, make a new connection and retry the app logic.
What is the industry standard?
Recommended answer
This is generally dealt with using one of two strategies, or in Secrets Manager speak, by using single user rotation or multi user rotation. Secrets Manager provides Lambda implementations for both single and multi user rotation of MongoDB.
In single user rotation there is one DB user/password pair. During rotation the password is updated either using the original user/password or by fetching the master user creds and using those to update the password. In this case any connections established using the old creds would fail after rotation. To deal with this, the application would use a connection manager that detects an authentication error (or all errors, if necessary) and refreshes the secret before retrying. This is the strategy used by the Secrets Manager-provided JDBC wrapper.
The other alternative (multi user rotation) is to read the user name from the original secret, and then, on the first rotation, create a clone of that user with a new password using the master user secret. After that, rotation consists of alternating the secret user/password pair between the original and the clone and updating the password. In this case the application only needs to refresh the secret once in the rotation interval. If it is using the old user/password pair, it will remain valid for two rotation intervals.
If you are using MongoDB on AWS (as opposed to DocumentDB with Mongo compatibility), the easiest thing to do is spin up a temporary DocumentDB and use the Secrets Manager console to set up rotation on that. Then copy the Lambdas, roles and policies, and secrets used there for your Mongo application before tearing down the DocumentDB instance. If you are already using DocumentDB then, as mentioned, just use the Secrets Manager console to set it up.
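The connection manager the answer describes, as an added example that is not part of the question or the answer and not AWS's JDBC wrapper: it caches one connection, re-reads the secret and reconnects when an authentication error surfaces (single user rotation), and also re-reads it once the cached secret is older than a configured age (the once-per-interval refresh that multi user rotation allows). `FakeSecretsManager`, `FakeDatabase`, `FakeConnection` and the sample credentials are constructed stand-ins so the code runs offline; in a real deployment `fetch_secret` would be `boto3.client("secretsmanager").get_secret_value(SecretId=...)["SecretString"]` and `connect` would build a `pymongo.MongoClient`.

```python
import json
import time
from typing import Callable


class AuthenticationError(Exception):
    """Raised by the fake database when credentials are rejected."""


class FakeSecretsManager:
    """Stand-in for AWS Secrets Manager, constructed for this demo.
    The secret is the usual JSON document with "username" and "password"."""

    def __init__(self, username: str, password: str) -> None:
        self._secret = {"username": username, "password": password}

    def get_secret_value(self) -> str:
        return json.dumps(self._secret)

    def rotate(self, new_password: str) -> None:
        # Single user rotation: same user, new password.
        self._secret["password"] = new_password


class FakeConnection:
    """Stand-in for a MongoClient session. As the answer states, a session
    opened with the old password stops working once the secret is rotated."""

    def __init__(self, username: str, password: str, sm: FakeSecretsManager) -> None:
        self.username, self.password, self._sm = username, password, sm

    def run(self, operation: str) -> str:
        current = json.loads(self._sm.get_secret_value())
        if self.password != current["password"]:
            raise AuthenticationError("credentials were rotated away")
        return f"{operation} ok as {self.username}"


class FakeDatabase:
    """Stand-in for the MongoDB server: only the current secret authenticates."""

    def __init__(self, sm: FakeSecretsManager) -> None:
        self._sm = sm

    def connect(self, username: str, password: str) -> FakeConnection:
        current = json.loads(self._sm.get_secret_value())
        if (username, password) != (current["username"], current["password"]):
            raise AuthenticationError("authentication failed")
        return FakeConnection(username, password, self._sm)


class ConnectionManager:
    """Caches one connection. Refreshes the secret and reconnects when an auth
    error surfaces, or when the cached secret is older than max_age_seconds."""

    def __init__(self, fetch_secret: Callable[[], str],
                 connect: Callable[[str, str], FakeConnection],
                 max_age_seconds: float) -> None:
        self._fetch_secret = fetch_secret
        self._connect = connect
        self._max_age = max_age_seconds
        self._conn = None
        self._fetched_at = 0.0
        self.refreshes = 0  # exposed so callers can observe how often we re-read the secret

    def _refresh(self) -> None:
        secret = json.loads(self._fetch_secret())
        self._conn = self._connect(secret["username"], secret["password"])
        self._fetched_at = time.monotonic()
        self.refreshes += 1

    def execute(self, operation: str) -> str:
        if self._conn is None or time.monotonic() - self._fetched_at > self._max_age:
            self._refresh()
        try:
            return self._conn.run(operation)
        except AuthenticationError:
            # The secret was rotated underneath us: fetch the new value, reconnect,
            # and retry exactly once so a genuinely bad secret still fails loudly.
            self._refresh()
            return self._conn.run(operation)


def demo() -> dict:
    """Runs the rotation scenario end to end and returns what happened."""
    sm = FakeSecretsManager("appuser", "password-v1")  # constructed sample credentials
    db = FakeDatabase(sm)
    mgr = ConnectionManager(sm.get_secret_value, db.connect, max_age_seconds=3600)
    before = mgr.execute("find")
    sm.rotate("password-v2")       # Secrets Manager rotates the secret
    after = mgr.execute("find")    # fails once, refreshes, then succeeds
    return {"before": before, "after": after, "refreshes": mgr.refreshes}


if __name__ == "__main__":
    print(demo())
```

With PyMongo the authentication failure to catch is `pymongo.errors.OperationFailure` with `code == 18` (AuthenticationFailed); catching every error, as the answer allows, also works but will re-read the secret on unrelated outages. Retrying only once, and only for operations that are safe to repeat, keeps a misconfigured secret from turning into a tight loop against Secrets Manager and the database.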