Using Secret Manager to hold cloudfront public key

-1

Hi, I was trying to use the CDK to initialize my cloudfront distribution. I wanted to move away from hard coding secrets in my CDK file and my cloudfront lambda, so I thought it'd be best to put both the public key and private key into the AWS secret manager, and then read them out from there. Here is how I am trying to set up the cloudfront distribution.

    from aws_cdk import aws_cloudfront as cloudfront
    from aws_cdk import aws_secretsmanager as sm

    # Inside the Stack's __init__: reference the existing secret by its full ARN
    cf_public_key = sm.Secret.from_secret_complete_arn(self, "CFPublicKey", "arn:aws:secretsmanager:us-west-2:<ARN>")
    # Resolve the "CFPublicKey" field of the secret's JSON to a plain string at synth time
    cf_public_key_value = cf_public_key.secret_value_from_json("CFPublicKey").unsafe_unwrap()
    pub_key = cloudfront.PublicKey(self, "PubKey", encoded_key=cf_public_key_value)
    key_group = cloudfront.KeyGroup(self, "KeyGroup", items=[pub_key])

This fails during deployment... Should I put the public key in SSM Parameter Store instead, and keep the private key in Secrets Manager? Thx

  • What’s the error you are receiving?

  • Here was the error:

    11:17:16 PM | UPDATE_FAILED | AWS::CloudFront::PublicKey | PubKeyB78B0EBC Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey" (RequestToken: 1f556dd6-614f-f8c3-43c2-5c86ae9db53a, HandlerErrorCode: InvalidRequest)

2 answers
0

Hi, this blog post gives you all detailed information about what you want to achieve and how to implement it: https://aws.amazon.com/blogs/networking-and-content-delivery/securing-and-accessing-secrets-from-lambdaedge-using-aws-secrets-manager/

AWS
Expert
Answered 10 months ago
0

I think my issue may revolve around how to properly store the key in Secrets Manager... Initially, I had the public key hardcoded in a Python string and it was of the form:

public_key="-----BEGIN PUBLIC KEY----- \n...\n...\n...\n...\n...\n ...\n...\n-----END PUBLIC KEY-----"

where I had to insert \n newlines at the end of every line as I copied it from the .pem file. The hardcoded string works with the CDK. I tried placing this exact format in Secrets Manager and it didn't work (with the above error)... I also tried this format with SSM Parameter Store, and it did not work... With SSM Parameter Store, I was able to go back and paste the key in as a multiline string (where the breaks are seen at the end of each line)... If I try to do this in Secrets Manager, the line breaks are converted to spaces, and the key is no longer valid. I believe when I removed the spaces, the key also does not work.

rrrpdx
Answered 10 months ago
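The two failure modes described in this thread (line breaks in the PEM turned into spaces, or a Python-style `\n` escape pasted literally into a secret field) are easy to check for before the value ever reaches `cloudfront.PublicKey`. The stdlib-only Python below is an added example written for this page, not code from the thread, from AWS or from the CDK: `normalize_pem()` rebuilds a canonical PEM block from any of those mangled forms and rejects anything that is not base64-wrapped DER, and `secret_payload()` shows the JSON shape that `secret_value_from_json("CFPublicKey")` expects, with `json.dumps` doing the newline escaping so nothing has to be hand-typed. The key bytes in `_DER_SAMPLE` are constructed filler, not a real public key, and all function names are my own.

```python
import base64
import binascii
import json
import re

PEM_HEADER = "-----BEGIN PUBLIC KEY-----"
PEM_FOOTER = "-----END PUBLIC KEY-----"

# Constructed sample "key" (NOT a real key): a DER SEQUENCE (tag 0x30, length 100)
# wrapping 100 arbitrary bytes, long enough that the base64 body wraps over
# several 64-column lines like a real PEM file does.
_DER_SAMPLE = b"\x30\x64" + bytes(range(100))
_B64_SAMPLE = base64.b64encode(_DER_SAMPLE).decode("ascii")
CANONICAL_PEM = "\n".join(
    [PEM_HEADER]
    + [_B64_SAMPLE[i:i + 64] for i in range(0, len(_B64_SAMPLE), 64)]
    + [PEM_FOOTER]
) + "\n"


def normalize_pem(raw: str) -> str:
    """Rebuild a canonical PEM block from text whose line breaks were mangled.

    Accepts real newlines, literal backslash-n sequences (a Python string
    literal pasted into a console field) and line breaks that were replaced
    by spaces. Raises ValueError if the body is not base64-encoded DER.
    """
    text = raw.replace("\\n", "\n")
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER)
    if start < 0 or end < 0 or end < start:
        raise ValueError("missing PEM header or footer")
    # Whatever sits between header and footer is the base64 body; drop every
    # kind of whitespace (newlines, CRs, spaces) before validating it.
    body = re.sub(r"\s+", "", text[start + len(PEM_HEADER):end])
    if not body:
        raise ValueError("empty PEM body")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    # A SubjectPublicKeyInfo is a DER SEQUENCE; its first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_valid_pem(raw: str) -> bool:
    """True if normalize_pem() accepts the text, False otherwise."""
    try:
        normalize_pem(raw)
        return True
    except ValueError:
        return False


def pem_to_der(pem: str) -> bytes:
    """Decode a canonical PEM (as produced by normalize_pem) back to DER bytes."""
    lines = pem.strip().splitlines()
    return base64.b64decode("".join(lines[1:-1]))


def secret_payload(field_name: str, pem: str) -> str:
    """Serialise the PEM as one JSON field, the shape secret_value_from_json() reads.

    json.dumps escapes each newline inside the JSON string, so the stored
    secret keeps the line structure and resolves back to multi-line text.
    """
    return json.dumps({field_name: normalize_pem(pem)})


def load_secret_field(payload: str, field_name: str) -> str:
    """Mirror of what the CDK does with the stored JSON: read one field as text."""
    return json.loads(payload)[field_name]


def sample_inputs() -> dict:
    """Constructed variants of the same key, matching the forms seen in the thread."""
    return {
        "canonical": CANONICAL_PEM,
        # Newlines escaped as in a Python string literal pasted into a form field.
        "escaped": CANONICAL_PEM.replace("\n", "\\n"),
        # Newlines turned into spaces, as the secret console did in the thread.
        "spaces": CANONICAL_PEM.replace("\n", " "),
        # Trailing space after the header, as in the hard-coded string above.
        "trailing_space": CANONICAL_PEM.replace(PEM_HEADER + "\n", PEM_HEADER + " \n"),
    }


if __name__ == "__main__":
    for name, variant in sample_inputs().items():
        print(f"{name:15s} -> canonical: {normalize_pem(variant) == CANONICAL_PEM}")
    print(secret_payload("CFPublicKey", sample_inputs()["spaces"]))
```

Running the normaliser over the value pulled from the secret (or over the file before it is uploaded) gives a precise error instead of CloudFormation's generic `Invalid request provided`, and the `secret_payload()` output can be stored as the secret's raw JSON so the `\n` escapes are produced by the serialiser rather than typed by hand.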
