AWS Secrets Manager
When using AWS Secrets Manager as a backend, you can share configuration with all applications by placing configuration in /application/ or by placing it in the default profile for the application. For example, if you add secrets with the following keys, all applications using the config server will have the properties shared.foo and shared.bar available to them:
secret name = /secret/application-default/
secret value =
{
  "shared.foo": "foo",
  "shared.bar": "bar"
}

or

secret name = /secret/application/
secret value =
{
  "shared.foo": "foo",
  "shared.bar": "bar"
}
Labelled Versions
The AWS Secrets Manager repository allows keeping labelled versions of the configuration environments in the same way the Git backend does.
The repository implementation maps the {label} parameter of the HTTP resource to an AWS Secrets Manager secret's staging label. To create a labelled secret, create a secret or update its content and define a staging label for it (sometimes called a version stage in the AWS documentation). For example:
$ aws secretsmanager create-secret \
    --name /secret/test/ \
    --secret-string '{"version":"1"}'
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
  "Name": "/secret/test/",
  "VersionId": "cd291674-de2f-41de-8f3b-37dbf4880d69"
}

$ aws secretsmanager update-secret-version-stage \
    --secret-id /secret/test/ \
    --version-stage 1.0.0 \
    --move-to-version-id cd291674-de2f-41de-8f3b-37dbf4880d69
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:/secret/test/-a1b2c3",
  "Name": "/secret/test/"
}
Use the spring.cloud.config.server.aws-secretsmanager.default-label property to set the default label. If the property is not defined, the backend uses AWSCURRENT as the staging label.
spring:
  profiles:
    active: aws-secretsmanager
  cloud:
    config:
      server:
        aws-secretsmanager:
          region: us-east-1
          default-label: 1.0.0
Note that if the default label is not set and a request does not define a label, the repository uses the secrets as if labelled version support were disabled. Also, the default label is used only if labelled version support is enabled; otherwise, defining this property has no effect.
Note that if the staging label contains a slash (/), then the label in the HTTP URL should instead be specified with the special string ({special-string}) (to avoid ambiguity with other URL paths), in the same way the Git backend section (_git_backend) describes it.
Use the spring.cloud.config.server.aws-secretsmanager.ignore-label property to ignore both the {label} parameter of the HTTP resource and the spring.cloud.config.server.aws-secretsmanager.default-label property. The repository will then use the secrets as if labelled version support were disabled.
spring:
  profiles:
    active: aws-secretsmanager
  cloud:
    config:
      server:
        aws-secretsmanager:
          region: us-east-1
          ignore-label: true
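The following Python model ties together the two behaviours described above: which secret names are consulted for an application (the shared /application/ and /application-default/ secrets plus the application's own), and how the HTTP {label} parameter is mapped to a staging label under the default-label and ignore-label settings. It is an added illustration written for this page, not Spring Cloud Config's own code: the Secrets Manager API is replaced by an in-memory dictionary, the function names are made up, and the precedence order of secret names is an assumption modelled on the usual Spring Cloud Config conventions.

```python
"""Toy model of a config server resolving secrets from AWS Secrets Manager.

Added illustration, not Spring Cloud Config's implementation. The secret
store, function names, and lookup precedence are assumptions.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SecretVersion:
    version_id: str
    stages: frozenset  # staging labels attached to this version
    secret_string: str


# Constructed stand-in for the contents of a Secrets Manager account.
SECRETS = {
    "/secret/application/": (
        SecretVersion("app-v1", frozenset({"AWSCURRENT"}),
                      json.dumps({"shared.foo": "foo", "shared.bar": "bar"})),
    ),
    "/secret/test/": (
        # Older version, promoted to staging label 1.0.0 as in the CLI example.
        SecretVersion("cd291674-de2f-41de-8f3b-37dbf4880d69",
                      frozenset({"1.0.0"}), '{"version":"1"}'),
        # Newer version, which Secrets Manager labels AWSCURRENT automatically.
        SecretVersion("test-v2", frozenset({"AWSCURRENT"}), '{"version":"2"}'),
    ),
}


def get_secret_value(name, version_stage):
    """Mimic GetSecretValue(SecretId=name, VersionStage=version_stage).

    Returns the parsed JSON properties, or None when the secret or the
    requested staging label does not exist (the real API raises
    ResourceNotFoundException in that case).
    """
    for version in SECRETS.get(name, ()):
        if version_stage in version.stages:
            return json.loads(version.secret_string)
    return None


def candidate_secret_names(application, profiles, prefix="/secret"):
    """Secret names to consult, most specific first.

    Assumed precedence: app-profile > app > application-profile > application.
    """
    names = []
    for profile in reversed(profiles):
        names.append(f"{prefix}/{application}-{profile}/")
    names.append(f"{prefix}/{application}/")
    for profile in reversed(profiles):
        names.append(f"{prefix}/application-{profile}/")
    names.append(f"{prefix}/application/")
    return names


def resolve_staging_label(request_label=None, default_label=None, ignore_label=False):
    """Map the HTTP {label} parameter to a staging label.

    ignore-label=true discards both the request label and default-label;
    otherwise the request label wins, then default-label, then AWSCURRENT
    (which behaves as if labelled version support were disabled).
    """
    if ignore_label:
        return "AWSCURRENT"
    return request_label or default_label or "AWSCURRENT"


def load_properties(application, profiles, request_label=None,
                    default_label=None, ignore_label=False):
    """Merge properties from every matching secret; more specific names win."""
    stage = resolve_staging_label(request_label, default_label, ignore_label)
    merged = {}
    # Apply the least specific secret first so later, more specific ones override.
    for name in reversed(candidate_secret_names(application, profiles)):
        props = get_secret_value(name, stage)
        if props is not None:
            merged.update(props)
    return merged


if __name__ == "__main__":
    print(load_properties("test", ["default"]))
    print(load_properties("test", ["default"], request_label="1.0.0"))
    print(load_properties("test", ["default"], request_label="1.0.0", ignore_label=True))
```

Running the model shows the practical consequence of labelled versions: a request for label 1.0.0 only picks up secrets that actually carry that staging label, so the shared /secret/application/ secret (which only has AWSCURRENT) drops out of the merged result, while ignore-label: true makes the same request behave exactly like an unlabelled one.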