托管和保护凭据
- 示例: DB 管理员创建凭据 MySecret,并指定版本 MyVersion1,将数据库连接信息交由 SSM 加密存储。未指定 KMS 密钥时,SSM 将自动创建一个默认密钥。
var (
secretName = "MySecret1"
version = "MyVersion1"
plainText = "user:password@tcp(127.0.0.1:3306)/test"
)
func ExampleCreateSecret() {
credential := common.NewCredential(
secretId,
secretKey,
)
cpf := profile.NewClientProfile()
cpf.HttpProfile.Endpoint = endpoint
client, _ := ssm.NewClient(credential, region, cpf)
request := ssm.NewCreateSecretRequest()
request.SecretName = &secretName
request.VersionId = &version
request.SecretString = &plainText
resp, err := client.CreateSecret(request)
if err != nil {
// error handler
}
fmt.Println(*resp.Response.SecretName)
// create ok
}
查看凭据元数据信息
示例1: 获取凭据列表和凭据元数据信息。
func ExampleListSecrets() { credential := common.NewCredential( secretId, secretKey, ) cpf := profile.NewClientProfile() cpf.HttpProfile.Endpoint = endpoint client, _ := ssm.NewClient(credential, region, cpf) request := ssm.NewListSecretsRequest() resp, err := client.ListSecrets(request) if err != nil { // error handler } fmt.Println(resp.Response.SecretMetadatas) // get secrets metadata // ... }示例2:根据名称获取凭据MySecret1的版本信息
var ( secretName = "MySecret1" ) func ExampleListSecretVersionIds() { credential := common.NewCredential( secretId, secretKey, ) cpf := profile.NewClientProfile() cpf.HttpProfile.Endpoint = endpoint client, _ := ssm.NewClient(credential, region, cpf) request := ssm.NewListSecretVersionIdsRequest() request.SecretName = &secretName resp, err := client.ListSecretVersionIds(request) if err != nil { // error handler } fmt.Println(resp.Response.Versions) // get version list // ... }
获取 SSM 存储的明文敏感数据
- 示例:服务调用方根据凭据名称 MySecret1 和指定版本 MyVersion1 获取 DB 连接明文信息。
var (
secretName = "MySecret1"
version = "MyVersion1"
)
func ExampleGetSecretValue() {
credential := common.NewCredential(
secretId,
secretKey,
)
cpf := profile.NewClientProfile()
cpf.HttpProfile.Endpoint = endpoint
client, _ := ssm.NewClient(credential, region, cpf)
request := ssm.NewGetSecretValueRequest()
request.VersionId = &version
request.SecretName = &secretName
resp, err := client.GetSecretValue(request)
if err != nil {
// error handler
}
fmt.Println(*resp.Response.SecretString)
// get plain text, connect db
// ...
}
更新凭据内容
- 示例:根据凭据名称 MySecret1 和指定版本 MyVersion1 更新 DB 连接明文信息。
var (
secretName = "MySecret1"
version = "MyVersion1"
newSecretValue = "user2:password2@tcp(127.0.0.1:3306)/test"
)
func ExamplePutSecretValue() {
credential := common.NewCredential(
secretId,
secretKey,
)
cpf := profile.NewClientProfile()
cpf.HttpProfile.Endpoint = endpoint
client, _ := ssm.NewClient(credential, region, cpf)
request := ssm.NewPutSecretValueRequest()
request.SecretName = &secretName
request.VersionId = &version
request.SecretString = &newSecretValue
resp, err := client.PutSecretValue(request)
if err != nil {
// error handler
}
fmt.Println(*resp.Response.SecretName)
// secret updated
// ...
}
禁用、删除和恢复凭据
示例1:禁用凭据,禁用后服务无法再获取此凭据存储的所有内容。
var ( secretName = "MySecret1" ) func ExampleDisableSecret() { credential := common.NewCredential( secretId, secretKey, ) cpf := profile.NewClientProfile() cpf.HttpProfile.Endpoint = endpoint client, _ := ssm.NewClient(credential, region, cpf) request := ssm.NewDisableSecretRequest() request.SecretName = &secretName resp, err := client.DisableSecret(request) if err != nil { // error handler } fmt.Println(*resp.Response.SecretName) // secret disabled // ... }示例2:删除凭据,可以设置计划删除时间,在计划删除时间前,可以恢复凭据。
说明:
只有禁用后的凭据才能删除。
func ExampleDeleteSecret() { credential := common.NewCredential( secretId, secretKey, ) cpf := profile.NewClientProfile() cpf.HttpProfile.Endpoint = endpoint client, _ := ssm.NewClient(credential, region, cpf) request := ssm.NewDeleteSecretRequest() request.SecretName = &secretName request.RecoveryWindowInDays = &recoverWindowsInDays resp, err := client.DeleteSecret(request) if err != nil { // error handler } fmt.Println(*resp.Response.DeleteTime) // secret deleted // ... }示例3:恢复凭据,处于计划删除状态的凭据可以重新恢复并启用。
func ExampleRestoreSecret() { credential := common.NewCredential( secretId, secretKey, ) cpf := profile.NewClientProfile() cpf.HttpProfile.Endpoint = endpoint client, _ := ssm.NewClient(credential, region, cpf) request := ssm.NewRestoreSecretRequest() request.SecretName = &secretName resp, err := client.RestoreSecret(request) if err != nil { // error handler } fmt.Println(*resp.Response.SecretName) // secret restored // ... }