JSON structure of AWS Secrets Manager secrets - AWS Secrets Manager

This is a machine translation of the English version. If the content contains any ambiguity or inconsistency, the English version prevails.


You can store any text or binary data in a Secrets Manager secret. To turn on automatic rotation for a Secrets Manager secret, the secret must be in the correct JSON structure. During rotation, Secrets Manager uses the information in the secret to connect to the credential source and update the credentials there. JSON key names are case-sensitive.

Note that when you use the console to store a database secret, Secrets Manager automatically creates the secret in the correct JSON structure.

You can add more key/value pairs to a secret, for example to include connection information for replica databases in other Regions in a database secret.

Amazon RDS Db2 secret structure

For Amazon RDS Db2 instances, because users can't change their own passwords, you must provide admin credentials in a separate secret.

{
  "engine": "db2",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS MariaDB secret structure

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "mariadb",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Secret structure for Amazon RDS and Amazon Aurora MySQL

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "mysql",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 3306>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS Oracle secret structure

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": <optional: TCP port number. If not specified, defaults to 1521>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "oracle",
  "host": "<required: instance host name/resolvable DNS name>",
  "username": "<required: username>",
  "password": "<required: password>",
  "dbname": "<required: database name>",
  "port": <optional: TCP port number. If not specified, defaults to 1521>,
  "masterarn": "<the ARN of the elevated secret>"
}

Secret structure for Amazon RDS and Amazon Aurora PostgreSQL

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": <TCP port number. If not specified, defaults to 5432>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "postgres",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'postgres'>",
  "port": <TCP port number. If not specified, defaults to 5432>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon RDS Microsoft SQL Server secret structure

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": <TCP port number. If not specified, defaults to 1433>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "sqlserver",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to 'master'>",
  "port": <TCP port number. If not specified, defaults to 1433>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon DocumentDB secret structure

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 27017>,
  "ssl": <true|false. If not specified, defaults to false>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "mongo",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 27017>,
  "masterarn": "<the ARN of the elevated secret>",
  "ssl": <true|false. If not specified, defaults to false>
}

Amazon Redshift secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 5439>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "port": <TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<the ARN of the elevated secret>"
}

Amazon Redshift Serverless secret structure

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "namespaceName": "<namespace name>",
  "port": <TCP port number. If not specified, defaults to 5439>
}

To use the Alternating users rotation strategy, include masterarn, the ARN of a secret that contains admin or superuser credentials.

{
  "engine": "redshift",
  "host": "<instance host name/resolvable DNS name>",
  "username": "<username>",
  "password": "<password>",
  "dbname": "<database name. If not specified, defaults to None>",
  "namespaceName": "<namespace name>",
  "port": <TCP port number. If not specified, defaults to 5439>,
  "masterarn": "<the ARN of the elevated secret>"
}
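As an added example (not code from the AWS documentation), the following Python checker applies the rules stated in the introduction and in the Alternating users notes above to a database secret before rotation is turned on: the documented keys must be present under exactly their case-sensitive names, the engine must be one of the documented values, "port" must be a JSON number when set, and the alternating-users strategy requires a masterarn that is an ARN. The DEFAULT_PORT table is built from the defaults listed on this page; the sample secrets are constructed placeholders.

```python
import json

# Engines and default ports as listed on this page (table constructed for this example).
DEFAULT_PORT = {"db2": 3306, "mariadb": 3306, "mysql": 3306, "oracle": 1521,
                "postgres": 5432, "sqlserver": 1433, "mongo": 27017, "redshift": 5439}
REQUIRED = ("engine", "host", "username", "password")


def check_db_secret(secret_string, alternating_users=False):
    """Return problems in a database secret's SecretString ([] if usable): documented
    key names (case-sensitive), a documented engine, numeric "port", and "masterarn"
    (an ARN) when the alternating-users rotation strategy is used."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"SecretString is not valid JSON: {exc.msg}"]
    if not isinstance(secret, dict):
        return ["SecretString must be a JSON object"]
    problems = []
    by_lowercase = {k.lower(): k for k in secret}  # catches "Host", "MasterArn", ...
    needed = REQUIRED + (("masterarn",) if alternating_users else ())
    for key in needed:
        if key in secret:
            continue
        if key in by_lowercase:
            problems.append(f"key {by_lowercase[key]!r} has wrong case; expected {key!r}")
        else:
            problems.append(f"missing required key {key!r}")
    engine = secret.get("engine")
    if engine is not None and engine not in DEFAULT_PORT:
        problems.append(f"unknown engine {engine!r}")
    port = secret.get("port")
    if port is not None and (isinstance(port, bool) or not isinstance(port, int)):
        problems.append("port must be a JSON number, not a string")
    master = secret.get("masterarn")
    if master is not None and not (isinstance(master, str) and master.startswith("arn:")):
        problems.append("masterarn must be the ARN of the admin secret")
    return problems


def resolve_port(secret_string):
    """Port rotation will connect to: the "port" key if set, else the engine default."""
    secret = json.loads(secret_string)
    return secret.get("port", DEFAULT_PORT.get(secret.get("engine")))


# Constructed sample secrets with placeholder values (not real credentials).
GOOD = '{"engine":"mysql","host":"db.internal.example","username":"app","password":"x","port":3306}'
WRONG_CASE = '{"engine":"mysql","host":"db.internal.example","Username":"app","password":"x"}'
STRING_PORT = '{"engine":"postgres","host":"pg.internal.example","username":"app","password":"x","port":"5432"}'
```

Running check_db_secret on a secret's SecretString before calling RotateSecret surfaces the case and type mistakes that otherwise only appear as a failed rotation Lambda run.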

Amazon ElastiCache secret structure

{
  "password": "<password>",
  "username": "<username>",
  "user_arn": "ARN of the Amazon EC2 user"
}

For more information, see Automatically rotating passwords for users in the Amazon ElastiCache User Guide.

Active Directory secret structure

AWS Directory Service uses a secret to store Active Directory credentials. For more information, see Seamlessly join an Amazon EC2 Linux instance to your managed AD Active Directory in the AWS Directory Service Administration Guide. Seamless domain join requires the key names shown in the following example. If you don't use seamless domain join, you can change the names of the keys in the secret by using environment variables, as described in the rotation function template code.

To rotate Active Directory secrets, you can use the Active Directory rotation templates.

Active Directory credentials secret structure

{
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>"
}

If you want to rotate the secret, include the directory ID (awsSeamlessDomainDirectoryId).

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>"
}

If the secret is used together with secrets that contain keytabs, you can include the ARNs of the keytab secrets.

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "awsSeamlessDomainUsername": "<username>",
  "awsSeamlessDomainPassword": "<password>",
  "directoryServiceSecretVersion": 1,
  "schemaVersion": "1.0",
  "keytabArns": [
    "<ARN of child keytab secret 1>",
    "<ARN of child keytab secret 2>",
    "<ARN of child keytab secret 3>"
  ],
  "lastModifiedDateTime": "2021-07-19 17:06:58"
}

Active Directory keytab secret structure

For information about using keytab files to authenticate Active Directory accounts on Amazon EC2, see Deploy and configure Active Directory authentication with SQL Server 2017 on Amazon Linux 2.

{
  "awsSeamlessDomainDirectoryId": "d-12345abc6e",
  "schemaVersion": "1.0",
  "name": "<name>",
  "principals": [
    "aduser@MY.EXAMPLE.COM",
    "MSSQLSvc/test:1433@MY.EXAMPLE.COM"
  ],
  "keytabContents": "<keytab>",
  "parentSecretArn": "<ARN of parent secret>",
  "lastModifiedDateTime": "2021-07-19 17:06:58",
  "version": 1
}
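As an added example (not code from the AWS documentation), the Python check below verifies that an Active Directory credentials secret and the keytab secrets it lists describe each other consistently: every keytabArns entry must exist, carry the same directory ID as the parent, name at least one principal, and point back to the parent through parentSecretArn. The ARNs and secret contents are constructed placeholders; the function is a hypothetical helper, not part of any AWS rotation template.

```python
import json

# Keys this page documents for the two Active Directory secret types.
PARENT_KEYS = ("awsSeamlessDomainDirectoryId", "awsSeamlessDomainUsername",
               "awsSeamlessDomainPassword")
CHILD_KEYS = ("awsSeamlessDomainDirectoryId", "principals", "keytabContents",
              "parentSecretArn")


def check_ad_secret_links(parent_arn, parent_string, children_by_arn):
    """Cross-check an AD credentials secret against the keytab secrets it lists.
    parent_arn / parent_string: the credentials secret's ARN and SecretString.
    children_by_arn: {ARN: SecretString} for the keytab (child) secrets.
    Returns a list of inconsistencies; [] means every link is coherent."""
    parent = json.loads(parent_string)
    problems = [f"parent missing {k!r}" for k in PARENT_KEYS if k not in parent]
    directory_id = parent.get("awsSeamlessDomainDirectoryId")
    for arn in parent.get("keytabArns", []):
        if arn not in children_by_arn:
            problems.append(f"listed keytab secret not found: {arn}")
            continue
        child = json.loads(children_by_arn[arn])
        problems += [f"{arn}: missing {k!r}" for k in CHILD_KEYS if k not in child]
        if child.get("parentSecretArn") != parent_arn:
            problems.append(f"{arn}: parentSecretArn does not point back to the parent")
        if child.get("awsSeamlessDomainDirectoryId") != directory_id:
            problems.append(f"{arn}: directory ID differs from the parent's")
        if not child.get("principals"):
            problems.append(f"{arn}: principals list is empty")
    return problems


# Constructed sample secrets with placeholder ARNs and values (not real data).
PARENT_ARN = "arn:aws:secretsmanager:<region>:<account>:secret:ad-credentials"
CHILD_ARN = "arn:aws:secretsmanager:<region>:<account>:secret:ad-keytab-1"
PARENT = json.dumps({
    "awsSeamlessDomainDirectoryId": "d-12345abc6e",
    "awsSeamlessDomainUsername": "<username>", "awsSeamlessDomainPassword": "<password>",
    "schemaVersion": "1.0", "keytabArns": [CHILD_ARN]})
CHILD_OK = json.dumps({
    "awsSeamlessDomainDirectoryId": "d-12345abc6e", "schemaVersion": "1.0", "name": "sqlsvc",
    "principals": ["MSSQLSvc/test:1433@MY.EXAMPLE.COM"], "keytabContents": "<keytab>",
    "parentSecretArn": PARENT_ARN, "version": 1})
CHILD_BAD = json.dumps({
    "awsSeamlessDomainDirectoryId": "d-99999zzz9z", "principals": [],
    "keytabContents": "<keytab>",
    "parentSecretArn": "arn:aws:secretsmanager:<region>:<account>:secret:other"})
```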