Use secrets manager for api key

2025-02-08 21:36:59 +08:00
parent 48bf360456
commit 4d88731233
4 changed files with 69 additions and 389 deletions
--- a/deployment/BedrockProxyFargate.template
+++ b/deployment/BedrockProxyFargate.template
@@ -1,10 +1,10 @@
 Description: Bedrock Access Gateway - OpenAI-compatible RESTful APIs for Amazon Bedrock
 Transform: AWS::LanguageExtensions
 Parameters:
-  ApiKeyParam:
+  ApiKeySecretName:
    Type: String
    Default: ""
-    Description: The parameter name in System Manager used to store the API Key, leave blank to use a default key
+    Description: The secret name in Secrets Manager used to store the API Key
 Resources:
  VPCB9E5F0B4:
    Type: AWS::EC2::VPC
@@ -139,6 +139,22 @@ Resources:
              - logs:PutLogEvents
            Effect: Allow
            Resource: "*"
+          - Action:
+              - secretsmanager:GetSecretValue
+              - secretsmanager:DescribeSecret
+            Effect: Allow
+            Resource:
+              Fn::Join:
+                - ""
+                - - "arn:"
+                  - Ref: AWS::Partition
+                  - ":secretsmanager:"
+                  - Ref: AWS::Region
+                  - ":"
+                  - Ref: AWS::AccountId
+                  - ":secret:"
+                  - Ref: ApiKeySecretName
+                  - -??????
          - Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
@@ -184,23 +200,6 @@ Resources:
            Resource:
              - arn:aws:bedrock:*::foundation-model/*
              - arn:aws:bedrock:*:*:inference-profile/*
-          - Action:
-              - ssm:DescribeParameters
-              - ssm:GetParameters
-              - ssm:GetParameter
-              - ssm:GetParameterHistory
-            Effect: Allow
-            Resource:
-              Fn::Join:
-                - ""
-                - - "arn:"
-                  - Ref: AWS::Partition
-                  - ":ssm:"
-                  - Ref: AWS::Region
-                  - ":"
-                  - Ref: AWS::AccountId
-                  - :parameter/
-                  - Ref: ApiKeyParam
        Version: "2012-10-17"
      PolicyName: ProxyTaskRoleDefaultPolicy933321B8
      Roles:
@@ -221,9 +220,6 @@ Resources:
    Properties:
      ContainerDefinitions:
        - Environment:
-            - Name: API_KEY_PARAM_NAME
-              Value:
-                Ref: ApiKeyParam
            - Name: DEBUG
              Value: "false"
            - Name: DEFAULT_MODEL
@@ -251,6 +247,20 @@ Resources:
            - ContainerPort: 80
              HostPort: 80
              Protocol: tcp
+          Secrets:
+            - Name: API_KEY
+              ValueFrom:
+                Fn::Join:
+                  - ""
+                  - - "arn:"
+                    - Ref: AWS::Partition
+                    - ":secretsmanager:"
+                    - Ref: AWS::Region
+                    - ":"
+                    - Ref: AWS::AccountId
+                    - ":secret:"
+                    - Ref: ApiKeySecretName
+                    - ":api_key::"
      Cpu: "1024"
      ExecutionRoleArn:
        Fn::GetAtt:
@@ -345,6 +355,8 @@ Resources:
      LoadBalancerAttributes:
        - Key: deletion_protection.enabled
          Value: "false"
+        - Key: idle_timeout.timeout_seconds
+          Value: "600"
      Scheme: internet-facing
      SecurityGroups:
        - Fn::GetAtt:
@@ -401,7 +413,9 @@ Resources:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckEnabled: true
+      HealthCheckIntervalSeconds: 60
      HealthCheckPath: /health
+      HealthCheckTimeoutSeconds: 30
      Port: 80
      Protocol: HTTP
      TargetGroupAttributes: