Note:

Migrate Secrets from AWS Secrets Manager to Oracle Cloud Infrastructure Secrets in Vault

Introduction

Benefits of migrating secrets from Amazon Web Services (AWS) to Oracle Cloud Infrastructure (OCI):

Secret types supported in OCI Vault

Objectives

Prerequisites

Migrate Secrets from AWS to OCI

  1. Retrieve and review the AWS secrets. Before migrating secrets from AWS, make sure you have the list of secrets to transfer. In this example, we migrate two secrets: awssecret4 and awssecret5.


    The following screenshot shows the secrets in AWS Secrets Manager before the migration.


  2. Create a vault and an encryption key in OCI. To set up the OCI vault and key that will protect the secrets, see Create a Master Encryption Key.


  3. Migrate the secrets with a Python script. Download the following Python script and save it as aws_to_oci_secret_migration.py. The script automates retrieving each secret from AWS Secrets Manager and storing it in OCI Vault.

    Note: Replace the placeholders (for example your_aws_secret1, your_aws_region, your_oci_vault_id, and so on) with actual values. The prefix you specify is prepended to every secret name the script creates in the vault, so the migrated secrets are easy to tell apart from secrets created by other means.

    Script:

    import boto3  # AWS SDK to interact with AWS services
    import oci  # OCI SDK to interact with Oracle Cloud
    import base64  # To handle base64 encoding
    from botocore.exceptions import ClientError  # For handling errors with AWS
    
    # AWS configuration
    AWS_SECRET_NAMES = ["your_aws_secret1", "your_aws_secret2"]  # List of AWS secrets to migrate
    AWS_REGION = "your_aws_region"  # AWS region where the secrets are stored
    
    # OCI configuration
    VAULT_ID = "your_oci_vault_id"  # OCID of the OCI Vault
    COMPARTMENT_ID = "your_oci_compartment_id"  # OCID of the OCI compartment
    KEY_ID = "your_oci_key_id"  # OCID of the master encryption key in the vault
    OCI_SECRET_NAME_PREFIX = "your_prefix"  # Prefix for the secret names in OCI Vault
    
    def get_aws_secret(secret_name):
        """Retrieve the secret value from AWS Secrets Manager as bytes."""
        session = boto3.session.Session()  # Create a session with AWS
        client = session.client(service_name='secretsmanager', region_name=AWS_REGION)  # Secrets Manager client
    
        try:
            response = client.get_secret_value(SecretId=secret_name)
        except ClientError as e:
            print(f"Error retrieving secret '{secret_name}' from AWS: {e}")  # In case something goes wrong
            return None
    
        # Secrets Manager returns either SecretString (text) or SecretBinary (raw bytes);
        # reading only SecretString would raise a KeyError for binary secrets
        if 'SecretString' in response:
            return response['SecretString'].encode('utf-8')
        return response['SecretBinary']
    
    def create_oci_secret(secret_content, secret_name):
        """Create a new secret in OCI Vault from raw bytes."""
        config = oci.config.from_file()  # Loads your OCI configuration from ~/.oci/config
        vaults_client = oci.vault.VaultsClient(config)  # Use the VaultsClient to create a secret in OCI Vault
    
        # OCI expects the secret content Base64-encoded
        secret_content_base64 = base64.b64encode(secret_content).decode('ascii')
    
        try:
            # Creating a new secret in OCI Vault
            create_secret_response = vaults_client.create_secret(
                create_secret_details=oci.vault.models.CreateSecretDetails(
                    vault_id=VAULT_ID,
                    compartment_id=COMPARTMENT_ID,
                    secret_name=secret_name,
                    key_id=KEY_ID,
                    secret_content=oci.vault.models.Base64SecretContentDetails(
                        content=secret_content_base64,  # Base64 encoded content
                        content_type="BASE64"  # Specifying the content type as BASE64
                    ),
                    description="Migrated from AWS Secrets Manager"  # A brief description
                )
            )
            # Log only the name and the new secret's OCID, never the secret value itself
            print(f"Secret '{secret_name}' successfully created in OCI Vault: {create_secret_response.data.id}")
        except oci.exceptions.ServiceError as e:
            print(f"Error creating secret '{secret_name}' in OCI Vault: {e}")  # If something goes wrong
    
    def main():
        # Step 1: Retrieve and migrate secrets from AWS Secrets Manager
        for aws_secret_name in AWS_SECRET_NAMES:
            aws_secret_content = get_aws_secret(aws_secret_name)
    
            if aws_secret_content is not None:
                # Generate the OCI secret name based on the AWS secret name
                oci_secret_name = f"{OCI_SECRET_NAME_PREFIX}_{aws_secret_name}"
                # Step 2: Create the secret in OCI Vault
                create_oci_secret(aws_secret_content, oci_secret_name)
    
    if __name__ == "__main__":
        main()
    
  4. After saving the script, run it with the following command.

    python3 aws_to_oci_secret_migration.py
    


  5. After the script completes successfully, you can verify the newly created secrets in OCI Vault.

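The data-shaping part of steps 3 and 5 (turning an AWS response into the fields handed to CreateSecretDetails, and checking afterwards that what OCI holds matches what AWS held) can be exercised without any cloud credentials. The following Python is an added example written for this page; it is not Oracle's script and does not call the boto3 or oci SDKs. The sample AWS responses are constructed, the OCIDs are placeholders, and the secret-name rule (replace any character other than letters, digits, `-`, `_` and `.` with `_`) is an assumption made for the example, so check it against the current OCI Vault naming limits before relying on it. It also covers two cases the tutorial script does not discuss: secrets stored as SecretBinary rather than SecretString, and two AWS names that collapse onto the same prefixed OCI name.

```python
import base64
import re

# Constructed sample responses in the shape boto3's get_secret_value() returns
# (names and values are made up for this example; no cloud access is needed).
SAMPLE_AWS_RESPONSES = {
    "prod/db/password": {
        "Name": "prod/db/password",
        "SecretString": '{"username": "app", "password": "example-only"}',
    },
    "tls/cert-bundle": {
        "Name": "tls/cert-bundle",
        "SecretBinary": b"\x30\x82\x01\x0a\x02\x01\x00",  # constructed DER-like bytes
    },
}


def extract_aws_secret_bytes(response):
    """Return the secret payload as bytes, whether AWS stored it as text or binary."""
    if "SecretString" in response:
        return response["SecretString"].encode("utf-8")
    if "SecretBinary" in response:
        return bytes(response["SecretBinary"])
    raise ValueError("response carries neither SecretString nor SecretBinary")


def to_oci_secret_name(prefix, aws_name):
    """Map an AWS secret name onto a prefixed OCI secret name.

    Assumed rule for this example: AWS names may contain '/', which is
    replaced with '_'; letters, digits, '-', '_' and '.' are kept as-is.
    """
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", aws_name)
    return f"{prefix}_{safe}"


def detect_name_collisions(prefix, aws_names):
    """Return {oci_name: [aws names]} for every OCI name that two or more AWS names map to."""
    mapping = {}
    for name in aws_names:
        mapping.setdefault(to_oci_secret_name(prefix, name), []).append(name)
    return {k: v for k, v in mapping.items() if len(v) > 1}


def build_create_secret_details(prefix, vault_id, compartment_id, key_id, aws_response):
    """Shape one AWS response into the fields passed to CreateSecretDetails."""
    payload = extract_aws_secret_bytes(aws_response)
    return {
        "vault_id": vault_id,
        "compartment_id": compartment_id,
        "key_id": key_id,
        "secret_name": to_oci_secret_name(prefix, aws_response["Name"]),
        "secret_content": {
            "content_type": "BASE64",
            "content": base64.b64encode(payload).decode("ascii"),
        },
        "description": "Migrated from AWS Secrets Manager",
    }


def plan_migration(prefix, vault_id, compartment_id, key_id, aws_responses):
    """Build every CreateSecretDetails payload, refusing to continue on a name collision."""
    collisions = detect_name_collisions(prefix, aws_responses.keys())
    if collisions:
        raise ValueError(f"OCI secret name collisions: {sorted(collisions)}")
    return [
        build_create_secret_details(prefix, vault_id, compartment_id, key_id, resp)
        for resp in aws_responses.values()
    ]


def verify_round_trip(aws_response, oci_content_base64):
    """Post-migration check: the bytes OCI holds must equal the bytes AWS held."""
    return base64.b64decode(oci_content_base64) == extract_aws_secret_bytes(aws_response)


if __name__ == "__main__":
    # Placeholder OCIDs; in a real run these come from the vault you created in step 2
    plan = plan_migration("migrated", "VAULT_OCID_PLACEHOLDER", "COMPARTMENT_OCID_PLACEHOLDER",
                          "KEY_OCID_PLACEHOLDER", SAMPLE_AWS_RESPONSES)
    for details, resp in zip(plan, SAMPLE_AWS_RESPONSES.values()):
        ok = verify_round_trip(resp, details["secret_content"]["content"])
        # Print names only; the secret value itself is never logged
        print(f"{resp['Name']} -> {details['secret_name']}: round-trip {'ok' if ok else 'MISMATCH'}")
```

In a real migration, `verify_round_trip` would be fed the Base64 content read back from OCI Vault (via the secret-retrieval API) rather than the value you just sent, so that the check confirms what was actually stored. Keeping the collision check ahead of any create call matters because OCI secret names must be unique within a vault: without it, the second of two colliding names would fail or, worse, be silently skipped.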

Next Steps

Migrating secrets from AWS to OCI helps you streamline operations, especially when the rest of your cloud infrastructure already runs on OCI. By automating the transfer with Python, you can move secrets efficiently while ensuring they are stored securely and protected under OCI's encryption standards.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit the Oracle Help Center.