fix secret access issue

daixba · daixba · commit a6f3e1176b10 · 2025-02-09T06:53:23.000+08:00
diff --git a/README.md b/README.md
@@ -77,6 +77,9 @@ Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS acc
    Description: (Optional) Add a description of your secret
 5. Click "Next" and review all your settings and click "Store"
 
+After creation, you'll see your secret in the Secrets Manager console.  Make note of the secret ARN.
+
+
 **Step 2: Deploy the CloudFormation stack**
 
 1. Sign in to AWS Management Console, switch to the region to deploy the CloudFormation Stack to.
@@ -88,11 +91,11 @@ Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS acc
 3. Click "Next".
 4. On the "Specify stack details" page, provide the following information:
     - Stack name: Change the stack name if needed.
-    - ApiKeySecretName: Enter the secret name you used for storing the API key (e.g., `BedrockProxyAPIKey`). Click "Next".
-5. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs.
-6. Click "Next".
-7. On the "Review" page, review the details of the stack you're about to create. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom.
-8. Click "Create stack".
+    - ApiKeySecretArn: Enter the secret ARN you used for storing the API key. 
+   
+   Click "Next".
+5. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs. Click "Next".
+6. On the "Review" page, review the details of the stack you're about to create. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom. Click "Create stack".
 
 That is it! 🎉 Once deployed, click the CloudFormation stack and go to **Outputs** tab, you can find the API Base URL from `APIBaseUrl`, the value should look like `http://xxxx.xxx.elb.amazonaws.com/api/v1`.
 
diff --git a/README_CN.md b/README_CN.md
@@ -76,6 +76,7 @@ OpenAI 的 API 或 SDK 无缝集成并试用 Amazon Bedrock 的模型,而无需
 4. 在 "配置密钥" 页面： 密钥名称：输入一个名称（例如："BedrockProxyAPIKey"） 描述：（可选）添加密钥的描述
 5. 点击 "下一步"，检查所有设置后点击 "存储"
 
+创建完成后，您将在 Secrets Manager 控制台中看到您的密钥。请记下密钥的 ARN。
 
 **第二步: 部署CloudFormation堆栈**
 
@@ -88,12 +89,11 @@ OpenAI 的 API 或 SDK 无缝集成并试用 Amazon Bedrock 的模型,而无需
 3. 单击"下一步"。
 4. 在"指定堆栈详细信息"页面,提供以下信息:
     - 堆栈名称: 可以根据需要更改名称。
-    - ApiKeySecretName:输入您用于存储API 密钥的名称(例如"BedrockProxyAPIKey")，否则,请将此字段留空。
-      单击"下一步"。
-5. 在"配置堆栈选项"页面,您可以保留默认设置或根据需要进行自定义。
-6. 单击"下一步"。
-7. 在"审核"页面,查看您即将创建的堆栈详细信息。勾选底部的"我确认，AWS CloudFormation 可能创建 IAM 资源。"复选框。
-8. 单击"创建堆栈"。
+    - ApiKeySecretArn:输入您用于存储API 密钥的ARN。
+    
+   单击"下一步"。
+5. 在"配置堆栈选项"页面,您可以保留默认设置或根据需要进行自定义。 单击"下一步"。
+6. 在"审核"页面,查看您即将创建的堆栈详细信息。勾选底部的"我确认，AWS CloudFormation 可能创建 IAM 资源。"复选框。 单击"创建堆栈"。
 
 仅此而已 🎉 。部署完成后,点击CloudFormation堆栈,进入"输出"选项卡,你可以从"APIBaseUrl"
 中找到API Base URL,它应该类似于`http://xxxx.xxx.elb.amazonaws.com/api/v1` 这样的格式。
diff --git a/deployment/BedrockProxyFargate.template b/deployment/BedrockProxyFargate.template
@@ -1,10 +1,10 @@
 Description: Bedrock Access Gateway - OpenAI-compatible RESTful APIs for Amazon Bedrock
 Transform: AWS::LanguageExtensions
 Parameters:
-  ApiKeySecretName:
+  ApiKeySecretArn:
     Type: String
-    Default: ""
-    Description: The secret name in Secrets Manager used to store the API Key
+    AllowedPattern: ^arn:aws:secretsmanager:.*$
+    Description: The secret ARN in Secrets Manager used to store the API Key
 Resources:
   VPCB9E5F0B4:
     Type: AWS::EC2::VPC
@@ -144,17 +144,7 @@ Resources:
               - secretsmanager:DescribeSecret
             Effect: Allow
             Resource:
-              Fn::Join:
-                - ""
-                - - "arn:"
-                  - Ref: AWS::Partition
-                  - ":secretsmanager:"
-                  - Ref: AWS::Region
-                  - ":"
-                  - Ref: AWS::AccountId
-                  - ":secret:"
-                  - Ref: ApiKeySecretName
-                  - -??????
+              Ref: ApiKeySecretArn
           - Action:
               - ecr:BatchCheckLayerAvailability
               - ecr:GetDownloadUrlForLayer
@@ -252,14 +242,7 @@ Resources:
               ValueFrom:
                 Fn::Join:
                   - ""
-                  - - "arn:"
-                    - Ref: AWS::Partition
-                    - ":secretsmanager:"
-                    - Ref: AWS::Region
-                    - ":"
-                    - Ref: AWS::AccountId
-                    - ":secret:"
-                    - Ref: ApiKeySecretName
+                  - - Ref: ApiKeySecretArn
                     - ":api_key::"
       Cpu: "1024"
       ExecutionRoleArn:
