How to (properly) use external credentials in an AWS Lambda function?


Question

I have an (extremely basic but perfectly working) AWS Lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.

What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).

These are the relevant parts of the function:

import base64
import httplib2

h = httplib2.Http()
# HTTP Basic auth value: base64 of "user:password". Credential #1 is embedded right here.
# b64encode is used instead of encodestring, which appends a newline that corrupts the header.
auth = base64.b64encode('myuser' + ':' + 'mysecretpassword')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {'Authorization':'Basic ' + auth,'Accept':'application/xml;version=5.7'})

and then

import boto

# Credential #2 (AWS access key pair) is embedded here; the values are placeholders.
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')

How would you go about cleaning the code by NOT having these credentials inside the function?

FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).

Answer

In your example you have 2 types of credentials:

  1. AWS creds
  2. Non-AWS creds

With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you are good to go.

With non-AWS creds the most secure approach would be:

  1. Encrypt the credentials upfront using the KMS service (kms.encrypt('foo')).
  2. Once you have the encrypted version of your information, feel free to store it anywhere you want. The simplest way would be to hard-code it in the Lambda.
  3. Add permission to the Lambda IAM Role to decrypt the information using the KMS key that you used in step 1.
  4. Then, each time the Lambda is invoked, let it call KMS to decrypt the information.
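The four steps above as an added example (not code from the question or the answer): encrypt once with boto3's kms.encrypt, hard-code only the base64 ciphertext, and decrypt at invoke time with kms.decrypt, which is the single permission the execution role needs. The key alias, the encryption context and the StandInKms class are assumptions so the round trip runs offline; in Lambda you pass the real boto3 client instead.

```python
import base64

try:
    import boto3  # present in the Lambda runtime; optional for the offline demo below
except ImportError:
    boto3 = None

KEY_ID = "alias/lambda-secrets"                    # assumed key alias (placeholder)
CONTEXT = {"function": "vca-login"}                # assumed encryption context, bound to the ciphertext
ENCRYPTED_PASSWORD_B64 = "PASTE_OUTPUT_OF_encrypt_secret_HERE"  # step 2: only ciphertext is hard-coded


def encrypt_secret(kms, plaintext, key_id=KEY_ID):
    """Step 1: run once, outside Lambda, as a principal allowed kms:Encrypt on key_id."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode("utf-8"),
                       EncryptionContext=CONTEXT)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def decrypt_secret(kms, ciphertext_b64):
    """Step 4: the execution role needs only kms:Decrypt on KEY_ID (step 3)."""
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64),
                       EncryptionContext=CONTEXT)
    return resp["Plaintext"].decode("utf-8")


_cache = {}


def load_password(kms=None, ciphertext_b64=ENCRYPTED_PASSWORD_B64):
    """Decrypt on the first invoke and reuse the value across warm invokes of the same container."""
    if "password" not in _cache:
        _cache["password"] = decrypt_secret(kms or boto3.client("kms"), ciphertext_b64)
    return _cache["password"]


class StandInKms:
    """Constructed stand-in with boto3's call shape so the round trip runs offline (not real crypto)."""
    def __init__(self):
        self._vault = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        token = ("blob-%d" % len(self._vault)).encode("ascii")
        self._vault[token] = (Plaintext, dict(EncryptionContext or {}))
        return {"KeyId": KeyId, "CiphertextBlob": token}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        plaintext, bound = self._vault[CiphertextBlob]
        if bound != dict(EncryptionContext or {}):  # real KMS fails the call on context mismatch
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": plaintext}
```

The decrypted value never has to touch the function source or logs; only the base64 blob and the role's kms:Decrypt grant are deployed with the function.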
