How to (properly) use external credentials in an AWS Lambda function?
Question
I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.
What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).
These are the relevant parts of the function:
```python
import base64
import httplib2
import boto

h = httplib2.Http()
# credentials #1 (external web service) hard-coded in the function;
# b64encode produces the token without the trailing newline that
# base64.encodestring appended
auth = base64.b64encode(b'myuser:mysecretpassword').decode('ascii')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST',
                                headers={'Authorization': 'Basic ' + auth,
                                         'Accept': 'application/xml;version=5.7'})
```

Then

```python
# credentials #2 (AWS) hard-coded in the function as well
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',
                             aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')
```
How would you go about cleaning the code by NOT having these credentials inside the function?
FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).
Recommended answer
In your example you have 2 types of credentials:
- AWS creds
- non-AWS creds
借助AWS,一切都变得简单:创建IAM角色,将其授予dynamodb许可,然后您就可以开始了.
With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you're good to go.
With non AWS creds the most secure approach would be:
- Encrypt credentials upfront using the kms service (`kms.encrypt('foo')`).
- Once you have the encrypted version of your information, feel free to store it anywhere you want. The simplest way would be to hard code it in the lambda.
- Add permission to the lambda IAM Role to decrypt the information using the kms key that you used in step 1.
- Then each time the lambda is invoked, let it call kms to decrypt the information.
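The Lambda side of the steps above, written as an added example rather than code from the original post: the password was encrypted once with KMS, the ciphertext is stored in the function's configuration (an environment variable here, an assumption; the answer hard-codes it), and the function calls KMS to decrypt it, caching the plaintext across warm invocations. The `FakeKms` stand-in and the environment variable names are constructed for offline use; in Lambda the real `boto3.client("kms")` is used and the role needs `kms:Decrypt` on the key.

```python
"""Decrypt-at-invoke pattern from the answer.  Added example, not the original
post's code; env var names, FakeKms and helper names are assumptions."""
import base64
import os

_cache = {}  # decrypted plaintext survives warm invocations of one container


class FakeKms:
    """Constructed stand-in for boto3.client('kms') so the example runs offline.
    Maps a ciphertext blob to its plaintext; real KMS enforces kms:Decrypt."""

    def __init__(self, table):
        self._table = table

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": self._table[CiphertextBlob]}


def load_secret(env_name, kms_client, env=None):
    """Return the plaintext for the base64 ciphertext stored in env var env_name.
    kms_client must offer boto3's decrypt(CiphertextBlob=bytes) -> {'Plaintext': bytes}."""
    if env_name not in _cache:
        env = os.environ if env is None else env
        blob = base64.b64decode(env[env_name])
        _cache[env_name] = kms_client.decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")
    return _cache[env_name]


def basic_auth_header(user, password):
    """Header value for the question's httplib2 POST; b64encode adds no trailing
    newline, unlike the base64.encodestring used in the question."""
    token = base64.b64encode("{}:{}".format(user, password).encode("utf-8")).decode("ascii")
    return "Basic " + token


def lambda_handler(event, context, kms_client=None, env=None):
    """Entry point: resolve the service credential via KMS; DynamoDB access comes
    from the execution role, so no AWS keys appear anywhere in the function."""
    if kms_client is None:
        import boto3  # only needed inside Lambda (assumed role grants kms:Decrypt)
        kms_client = boto3.client("kms")
    env = os.environ if env is None else env
    user = env["SERVICE_USER"]  # the username is not secret, plain env var
    password = load_secret("SERVICE_PASSWORD_CIPHERTEXT", kms_client, env)
    # boto.connect_dynamodb() / boto3.resource("dynamodb") with no keys uses the role
    return basic_auth_header(user, password)
```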