硬编码“ aws cognito”的“身份池ID”在安全性方面很危险？ [英] hard-coding "identity-pool id' for 'aws cognito' is dangerous in security?

问题描述

我正在使用AWS Cognito服务通过Unity3D进行身份验证。
我想知道是否将身份池ID硬编码为脚本是否存在安全问题。
为了安全起见，开发人员应如何实施？
有人建议吗？

I am using aws cognito service for authentication with Unity3D. I wonder whether there is security problem if 'identity-pool id' is hardcoded to script. For the security, how do deveopers implement? Is there anybody to suggest?

推荐答案

如果计划发布源代码，则公开身份和身份验证信息是可行的。一个坏主意。

If you plan on releasing the source code, exposing identities and authentication information is a bad idea.

您可以做的是使代码从单独的文件中获取身份池ID，并提交具有连接字符串（在这种情况下为您的身份）的文件池ID-但使用模板ID提交它。不是真正的一个。提交后，您可以使用.gitignore忽略该文件，然后将其更改为真实ID。

What you could do is make your code to fetch the Identity Pool ID from a separate file and commit that file that has the connection string, or in this case, your Identity Pool ID - but commit it with a template ID. Not the real one. After you've committed it you can use .gitignore to ignore that file and then change it to the real ID.

这样，没人会看到您的ID，这很容易对其他人来说，管理和简化分叉/克隆您的项目应该理解他们需要做什么。

This way no one will see your ID, it's easy to manage and easy for others that are Forking/cloning your project understand what they need to do.

如果您（例如）一起工作并例如，每个人都在使用个人许可证或类似许可证。

This is also a good practice if you, for instance, work together and everyone is for instance using a personal license or similar.

这篇关于硬编码“ aws cognito”的“身份池ID”在安全性方面很危险？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！