AWS Lambda: How to store secret to external API?


Question

I'm building a monitoring tool based on AWS Lambda. Given a set of metrics, the Lambdas should be able to send SMS using the Twilio API. To be able to use the API, Twilio provides an account SID and an auth token.

How and where should I store these secrets?

I'm currently thinking of using AWS KMS, but there might be other, better solutions.

Recommended answer

Here is what I've come up with. I'm using AWS KMS to encrypt my secrets into a file that I upload with the code to AWS Lambda. I then decrypt it when I need to use them.

Here are the steps to follow.

First create a KMS key. You can find documentation here: http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

Then encrypt your secret and put the result into a file. This can be achieved from the CLI with:

aws kms encrypt --key-id some_key_id --plaintext "This is the secret you want to encrypt" --query CiphertextBlob --output text | base64 --decode > ./encrypted-secret

You then need to upload this file as part of the Lambda. You can decrypt and use the secret in the Lambda as follows.

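var fs = require('fs');
var AWS = require('aws-sdk');
var kms = new AWS.KMS({region:'eu-west-1'});

// Binary KMS ciphertext bundled with the function code
var secretPath = './encrypted-secret';
var encryptedSecret = fs.readFileSync(secretPath);

// The key is not named here: KMS identifies it from the ciphertext metadata.
// The Lambda execution role needs kms:Decrypt on that key.
var params = {
  CiphertextBlob: encryptedSecret
};

kms.decrypt(params, function(err, data) {
  if (err) console.log(err, err.stack);
  else {
    // Plaintext is returned as a Buffer
    var decryptedSecret = data['Plaintext'].toString();
    // Demonstration only: console.log output ends up in CloudWatch Logs
    console.log(decryptedSecret);
  }
});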

Hope you find it useful.
