我该如何保护我的AWS访问ID和密钥在我的Python应用程序 [英] How can I protect my AWS access id and secret key in my python application
问题描述
我做了一个Python应用程序,并在某些模块中使用亚马逊网络服务。
I'm making an application in Python and using Amazon Web Services in some modules.
我现在硬编码我的AWS访问ID和秘密密钥* .py文件。或者可以将它们移出到配置文件中的未来。
I'm now hard coding my AWS access id and secret key in *.py file. Or might move them out to an configuration file in future.
但有一个问题,我怎么能保护AWS信息的形式与其他人呢?当我知道蟒蛇是那么容易反编译的语言。
But there's a problem, how can I protect AWS information form other people? As I know python is a language that easy to de-compile.
有没有办法做到这一点?
Is there a way to do this?
好吧我正在做的一个应用程序,以帮助用户上传/下载的东西从云中。我使用亚马逊S3云存储。据我所知的Dropbox也在使用S3所以我不知道他们是如何保护的关键。
Well what I'm making is an app to help user upload/download stuff from cloud. I'm using Amazon S3 as cloud storage. As I know Dropbox also using S3 so I'm wondering how they protects the key.
经过一天的研究,我发现了什么。 我现在使用博托(一AWS库蟒蛇)。我可以用'generate_url(X)'的函数来获得一个网址的应用程序,以在S3访问对象。 URL将被终止在X秒。 所以,我可以建立一个Web服务,为我的应用程序,为他们提供的网址。在AWS键将不会被设置成应用程序,但到Web服务。
After a day's research I found something. I'm now using boto (an AWS library for python). I can use a function of 'generate_url(X)' to get a url for the app to accessing the object in S3. The url will be expired in X seconds. So I can build a web service for my apps to provide them the urls. The AWS keys will not be set into the app but into the web service.
这听起来不错,但到目前为止,我只可以下载这个函数对象,上传不起作用。任何身体知道如何使用它上传?
It sounds great, but so far I only can download objects with this function, upload doesn't work. Any body knows how to use it for uploading?
有谁知道这里如何使用博托的key.generate_url()来获得一个临时的网址上传东西S3?
Does anyone here know how to use key.generate_url() of boto to get a temporary url for uploading stuff to S3?
推荐答案
有没有办法来保护你的钥匙,如果你要发布你的code。他们将能够访问任何人谁有权访问你的服务器或源$ C $ C。
There's no way to protect your keys if you're going to distribute your code. They're going to be accessible to anyone who has access to your server or source code.
有两件事情可以做,以保护自己免受恶意使用钥匙的。
There are two things you can do to protect yourself against malicious use of your keys.
-
使用亚马逊的IAM服务创建一组密钥,只有具有执行,你需要为你的脚本任务的权限。 http://aws.amazon.com/iam/
如果你有一个移动应用程序或其他应用程序,将需要用户帐户,您可以创建创建临时令牌为每个用户提供服务。用户必须拥有有效的令牌,你的钥匙执行任何操作。如果你想使用你的钥匙,你可以停止生成为他们新的令牌停止用户。 <一href="http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf">http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf
If you have a mobile app or some other app that will require user accounts you can create a service to create temporary tokens for each user. The user must have a valid token and your keys to perform any actions. If you want to stop a user from using your keys you can stop generating new tokens for them. http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf
具体到S3,如果你正在创建一个应用程序,让人们上传内容。保护您的帐户和其他用户的信息的唯一方式是让他们注册一个帐号你。
Specifically to S3 if you're creating an application to allow people to upload content. The only way to protect your account and the information of the other users is to make them register an account with you.
- 应用程序的第一步将是与您的服务器进行身份验证。
- 一旦你的服务器验证你犯了一个请求,亚马逊令牌服务器,并返回一个标记
- 您的应用程序,然后使得使用内置的EXE和令牌密钥的请求。
- 基于权限应用于该用户他只能上传到被分配给他的桶中。
如果这似乎是pretty的困难,那么你很可能没有准备好设计应用程序,这将帮助用户数据上传到S3。你将有显著的安全问题,如果你只把1号键,即使你可以隐藏用户的关键,他们将能够编辑任何用户添加任何数据。
If this seems pretty difficult then you're probably not ready to design an application that will help users upload data to S3. You're going to have significant security problems if you only distribute 1 key even if you can hide that key from the user they would be able to edit any data added by any user.
解决这个问题的唯一办法是让每个用户创建自己的AWS帐号,您的应用程序将帮助他们将文件上传到自己的S3帐户。如果是这种情况,那么你就不需要担心保护密钥,因为用户将负责安装应用程序后,将自己的钥匙。
The only way around this is to have each user create their own AWS account and your application will help them upload files to their S3 account. If this is the case then you don't need to worry about protecting the keys because the user will be responsible for adding their own keys after installing your application.
这篇关于我该如何保护我的AWS访问ID和密钥在我的Python应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
