Keeping a secret key secret with Amazon Web Services


Question

I'm playing around with using Amazon Web Services in my personal project. I've grabbed their AWS SDK for .NET and I'm using that, but I'm a little confused.

  1. Access to the web service (in this case, SimpleDB, though I don't think that's really material to the question) is authorized via a private/public key pair.

  2. The AWS SDK for .NET API used to create a client object requires the private key:

         AWSClientFactory.CreateAmazonSimpleDBClient(publicKey, privateKey);

  3. This is a client application, so the code would be running entirely on the client.

Suggesting that the client would need to have access to my private key to have access to SimpleDB. But Amazon repeatedly and emphatically states that my private key must not leave my control.

This doesn't make sense to me, so I figure I must be missing something.

Is a client-side application the wrong model for Amazon Web Services in general, for using their AWS SDK for .NET, or am I missing something that makes a client application perfectly reasonable? Is there a good way to work around this without creating a proxy service of my own that would authenticate clients and forward their requests to SimpleDB?

Answer

You don't need to implement a proxy that fronts the remote (AWS) service. Just implement a simple, small, authenticated service which returns to the client the URL and headers to use when contacting AWS. Your authenticated web service keeps the AWS secret, and only provides the signed request URL and headers to the client, which then goes and makes the actual work call using that returned information.

This way, you avoid the overhead during the AWS call of having to go through your own servers, saving latency, bandwidth, tied-up sockets on your server, failure handling complexity, etc. You just take a lightweight hit up front for the client to get the proper instructions.
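The split the answer describes, as an added example that is not code from the post or from the AWS SDK: the small authenticated service holds the secret and signs a SimpleDB query with SimpleDB's Signature Version 2 scheme (HMAC-SHA256 over the canonical request), then hands the client only the signed URL, which carries the access key ID and signature but never the secret. It is written in Python rather than .NET so the signing step itself is visible; the access key, secret, domain name and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed placeholder credentials for the example; never real keys.
ACCESS_KEY_ID = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "example-secret-that-stays-on-the-signing-service"
SDB_HOST = "sdb.amazonaws.com"


def _canonical_query(params):
    # SigV2: parameters sorted by name (byte order), names and values RFC 3986 encoded.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    # Canonical string: verb, lowercased host, request URI, canonical query, newline separated.
    return "\n".join([method, host.lower(), path, _canonical_query(params)])


def sign_query(params, secret, method="GET", host=SDB_HOST, path="/"):
    """Service side only: the secret is needed here and nowhere else."""
    sts = string_to_sign(method, host, path, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), sts, hashlib.sha256).digest()).decode()


def build_signed_url(action, extra_params, timestamp):
    """What the authenticated service returns to a client it has already authenticated:
    a complete SimpleDB request URL the client can send to AWS directly."""
    params = {"Action": action, "AWSAccessKeyId": ACCESS_KEY_ID,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": timestamp, "Version": "2009-04-15", **extra_params}
    params["Signature"] = sign_query(params, SECRET_KEY)
    return f"https://{SDB_HOST}/?{_canonical_query(params)}"


def url_is_validly_signed(url, secret):
    """Recompute the signature over a signed URL; False if the URL was altered after
    signing or was signed with a different secret (what AWS does on receipt)."""
    u = urlparse(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("Signature", None)
    if presented is None:
        return False
    expected = sign_query(params, secret, host=u.netloc, path=u.path or "/")
    return hmac.compare_digest(presented, expected)
```

Because the timestamp is part of the signed string, a signed URL the service hands out is bound to that request and expires on the AWS side, so a leaked URL does not become a reusable credential the way a leaked secret would.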

