如何向数千台非 EC2 计算机授予 AWS 编程访问权限并轮换密钥?

huangapple go评论74阅读模式
英文:

How to grant AWS programmatic access to thousands of non-EC2 computers, and rotate keys?

问题

我的Java服务将在我的计算机上运行(假设我将拥有超过1000台计算机),并将一些数据发送到S3。我使用AWS Java SDK来完成这个任务。

如果我理解正确,为了做到这一点,我需要在我的计算机上使用访问密钥和秘密密钥(假设它们将在.aws/credential文件中)。

我阅读了许多关于资源编程访问最佳实践的AWS文档,但仍然无法理解。

  1. 轮换访问密钥。在访问密钥轮换之后,我如何在所有运行在我的计算机上的应用程序中进行更改?我的应用程序是否需要自行更新?

  2. 临时凭证。在这种方法中,我仍然需要在我的计算机上拥有访问密钥和秘密密钥。如果是的,我将面临与问题1相同的问题。

有人能否向我建议在我这种情况下以编程方式安全地访问AWS资源的最佳方法是什么?我需要如何处理访问密钥和秘密密钥?

谢谢。

更新:

  1. 计算机位于不同的网络中
  2. Java应用程序将数据发送到S3,并从S3中读取数据
  3. 每次都可以添加新的计算机
英文:

My java service will run on my computers (let's say I'll have more than 1000 computers) and will send some data to S3. I use AWS Java SDK for it.

If I'm right, for doing it I need to use access key & secret key on my computers. (let's say it will be in .aws/credential file)

I read a lot of AWS documentation about the best practices for resources programmatic access, but still can't understand it.

  1. Rotating access keys. After an access key is rotated, how can I change it in all applications that run my computers? Should my application be self-updated?

  2. Temporary credentials. In this approach I still need to have access key & secret key on my computers. If yes, I have the same problem as in Q1.

Can somebody advise me what the best way and secure to programmatically access AWS resources in my situation? What do I need to do with access key & secret key?

Thank you.

UPDATES:

  1. Computers are in different networks
  2. Java app sends to S3 and also reads from S3
  3. New computers can be added every time

答案1

得分: 1

计算机需要AWS凭据与S3通信。

最简单的方法是在每台计算机上存储凭据。然而,正如您所说,这使得旋转密钥变得困难。

另一种选择是将凭据存储在一个数据库中,它们可以访问,这样它们总是可以获取到最新的凭据。然而,它们将需要某种登录来访问数据库。

或者,您可以设置身份联合,以便计算机可以对某些东西(如Active Directory)进行身份验证,然后您可以编写一个中央服务,该服务将为每台计算机提供临时凭据。

该过程基本上如下:

  • 计算机对AD进行身份验证
  • 它们调用您的服务并证明它们已经通过AD进行了身份验证
  • 然后,您的服务调用STS并生成有效期最长为36小时的临时凭据
  • 它将这些凭据提供给计算机

参见:GetFederationToken - AWS安全令牌服务

英文:

The computers will need AWS credentials to talk with S3.

The simplest way is to store the credentials on each computer. However, as you say, it makes it hard to rotate the keys.

Another option is to store the credentials in a database that they can access, so they always get the latest credentials. However, they will need some sort of login to access the database.

Alternatively, you could setup identity federation, so that that the computers can authenticate against something like Active Directory, and then you can write a central service that will provide temporary credentials to each computer.

The process is basically:

  • The computers authenticate to AD
  • They call your service and prove that they are authenticated to AD
  • Your service then calls STS and generates temporary credentials valid for up to 36 hours
  • It provides those credentials to the computers

See: GetFederationToken - AWS Security Token Service

答案2

得分: 0

据我所知,您需要确保计算机上的应用程序具有最新的访问密钥。我的建议是将访问密钥存储在一个集中的位置,应用程序将从该位置检索它。因此,一旦您轮换密钥并更新集中存储,所有应用程序实例都会反映出这一变化。

英文:

AFAIK you need to ensure that your application on computer has up-to-date access key. My recommendation is to store the access key on centralized place from which application will retrieve it. Thus, once you rotate the key and update the centralized storage, it will be reflected in all your application instances.

答案3

得分: 0

AWS Java SDK使用凭证链。凭证链的含义是SDK将按照以下顺序在6个不同的位置查找凭证:

  1. Java系统属性–aws.accessKeyId和aws.secretAccessKey。AWS Java SDK使用SystemPropertyCredentialsProvider来加载这些凭证。
  2. 环境变量–AWS_ACCESS_KEY_ID和AWS_SECRET_ACCESS_KEY。AWS Java SDK使用EnvironmentVariableCredentialsProvider类来加载这些凭证。
  3. 默认凭证配置文件–该文件的具体位置因平台而异,但通常位于~/.aws/credentials。这个文件被许多AWS SDK和AWS CLI共享。AWS Java SDK使用ProfileCredentialsProvider来加载这些凭证。
  4. 您可以通过使用AWS CLI提供的aws configure命令创建凭证文件。您也可以通过文本编辑器创建它。有关凭证文件格式的信息,请参阅AWS凭证文件格式。
  5. Amazon ECS容器凭证–如果设置了环境变量AWS_CONTAINER_CREDENTIALS_RELATIVE_URI,则从Amazon ECS加载这些凭证。AWS Java SDK使用ContainerCredentialsProvider来加载这些凭证。
  6. 实例配置文件凭证–这在Amazon EC2实例上使用,并通过Amazon EC2元数据服务传递。AWS Java SDK使用InstanceProfileCredentialsProvider来加载这些凭证。

https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html

英文:

The AWS Java SDKs use a credential chain. The credential chain just means the SDK will look for credentials in 6 different places in this order:

  1. Java system properties–aws.accessKeyId and aws.secretAccessKey. The AWS SDK for Java uses the SystemPropertyCredentialsProvider to load these credentials.
  2. Environment variables–AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
  3. The default credential profiles file– The specific location of this file can vary per platform, but is typically located at ~/.aws/credentials. This file is shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
  4. You can create a credentials file by using the aws configure command provided by the AWS CLI. You can also create it by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format.
  5. Amazon ECS container credentials– This is loaded from Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials.
  6. Instance profile credentials– This is used on Amazon EC2 instances, and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider
    to load these credentials.

https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html

huangapple
  • 本文由 发表于 2020年9月30日 19:40:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/64136821.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定