如何使用变量中的凭证运行AWS SDK版本2?

huangapple go评论91阅读模式
英文:

How to run AWS SDK version 2 with credentials from variables?

问题

我的问题与这个问题相同:https://stackoverflow.com/questions/41544554/how-to-run-aws-sdk-with-credentials-from-variables,但我正在使用不再使用Session的SDK版本2(如果我理解正确的话)。

因此,我正在创建一个新的客户端,并且我有作为变量的凭据。我需要使用IAM服务。以下是函数:

func getIAMClient(ctx context.Context) (*iam.Client, error) {
    cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("no-region"))
    if err != nil {
        return nil, errors.Wrap(err)
    }

    cfg.HTTPClient, err = getHTTPClient(ctx)
    if err != nil {
        return nil, err
    }

    return iam.NewFromConfig(cfg), nil
}

不同的用户将同时使用该应用程序,因此我不能只使用ENV文件,但我还没有找到一个解释如何将这些凭据传递给我的客户端的文档页面。任何支持将不胜感激!

英文:

My question is the same as this other question: https://stackoverflow.com/questions/41544554/how-to-run-aws-sdk-with-credentials-from-variables but I am using SDK version 2 which no longer uses Session (if I understand correctly).

So, I am creating a new client, and I have the credentials as variables. I need to use the IAM service. Here is the function:

func getIAMClient(ctx context.Context) (*iam.Client, error) {
	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("no-region"))
	if err != nil {
		return nil, errors.Wrap(err)
	}

	cfg.HTTPClient, err = getHTTPClient(ctx)
	if err != nil {
		return nil, err
	}

	return iam.NewFromConfig(cfg), nil
}

Different users will use the app at the same time, so I can't just use ENV files, but I haven't been able to find a documentation page explaining how to pass these credentials to my Client. Any support will be appreciated!

答案1

得分: 7

这可以通过使用StaticCredentialsProvider来实现,具体方法在AWS SDK for Go V2文档的"Static Credentials"部分中有描述:

cfg, err := config.LoadDefaultConfig(ctx, config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider("AKID", "SECRET_KEY", "TOKEN")))
英文:

This can be achieved with the StaticCredentialsProvider as described in section "Static Credentials" of the AWS SDK for Go V2 documentation:

cfg, err := config.LoadDefaultConfig(ctx, config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider("AKID", "SECRET_KEY", "TOKEN")))

答案2

得分: 3

要从运行时变量初始化配置,可以使用credentials.NewStaticCredentialsProvider

staticProvider := credentials.NewStaticCredentialsProvider(
    accessKey, 
    secretKey, 
    sessionToken,
)
cfg, err := config.LoadDefaultConfig(
    context.Background(), 
    config.WithCredentialsProvider(staticProvider),
)
if err != nil {
    return nil, err
}
client := iam.New(cfg)

然而,AWS SDK文档正确地提醒你:

> 不要将凭据嵌入应用程序中。仅在测试目的中使用此方法。

这是因为通常使用静态凭据的代码片段会传递硬编码的字符串,这显然是一个安全问题。在你的情况下,你正在尝试传递运行时变量,只要这些变量没有与应用程序源代码一起提交,你应该是安全的。

<hr>

对于一般的用例,即环境变量,你可以使用external.LoadDefaultAWSConfig,它会自动按照以下顺序查找:

  • 环境变量
  • 共享配置和共享凭据文件
// import "github.com/aws/aws-sdk-go-v2/aws/external"

cfg, err := external.LoadDefaultAWSConfig(external.WithRegion(region))
if err != nil {
    return nil, err
}

client := iam.New(cfg)

在底层,该方法调用external.NewEnvConfig,它尝试从环境变量中获取凭据:

  • AWS_SECRET_ACCESS_KEYAWS_SECRET_KEY
  • AWS_ACCESS_KEY_IDAWS_ACCESS_KEY

有关环境变量读取优先级的更多详细信息,请参阅EnvConfig文档。

英文:

To init configs from runtime variables, it's fine to use credentials.NewStaticCredentialsProvider:

staticProvider := credentials.NewStaticCredentialsProvider(
    accessKey, 
    secretKey, 
    sessionToken,
)
cfg, err := config.LoadDefaultConfig(
    context.Background(), 
    config.WithCredentialsProvider(staticProvider),
)
if err != nil {
    return nil, err
}
client := iam.New(cfg)

However the AWS SDK documentation correctly reminds you that:

> Do not embed credentials inside an application. Use this method only for testing purposes.

This is because typically code snippets that use static credentials pass hardcoded strings, which obviously is a security issue. In your case, you are attempting to pass runtime variables, so as long as those are not checked in with your application sources, you should be fine.

<hr>

For the general use case, i.e. environment variables, you can use external.LoadDefaultAWSConfig, which automatically looks for, in this order:

  • Environment Variables
  • Shared Configuration and Shared Credentials files.
// import &quot;github.com/aws/aws-sdk-go-v2/aws/external&quot;

	cfg, err := external.LoadDefaultAWSConfig(external.WithRegion(region))
	if err != nil {
		return nil, err
	}

	client := iam.New(cfg)

The method under the hood calls external.NewEnvConfig which tries to fetch credentials from the environment variables:

  • AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY
  • AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY

More details about the read priority of the env vars is given in EnvConfig documentation.

huangapple
  • 本文由 发表于 2021年8月11日 14:27:55
  • 转载请务必保留本文链接:https://go.coder-hub.com/68736991.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定