在GitHub中使用AWS凭证的REST API存在问题。

huangapple go评论91阅读模式
英文:

Issue with aws credential for REST API in GitHub

问题

我有一个使用Go编写的REST API,它使用AWS SES发送电子邮件。当我使用Docker在本地部署API时,电子邮件会通过SES在本地环境中发送。现在我已经为API编写了集成测试,在本地系统中运行得很完美,而且所需的AWS凭证已经放置在默认位置".aws/credential"中。我已经将源代码放置在GitHub仓库中。我希望这个集成测试能够在每次提出PR时执行,为此我已经设置了GitHub Action。在GitHub上,除了使用AWS SES的API之外,所有的API都可以正常工作,因为它没有可用的AWS凭证。我已经尝试了几种在GitHub上提供AWS凭证而不暴露它们的方法,但迄今为止都没有成功。因此,需要一些关于如何解决这个问题的帮助。

英文:

I have have rest api written in Go which uses AWS SES to send email. When I deploy the api locally using docker the email is getting send through SES in localhost environment. Now I have written integration test for the api, which works perfectly in local system, also the aws credential that is required is placed at default location that is ".aws/credential". I have the placed source code in github repo. I want this integration test to get execute for every PR that is raised, for which I have set github action too. All api works in github except the one uses AWS SES, as it doesn't have the aws credential available. I have tried couple of ways to provide aws creds in github without exposing them, but nothing worked so far. Hence need some help on how to do this.

答案1

得分: 1

你的应用程序无法找到凭据,因为它存储在主机的 .aws/credential 路径中,而不是容器内部。

有几种解决此问题的方法,其中之一是将主机的 .aws/credential 挂载到 Docker 容器中。

如果你使用 docker run 命令,可以使用 -v 参数:

docker run -v ${HOME}/.aws/credentials:/root/.aws/credentials:ro  ...

如果你使用 docker-compose,可以在 volume 下指定路径映射:

version: '3'
services:
  app:
    image: your_image
    volumes:
      - ${HOME}/.aws/credentials:/root/.aws/credentials:ro

然而,上述解决方案并不是最佳选择,从安全角度来看存在风险。

我建议改为将凭据作为环境变量传递。

英文:

Your application can't locate the credentials because it is stored in your host's .aws/credential path, not within your container.

There are several solutions available to resolve this particular issue, one of them is by simply mounting the .aws/credential from your host to your docker container.

If you are using docker run command, use -v:

docker run -v ${HOME}/.aws/credentials:/root/.aws/credentials:ro  ...

or if you are using docker-compose, specify the path mapping under volume:

version: '3'
services:
  app:
    image: your_image
    volumes:
      - ${HOME}/.aws/credentials:/root/.aws/credentials:ro

However, the above solution is not the best one to use, it is risky from a security perspective.

I recommend passing the credentials as environment variables instead.

huangapple
  • 本文由 发表于 2023年4月4日 18:12:02
  • 转载请务必保留本文链接:https://go.coder-hub.com/75928138.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定