英文:
How can I store passkeys/tokens in a safe place in AWS to use in other services encrypted?
问题
我有几个正在使用的 Lambda 函数,并且它们在执行过程中使用了一些私有令牌。
我想避免将它们以明文形式保存在 Lambda 函数中,而是希望以某种加密的全局变量或者其他 AWS 提供的方式来保存它们。
我相信 AWS 有很多方法可以实现这一点,但作为一个初学者+AWS 用户,我很想听听您的反馈,什么方法在使用、维护和需要时访问时是安全的。
谢谢!
目前,我的 Lambda 只是以明文形式存储密码。我希望它能够像全局变量一样存储,但我不确定从何处开始。
英文:
I have several lambda's I am working with, and they use some private tokens as part of the execution.
I want to avoid keeping them in the lambda function in plain text, and would rather keep them somehow in an encrypted global variable or some other way AWS is offering for such things?
I'm sure there's plenty of ways to do so in AWS, but as a beginner+ aws user I would love to hear your feedback what would be safe to use, maintain and access when needed.
Thanks!
Currently my lambda is just storing the pass key in plain text.
I need it to be stored like a global variable and I am not sure where to start.
答案1
得分: 1
你应该使用AWS SSM参数存储SecureString,或者使用AWS Secrets Manager来存储这些值。当使用Secrets Manager或者使用SSM参数存储SecureString时,该值将使用AWS KMS进行加密。
如果你想进一步控制这个过程,你可以在AWS KMS中创建一个客户主密钥,并告诉SSM或Secrets Manager使用该密钥进行加密。你的Lambda函数将需要相关的IAM权限来访问安全参数/密钥,以及解密KMS密钥的权限。
英文:
You should use AWS SSM Parameter Store SecureString, or AWS Secrets Manager to store these values. When using Secrets Manager, or when using SSM Parameter Store SecureString, the value will be encrypted using AWS KMS.
If you want further control over this, you can create a Customer Master Key in AWS KMS, and tell SSM or Secrets Manager to use that key for encryption. Your Lambda function will need the relevant IAM permissions to access the secure parameter/secret, as well as decrypt permissions for the KMS key.
答案2
得分: 0
感谢大家的指导!
最终我做了以下操作:
- 在“AWS Secrets Manager”中创建了一个令牌。
- 在我的Lambda IAM角色中添加了一个策略,允许使用ARN来获取特定SECRET的"secretsmanager:GetSecretValue"权限。
- 在我的Lambda函数中添加了以下代码来提取令牌。
def get_SM_key():
secret_name = "SecretNameISavedInSM"
region_name = "name-of-region"
# 创建一个Secrets Manager会话
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name='name-of-region'
)
try:
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
except ClientError as e: # 异常列表 -> https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
raise e
# 使用关联的KMS密钥解密密钥。
secret = get_secret_value_response['SecretString']
return secret
现在它可以正常工作了 
英文:
Thanks for the guidance guys!
Eventually this is what I did:
- Create a token inside the 'AWS Secrets Manager'
- Added to my lambda IAM Role a policy to allow "secretsmanager:GetSecretValue" for the specific SECERT using its arn
- Added the following code in my lambda to extract the token.
def get_SM_key():
secret_name = "SecretNameISavedInSM"
region_name = "name-of-region"
# Create a Secrets Manager session
session = boto3.session.Session()
client = session.client(
service_name = 'secretsmanager',
region_name = 'name-of-region'
)
try:
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
except ClientError as e: # list of exceptions -> https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
raise e
# Decrypts secret using the associated KMS key.
secret = get_secret_value_response['SecretString']
return secret
And it now works
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论