
AWS Lambda: How to store secret to external API?

I'm building a monitoring tool based on AWS Lambda. Given a set of metrics, the Lambdas should be able to send SMS using the Twilio API. To be able to use the API, Twilio provides an account SID and an auth token.

How and where should I store these secrets?

I'm currently thinking of using AWS KMS, but there might be other better solutions.

Here is what I've come up with. I'm using AWS KMS to encrypt my secrets into a file that I upload with the code to AWS Lambda. I then decrypt them when I need to use them.

Here are the steps to follow.

First create a KMS key. You can find documentation here: http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

Then encrypt your secret and put the result into a file. This can be achieved from the CLI with:

aws kms encrypt --key-id some_key_id --plaintext "This is the secret you want to encrypt" --query CiphertextBlob --output text | base64 -D > ./encrypted-secret
# base64 -D is the older macOS spelling of the decode flag; GNU coreutils uses base64 -d (or --decode on both)

You then need to upload this file as part of the Lambda. You can decrypt and use the secret in the Lambda as follows.

var fs = require('fs');
var AWS = require('aws-sdk');
// The KMS client must be created in the region that holds the key.
var kms = new AWS.KMS({region:'eu-west-1'});

// The raw (already base64-decoded) ciphertext blob shipped with the deployment package.
var secretPath = './encrypted-secret';
var encryptedSecret = fs.readFileSync(secretPath);

var params = {
  CiphertextBlob: encryptedSecret
};

// The Lambda execution role needs kms:Decrypt on the key for this call to succeed.
kms.decrypt(params, function(err, data) {
  if (err) console.log(err, err.stack);
  else {
    // Plaintext comes back as a Buffer; convert it to a string before use.
    var decryptedSecret = data['Plaintext'].toString();
    console.log(decryptedSecret);
  }
});

I hope you'll find this useful.

As of AWS Lambda support for NodeJS 4.3, the correct answer is to use Environment Variables to store sensitive information. This feature integrates with AWS KMS, so you can use your own master keys to encrypt the secrets if the default is not enough.

There is a blueprint for a Nodejs Lambda function that starts off with decrypting an api key from kms. It provides an easy way to decrypt using a promise interface. It also gives you the role permissions that you need to give the lambda function in order to access kms. The blueprint can be found by searching for "algorithmia-blueprint".

Well...that's what KMS was made for :) And certainly more secure than storing your tokens in plaintext in the Lambda function or delegating to a third-party service.

If you go down this route, check out this blog post for an existing usage example to get up and running faster. In particular, you will need to add the following to your Lambda execution role policy:

"kms:Decrypt",
"kms:DescribeKey",
"kms:GetKeyPolicy",

The rest of the code for the above example is a bit convoluted; you should really only need describeKey() in this case.

Whatever you choose to do, you should use a tool like GitMonkey to monitor your code repositories and make sure your keys are not committed or pushed to them.
