
How to (properly) use external credentials in an AWS Lambda function?

I have an (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.

What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).

These are the relevant parts of the function:

import base64
import httplib2

h = httplib2.Http()
# b64encode instead of encodestring: encodestring appends a newline,
# which would end up inside the Authorization header value.
auth = base64.b64encode('myuser' + ':' + 'mysecretpassword')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers={'Authorization': 'Basic ' + auth, 'Accept': 'application/xml;version=5.7'})

and then

import boto

# AWS keys hard-coded in the function (placeholder values)
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah', aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')

How would you go about cleaning the code by NOT having these credentials inside the function?

FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).

In your example you have 2 types of credentials:

  1. AWS creds
  2. Non-AWS creds

With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you're good to go.

With non-AWS creds the most secure approach would be:

  1. Encrypt credentials upfront using the KMS service ( kms.encrypt('foo') ).
  2. Once you have the encrypted version of your information, feel free to store it anywhere you want. The simplest way would be to hard-code it in the lambda.
  3. Add permission to the lambda IAM Role to decrypt the information using the KMS key that you used in step 1.
  4. Then each time the lambda is invoked, let it call KMS to decrypt the information.

The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:

conn = boto.connect_dynamodb()

Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to the LambdaExec role. Also take a look at: Easy Authorization of AWS Lambda Functions
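An added example (not from either answer) that puts both suggestions together: the non-AWS password is stored only as a KMS ciphertext and decrypted at invocation, while DynamoDB is reached through the execution role with no keys in the code. The environment variable name, the DynamoDB table name and the `kms_client` injection parameter are assumptions made for this example; the role needs kms:Decrypt on the key and the usual DynamoDB write permission.

```python
import base64
import os
import urllib.request

# Ciphertext produced once, out of band (e.g. `aws kms encrypt`, which
# returns a base64 CiphertextBlob). Read from an environment variable here;
# the placeholder default is not a real ciphertext.
ENCRYPTED_PASSWORD = os.environ.get("ENCRYPTED_PASSWORD", "<base64 ciphertext>")
LOGIN_USER = "myuser"


def decrypt_with_kms(ciphertext_b64, kms_client=None):
    """Return the plaintext for a base64-encoded KMS ciphertext.

    The Lambda execution role needs kms:Decrypt on the key used for the
    upfront encrypt; no long-lived secret appears in the function code.
    kms_client is injectable so the function can be exercised offline.
    """
    if kms_client is None:
        import boto3  # assumed present in the Lambda runtime
        kms_client = boto3.client("kms")
    blob = base64.b64decode(ciphertext_b64)
    return kms_client.decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")


def basic_auth_headers(user, password):
    """Build the Basic auth headers (b64encode adds no trailing newline)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token,
            "Accept": "application/xml;version=5.7"}


def lambda_handler(event, context):
    # Step 4 of the KMS answer: decrypt on each invocation.
    password = decrypt_with_kms(ENCRYPTED_PASSWORD)
    req = urllib.request.Request("https://vca.vmware.com/api/iam/login",
                                 method="POST",
                                 headers=basic_auth_headers(LOGIN_USER, password))
    with urllib.request.urlopen(req) as resp:
        status = resp.status
    # DynamoDB access comes from the execution role: no keys passed to boto3.
    import boto3
    table = boto3.resource("dynamodb").Table("login-status")  # hypothetical table
    table.put_item(Item={"service": "vca", "status": status})
    return status
```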
