How to (properly) use external credentials in an AWS Lambda function?
I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.
What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).
These are the relevant parts of the function:
import base64
import httplib2

h = httplib2.Http()
auth = base64.encodestring('myuser' + ':' + 'mysecretpassword')  # embedded external-service credential (#1); Python 2 encodestring, which appends a trailing newline
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {'Authorization':'Basic ' + auth,'Accept':'application/xml;version=5.7'})
and then
import boto
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')  # embedded AWS credentials (#2); values shown are fakes
How would you go about cleaning the code by NOT having these credentials inside the function?
FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).
In your example you have 2 types of credentials:
With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you're good to go.
With non-AWS creds the most secure approach would be:
kms.encrypt('foo')
The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:
conn = boto.connect_dynamodb()
Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to the LambdaExec role.
Also take a look at: Easy Authorization of AWS Lambda Functions
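As an added example (not code from the question or from either answer), here is the handler restructured along the lines both answers describe: DynamoDB is reached through the execution role with no access keys in the code, and the external-service password is a KMS-encrypted environment variable decrypted once at cold start. The env var names EXTERNAL_USER, EXTERNAL_PASSWORD_ENC and TABLE_NAME, the table key run_id, and the use of boto3/urllib in place of boto/httplib2 are assumptions.

```python
import base64
import os
import urllib.error
import urllib.request

LOGIN_URL = "https://vca.vmware.com/api/iam/login"


def basic_auth_headers(user, password):
    """Same headers the question sends, but built with b64encode so no
    trailing newline (which base64.encodestring adds) lands in the header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token,
            "Accept": "application/xml;version=5.7"}


def kms_decrypt(ciphertext_blob):
    """Decrypt with the execution role's KMS permissions; no keys in code.
    boto3 is imported lazily so the pure helpers run without AWS installed."""
    import boto3
    return boto3.client("kms").decrypt(CiphertextBlob=ciphertext_blob)["Plaintext"]


def load_password(encrypted_b64, decrypt=kms_decrypt):
    """The env var holds base64(KMS ciphertext); return the plaintext str.
    `decrypt` is injectable so this path can be exercised without KMS."""
    return decrypt(base64.b64decode(encrypted_b64)).decode()


_PASSWORD = None  # decrypted once per container, reused across invocations


def handler(event, context):
    global _PASSWORD
    if _PASSWORD is None:
        _PASSWORD = load_password(os.environ["EXTERNAL_PASSWORD_ENC"])
    req = urllib.request.Request(
        LOGIN_URL, method="POST",
        headers=basic_auth_headers(os.environ["EXTERNAL_USER"], _PASSWORD))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # record failed logins too
        status = err.code
    # DynamoDB via the execution role: boto3 picks up the role's temporary
    # credentials from the Lambda environment, so no access keys appear here.
    import boto3
    table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
    table.put_item(Item={"run_id": context.aws_request_id, "status": status})
    return {"status": status}
```

The execution role needs kms:Decrypt on the key used to encrypt the variable and dynamodb:PutItem on the table, and nothing broader.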