
AWS BOTO3 : Handling API keys

TL;DR: Is passing auth data to a boto3 script in a csv file named as an argument (and not checked in) less secure than a plaintext shared credentials file (the default answer in the docs) for any reason?

I want to write a boto3 script intended to run from my laptop that uses an IAM key. The main accepted way to initialize your session is to include the API key, the secret, the region, and (if applicable) your session key in a shared credentials file identified by `AWS_SHARED_CREDENTIALS_FILE`, or to have the key and secret be environment variables themselves (`AWS_ACCESS_KEY_ID`, etc.). What I would like to do is load these values into a dictionary `auth` from a csv or similar file, and then use the keys and values of this dictionary to initialize my `boto3.Session`. This is easy to do; but, because a utility to load auth data from csv is so obvious and because so few modules provide this utility, I assume there is some security problem with it that I don't know.

Is there a reason the shared credentials file is safer than a csv file with the auth data passed as an argument to the boto3 script? I understand that running this from an EC2 instance with a role assignment is best, but I'm looking for a way to test libraries locally before adding them to one run through role security.

There is nothing special or secure about a csv file. Its security risks are the same as the credentials file's, since both are text files. If you are worried about security and prefer a file option, one alternative I can think of:

  1. Encrypt the credentials and store them as binary data in a file
  2. In your Boto3 script, read the file, decrypt the data and supply the credentials to Boto3
  3. You can use simple symmetric keys to encrypt the creds
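As an added example that is not from the question or the answer above, this is one way to load such a csv into `boto3.Session` keyword arguments: the parser accepts the header names of the console's access-key download, and the loader refuses a file that is group- or world-readable (the check ssh applies to private keys), which is the practical difference between a csv left at the default download permissions and a credentials file kept at mode 600. The `Region` column and the key values are constructed placeholders; the answer's decrypt step would sit in front of `parse_aws_csv`, and the result is meant for `boto3.Session(**kwargs)`.

```python
import csv
import os
import stat
import tempfile

# Normalised CSV column -> boto3.Session keyword. The first two headers match
# the console's access-key download; Region is an assumption of this example.
COLUMN_MAP = {"access_key_id": "aws_access_key_id",
              "secret_access_key": "aws_secret_access_key",
              "session_token": "aws_session_token", "region": "region_name"}

# Constructed sample; the key values are placeholders, not real credentials.
SAMPLE_CSV = ("Access key ID,Secret access key,Region\n"
              "AKIAEXAMPLEPLACEHOLD,EXAMPLESECRET/NotARealKey,eu-west-1\n")

def parse_aws_csv(text):
    """Return boto3.Session kwargs from CSV text holding exactly one row."""
    rows = list(csv.DictReader(text.splitlines()))
    if len(rows) != 1:
        raise ValueError("expected one credential row, got %d" % len(rows))
    kwargs = {}
    for column, value in rows[0].items():
        key = column.strip().lower().replace(" ", "_")
        if key in COLUMN_MAP and value:
            kwargs[COLUMN_MAP[key]] = value.strip()
    if not {"aws_access_key_id", "aws_secret_access_key"} <= kwargs.keys():
        raise ValueError("CSV is missing the access key id or the secret")
    return kwargs  # intended for boto3.Session(**kwargs)

def load_aws_csv(path):
    """Like ssh's private-key check: refuse a file that others can read."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; chmod 600 it" % path)
    with open(path, newline="") as fh:
        return parse_aws_csv(fh.read())

def demo():
    """Write SAMPLE_CSV at mode 0600 then 0644; return (kwargs, unsafe_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.csv")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CSV)
        os.chmod(path, 0o600)
        kwargs = load_aws_csv(path)
        os.chmod(path, 0o644)  # world-readable, as a browser download usually is
        try:
            load_aws_csv(path)
            return kwargs, False
        except PermissionError:
            return kwargs, True
```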
