限制对包中的 API Gateway(和 AWS Lambda)的访问
[英]Limiting Access to API Gateway (and AWS Lambda) in a package
问题描述
We have a package that we share with out customers.
我们有一个与客户共享的包。 In the package, we have a chunk of code that does HTTP Request callouts to our central API Gateway.在包中,我们有一段代码,用于对我们的中央 API 网关执行 HTTP 请求调用。 As of now, our API Gateway is open and accepts requests from everywhere, which is not good.截止目前,我们的API网关是开放的,接受来自各地的请求,这并不好。 I want to limit access to our users who would be using our software.我想限制对使用我们软件的用户的访问。 The only solution I have found is using IAM and providing authorization that would require us to include our Access Keys in the package.我发现的唯一解决方案是使用 IAM 并提供授权,这将要求我们在包中包含我们的访问密钥。 Our users can install our package in any environment they want and we have no control over that environment.我们的用户可以在他们想要的任何环境中安装我们的软件包,我们无法控制该环境。 So I think a viable option is to create a generic user policy with minimal access to allow our users to call our API Gateway.所以我认为一个可行的选择是创建一个具有最少访问权限的通用用户策略,以允许我们的用户调用我们的 API 网关。 However, putting access key in the code doesn't seem like a good idea.但是,将访问密钥放在代码中似乎不是一个好主意。 Another option is to provider our customers with access keys but that also has overhead.另一种选择是为我们的客户提供访问密钥,但这也有开销。 What is a better alternative that is more secure and easy to maintain?什么是更安全、更易于维护的更好的替代方案?
1 个解决方案
解决方案1
1 已采纳 2018-02-07 10:14:32
You can use built-in API Gateway API Key functionality when IAM policies aren't possible.当 IAM 策略不可用时,您可以使用内置 API Gateway API Key 功能。
So long as your clients could be on any infrastructure, versus limited to AWS, the API Gateway service provides a generic API key solution, which allows you to restrict client traffic to your API Gateway by enforcing that client requests include API keys.只要您的客户端可以在任何基础设施上,而不是仅限于 AWS,API Gateway 服务就提供了一个通用的 API 密钥解决方案,它允许您通过强制客户端请求包含 API 密钥来限制客户端流量到您的 API 网关。 This API key interface is part of their " API Usage Plan " feature.这个 API 密钥接口是他们“ API 使用计划”功能的一部分。
This document explains how to use the console to set up an API Gateway to enforce that client traffic bears an API key: 本文档介绍了如何使用控制台设置 API 网关以强制客户端流量带有 API 密钥:
To set up API keys, do the following:
Configure API methods to require an API key.
Create or import an API key for the API in a region.
Your clients can implement a "secret storage" solution, in order to avoid putting their API keys into their source code.您的客户可以实施“秘密存储”解决方案,以避免将他们的 API 密钥放入他们的源代码中。
For sure it isn't wise for your clients to store their API Keys plain-text inside their source code.对于您的客户来说,将他们的 API 密钥以纯文本形式存储在他们的源代码中肯定是不明智的。 Instead, they could use a secret storage solution, to store the API keys outside of their codebase, but still give their applications access to the secret.相反,他们可以使用秘密存储解决方案,将 API 密钥存储在他们的代码库之外,但仍然允许他们的应用程序访问秘密。
This article describes an example solution for secure secret storage (eg secure API key storage) which grants an application access to the application secret without putting the unencrypted secret into the source code.本文描述了一个用于安全机密存储(例如安全 API 密钥存储)的示例解决方案,该解决方案授予应用程序访问应用程序机密的权限,而无需将未加密的机密放入源代码中。 It uses Amazon KMS + Cryptex, but the same principle can be applied with other technologies: http://technologyadvice.github.io/lock-up-your-customer-accounts-give-away-the-key/它使用 Amazon KMS + Cryptex,但同样的原理可以应用于其他技术: http ://technologyadvice.github.io/lock-up-your-customer-accounts-give-away-the-key/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.