
How to secure the AWS access key in serverless

I am writing a serverless application which is connected to DynamoDB. Currently I am reading the access key ID and secret access key from a JSON file. I am going to use Jenkins for CI and need a way to secure these keys.

What I am going to do is set the keys as environment variables and read them in the application. But the problem is I don't know how to set the environment variables every time a Lambda function is started.

I have read there's a way to configure this in the serverless.yml file, but I don't know how.

How do I achieve this?

Don't use environment variables. Use the IAM role that is attached to your Lambda function. AWS Lambda assumes the role on your behalf and sets the credentials as environment variables when your function runs. You don't even need to read these variables yourself. All of the AWS SDKs will read these environment variables automatically.

There's a good guide on serverless security which, among other topics, covers this one as well. It's similar to the OWASP top 10.

In general, the best practice would be to use AWS Secrets Manager together with the SSM Parameter Store.
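The two answers above (use the function's IAM role instead of static keys; keep any remaining secrets in Secrets Manager / SSM Parameter Store) translate into one serverless.yml. The following is an added example, not code from the original question or answers, and it assumes Serverless Framework v3 syntax (`provider.iam.role.statements`, `${sls:stage}`, `${aws:region}`, `${aws:accountId}`), a Python runtime, and placeholder names (service `orders-api`, table `OrdersTable`, handler `handler.main`, SSM parameter `/orders-api/<stage>/api-token`) that you would replace with your own:

```yaml
# Added example (not from the original page). Assumed names: service
# "orders-api", DynamoDB table "OrdersTable", handler "handler.main",
# SSM parameter /orders-api/<stage>/api-token.
service: orders-api

provider:
  name: aws
  runtime: python3.12
  region: us-east-1
  stage: ${opt:stage, 'dev'}

  # Weak setting (shown commented out, never deploy it): long-lived IAM user
  # keys in the function environment are readable by anyone with
  # lambda:GetFunctionConfiguration and end up in backups and deploy logs.
  # environment:
  #   AWS_ACCESS_KEY_ID: AKIA...        # do not do this
  #   AWS_SECRET_ACCESS_KEY: ...        # do not do this

  # Corrected setting: grant the function's execution role only what the
  # handler needs. Lambda assumes this role per invocation and injects
  # short-lived credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/
  # AWS_SESSION_TOKEN); boto3 and the other SDKs pick them up automatically,
  # so the handler simply calls boto3.resource("dynamodb") with no key file.
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:Query
          Resource:
            - Fn::GetAtt: [OrdersTable, Arn]
        # Non-AWS secrets (a third-party API token, say) are fetched at runtime
        # from SSM via the same role, so the secret value itself is never
        # stored in git, a JSON file, or the function configuration.
        - Effect: Allow
          Action:
            - ssm:GetParameter
          Resource:
            - arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/orders-api/${sls:stage}/api-token
        # If the SecureString parameter is encrypted with a customer-managed
        # KMS key, add kms:Decrypt on that key's ARN here as well.

  environment:
    # Only non-secret configuration goes into the environment.
    TABLE_NAME:
      Ref: OrdersTable
    API_TOKEN_PARAM: /orders-api/${sls:stage}/api-token

functions:
  getOrder:
    handler: handler.main
    events:
      - httpApi:
          path: /orders/{id}
          method: get

resources:
  Resources:
    OrdersTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: orders-${sls:stage}
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
```

Two points worth checking in a review of such a file: the `Resource` entries are scoped to the one table and the one parameter rather than `"*"`, and the deploy credentials that Jenkins uses are a separate concern from the function's runtime credentials. The CI job needs its own (ideally role-based, short-lived) permission to run `serverless deploy`; nothing from the Jenkins side has to be copied into the function's environment. If you prefer deploy-time resolution, `${ssm:/orders-api/${sls:stage}/api-token}` is valid Serverless Framework syntax, but be aware that it bakes the resolved value into the function configuration, which is why the example fetches the parameter at runtime instead.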
