Where to keep the Initial Trust credentials of a Secrets Management tool?

For our product we have decided to implement a Secret Management tool (AWS Secrets Manager) that will securely store and manage all our secrets such as DB credentials, passwords, API keys, etc.

In this way the secrets are not stored in code, the database, or anywhere in the application. We have to provide the AWS credentials (Access Key ID and Secret Access Key) to programmatically access the APIs of Secrets Manager.

Now the biggest question that arises is: where to keep this Initial Trust, i.e. the credentials to authenticate to AWS Secrets Manager? This is a bootstrapping problem. Again, we have to maintain something outside of the secret store, in a configuration file or somewhere. I feel that if this is compromised then there is no real meaning in storing everything in a Secret Management tool.

I read the AWS SDK developer guide and understand that there are some standard ways to store AWS credentials, like storing them in environment variables, in a credentials file with different profiles, and by using IAM roles for Amazon EC2 instances.

We don't run/host our application in the Amazon cloud; we just want to use the AWS Secrets Manager service from the AWS cloud. Hence, configuring IAM roles might not be the solution for us.

Are there any best practices (or) a best place to keep the Initial Trust credentials?

If you're accessing secrets from an EC2 instance, an ECS Docker container or a Lambda function, you can use Roles with a policy that allows access to Secrets Manager.

If an IAM Role is not an option, you can use Federation Login to get temporary credentials (IAM Role) with a policy that allows access to Secrets Manager.

As @Tomasz Breś said, you can use federation if you are already using an on-premises auth system like Active Directory or Kerberos.

If you do not have any type of credentials already on the box, you are left with two choices: store your creds in a file and use file system permissions to protect them, or use hardware like an HSM or TPM to encrypt or store your creds.

In any case, when you store creds on the box (even AD/Kerberos), you should ensure only the application owner has access to that box (in the case of a stand-alone app and not a shared CLI). You should also harden the box by turning off all unnecessary software and access methods.
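Both answers come down to the same pattern for a host outside AWS: keep one long-lived bootstrap credential on the box, protect it with file system permissions, and use it only to obtain short-lived, narrowly scoped credentials (via STS AssumeRole or federation) that actually talk to Secrets Manager. The following is an added example illustrating that pattern; it is not code from either answer or from AWS. The file layout follows the standard AWS shared credentials file format, the permission checks assume a POSIX host, and the role ARN, secret ARN and region in `fetch_secret` are hypothetical placeholders. Only `fetch_secret` needs `boto3` and network access; everything else runs offline.

```python
"""
Bootstrap-credential handling for a non-AWS host that reads AWS Secrets Manager.

Hypothetical example (not from the original answers). The only long-lived
secret on the box is a credentials file readable solely by the application
user. Before use, the loader refuses a file that is a symlink, owned by
someone else, or group/world accessible. The long-lived key is then used only
to call STS AssumeRole with a session policy restricted to GetSecretValue on
the specific secrets the application needs, so the credentials that reach the
application code are short-lived and narrowly scoped.
"""
import configparser
import json
import os
import stat
from pathlib import Path
from typing import Dict, List, Optional


class InsecureCredentialFile(Exception):
    """Raised when the bootstrap credentials file is not adequately protected."""


def check_credential_file(path: Path, expected_uid: Optional[int] = None) -> None:
    """Refuse to use a credentials file unless it is a private regular file."""
    st = path.lstat()  # lstat so a symlink planted at this path is detected
    if stat.S_ISLNK(st.st_mode):
        raise InsecureCredentialFile(f"{path} is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(
            f"{path} is accessible to group/others (mode {oct(st.st_mode & 0o777)})"
        )
    uid = os.getuid() if expected_uid is None else expected_uid  # POSIX only
    if st.st_uid != uid:
        raise InsecureCredentialFile(f"{path} is owned by uid {st.st_uid}, expected {uid}")


def write_bootstrap_credentials(path: Path, access_key_id: str,
                                secret_access_key: str, profile: str = "default") -> None:
    """Create the credentials file with mode 0600 atomically (O_EXCL: never overwrite)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[{profile}]\n"
                 f"aws_access_key_id = {access_key_id}\n"
                 f"aws_secret_access_key = {secret_access_key}\n")


def load_bootstrap_credentials(path: Path, profile: str = "default") -> Dict[str, str]:
    """Check protections first, then parse the AWS shared-credentials-file format."""
    check_credential_file(path)
    cp = configparser.ConfigParser()
    cp.read(path)
    if profile not in cp:
        raise KeyError(f"profile {profile!r} not found in {path}")
    section = cp[profile]
    return {
        "aws_access_key_id": section["aws_access_key_id"],
        "aws_secret_access_key": section["aws_secret_access_key"],
    }


def session_policy(secret_arns: List[str]) -> dict:
    """Session policy that further narrows the assumed role to reading named secrets."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": secret_arns,
        }],
    }


def fetch_secret(creds: Dict[str, str], role_arn: str, secret_arn: str, region: str) -> str:
    """Exchange the bootstrap key for 15-minute scoped credentials, then read one secret."""
    import boto3  # imported lazily so the offline checks above run without the SDK
    sts = boto3.client("sts", region_name=region, **creds)
    assumed = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="secrets-reader",
        Policy=json.dumps(session_policy([secret_arn])),
        DurationSeconds=900,  # STS minimum; the long-lived key is never used past this point
    )
    tmp = assumed["Credentials"]
    sm = boto3.client(
        "secretsmanager", region_name=region,
        aws_access_key_id=tmp["AccessKeyId"],
        aws_secret_access_key=tmp["SecretAccessKey"],
        aws_session_token=tmp["SessionToken"],
    )
    return sm.get_secret_value(SecretId=secret_arn)["SecretString"]


if __name__ == "__main__":
    # Placeholders: replace the path, role ARN, secret ARN and region for a real deployment.
    bootstrap = load_bootstrap_credentials(Path("/etc/myapp/aws-bootstrap"))
    print(fetch_secret(bootstrap,
                       "arn:aws:iam::123456789012:role/myapp-secrets-reader",
                       "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds-PLACEHOLDER",
                       "us-east-1"))
```

The split between `check_credential_file` and `fetch_secret` is the point: the file permission check is the only protection the long-lived key has on a non-AWS host, so the loader fails closed, and the IAM role plus session policy limit what a leaked temporary credential could do to `GetSecretValue` on the listed secrets for at most 15 minutes.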
