从 AWS Lambda 控制台隐藏环境变量
[英]Hide environment variables from AWS Lambda Console
问题描述
I have some lambda functions which uses some environment variables.
我有一些使用一些环境变量的 lambda 函数。 I understand that we can use AWS KMS to encrypt them and then from AWS console they will not be visible.我知道我们可以使用 AWS KMS 来加密它们,然后从 AWS 控制台看不到它们。
In my case using KMS is not possible so I was wondering if there is some other way, probably by restricting at IAM level so that a user should not see env variables.在我的情况下,使用 KMS 是不可能的,所以我想知道是否有其他方法,可能是通过在 IAM 级别进行限制,以便用户不应该看到 env 变量。
I have already tried removing GetFunction and GetFunctionConfiguration from policy.我已经尝试从策略中删除GetFunction和GetFunctionConfiguration 。 It works but the problem is, user is not able to see other things because now GetFunctionConfiguration is not allowed.它有效,但问题是,用户无法看到其他内容,因为现在不允许使用GetFunctionConfiguration 。
Is there any fine grain permission setting which can only hide env variables from the AWS Lambda console?是否有任何细粒度权限设置只能从 AWS Lambda 控制台隐藏环境变量?
Thanks in advance.提前致谢。
3 个解决方案
解决方案1
4 2020-02-03 19:42:44
At the Lambda level, I'm afraid there is no way to implement some sort of RBAC for environment variable visibility within the console.在 Lambda 级别,恐怕无法在控制台中实现某种 RBAC 以实现环境变量的可见性。
If you have access to SSM Parameter Store , this will help solve your problem.如果您有权访问SSM Parameter Store ,这将有助于解决您的问题。
By storing the environment variables inside SSM, you can implement IAM based access control on each parameter by the path you place them in. This will give you a centralized location to manage your parameters for your lambdas, and help minimize code changes.通过将环境变量存储在 SSM 中,您可以通过放置它们的路径对每个参数实施基于 IAM 的访问控制。这将为您提供一个集中位置来管理您的 lambda 参数,并有助于最大程度地减少代码更改。
How To Store Your AWS Lambda Secrets - Medium outlines a similar scenario and how to utilize SSM effectively with Lambda. How To Store Your AWS Lambda Secrets - Medium概述了一个类似的场景以及如何通过 Lambda 有效地利用 SSM。
解决方案2
2 2020-02-03 19:39:08
The short answer is no.最简洁的答案是不。 The solution to this is, as you pointed out, to use KMS to encrypt the variable and then decrypt it in your code.正如您所指出的,解决方案是使用 KMS 加密变量,然后在您的代码中对其进行解密。
解决方案3
1 2020-05-11 04:40:04
As an updated answer, there is now a way to achieve it:作为更新的答案,现在有一种方法可以实现它:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-environment-variables-iam-access/ https://aws.amazon.com/premiumsupport/knowledge-center/lambda-environment-variables-iam-access/
The idea is to use KMS with a Customer Master Key and a policy which deny KMS actions这个想法是将 KMS 与客户主密钥和拒绝 KMS 操作的策略一起使用
{
"Id": "MyCustomKey",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny IAM users permission to see Lambda environment variables",
"Effect": "Deny",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:User1DeniedAccess",
"arn:aws:iam::1234567890:User2DeniedAccess"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
This should prevent your IAM users from seeing env variables.这应该可以防止您的 IAM 用户看到环境变量。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.