

What is the best way to securely provide AWS RDS credentials to AWS Lambda functions?

I am creating a CI/CD pipeline using AWS CodePipeline to deploy several Lambda functions. Currently I am manually uploading .zip files for the Lambda functions, which include a configuration.json file that has credentials to access the RDS database.

I have already created a SAM template to deploy the Lambda functions via CodePipeline; however, I am unable to think of a solution to provide RDS database credentials to the Lambda functions, since committing the configuration.json file to the code repository is not an option.

AWS Secrets Manager is NOT an option for me, as it would be very costly due to millions of API calls hitting the Lambda functions.

You could use one of the suggestions given by AWS in some of the blueprints. This example I took from the Slack echo notification blueprint, and I use it in some of my Lambda functions. To encrypt your secrets, use the following steps:

  1. Create or use an existing KMS key - http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

  2. Click the "Enable Encryption Helpers" checkbox.

  3. Paste <COMMAND_TOKEN> into the kmsEncryptedToken environment variable and click "Encrypt".

Follow these steps to complete the configuration of your command API endpoint:

  1. When completing the blueprint configuration, select "Open" for security on the "Configure triggers" page.

  2. Enter a name for your execution role in the "Role name" field. Your function's execution role needs kms:Decrypt permissions. We have pre-selected the "KMS decryption permissions" policy template, which will automatically add these permissions.

Let me show a simple Lambda function written in Python:

Check out this example registration screenshot.

import boto3
import json
import logging
import os

from base64 import b64decode
from urllib.parse import parse_qs  # Python 3 location of the old `urlparse.parse_qs`


# The KMS-encrypted, base64-encoded token is injected through the
# kmsEncryptedToken environment variable configured in the steps above.
ENCRYPTED_EXPECTED_TOKEN = os.environ['kmsEncryptedToken']

# Decrypt once at cold start; the plaintext is reused by every invocation
# served by this execution environment instead of calling KMS each time.
kms = boto3.client('kms')
expected_token = kms.decrypt(CiphertextBlob=b64decode(ENCRYPTED_EXPECTED_TOKEN))['Plaintext']

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def lambda_handler(event, context):
    # Slack posts the command as a form-encoded body; reject requests whose
    # token does not match the decrypted value.
    params = parse_qs(event.get('body', ''))
    token = params.get('token', [''])[0]
    if token.encode() != expected_token:
        logger.error('Request token %s does not match expected', token)
        return {'statusCode': 403, 'body': json.dumps({'error': 'invalid request token'})}
    return {'statusCode': 200, 'body': json.dumps({'text': 'ok'})}

Hope this helps.
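The same KMS-encrypted-environment-variable pattern applied to the question's actual problem, as an added example that is not part of the original answer or of any AWS blueprint: the RDS connection settings are stored as one JSON blob encrypted with KMS, decrypted once per execution environment and cached in memory (so the cost concern from the question, one KMS call per cold start rather than per invocation, is addressed), and bound to an encryption context so a ciphertext copied into a different function's configuration will not decrypt. The `FakeKmsClient`, the environment variable name `kmsEncryptedDbConfig`, the context key `LambdaFunctionName` and the credential values are all constructed for this example; `build_default_cache` shows the wiring to the real `boto3` client.

```python
import base64
import json
import os


class FakeKmsClient:
    """Constructed stand-in for boto3's KMS client so the example runs offline.

    It mirrors the two calls used here, encrypt(KeyId, Plaintext, EncryptionContext)
    and decrypt(CiphertextBlob, EncryptionContext). The "ciphertext" is only an
    encoding, not encryption; what matters is the API shape and that decryption
    fails when the encryption context differs, exactly as real KMS behaves.
    """

    PREFIX = b"fake-kms:"

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        payload = {"key": KeyId, "ctx": EncryptionContext or {},
                   "pt": base64.b64encode(Plaintext).decode()}
        return {"CiphertextBlob": self.PREFIX + json.dumps(payload).encode()}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        if not CiphertextBlob.startswith(self.PREFIX):
            raise ValueError("InvalidCiphertextException")
        payload = json.loads(CiphertextBlob[len(self.PREFIX):])
        if payload["ctx"] != (EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": base64.b64decode(payload["pt"]), "KeyId": payload["key"]}


class CachedDbCredentials:
    """Decrypts the KMS-encrypted JSON blob held in an environment variable once
    per execution environment and serves it from memory afterwards."""

    def __init__(self, kms_client, env_name="kmsEncryptedDbConfig", encryption_context=None):
        self._kms = kms_client
        self._env_name = env_name
        self._ctx = encryption_context or {}
        self._creds = None
        self.decrypt_calls = 0  # exposed so the once-per-cold-start behaviour is observable

    def get(self):
        if self._creds is None:
            encoded = os.environ.get(self._env_name)
            if not encoded:
                raise RuntimeError(f"environment variable {self._env_name} is not set")
            resp = self._kms.decrypt(CiphertextBlob=base64.b64decode(encoded),
                                     EncryptionContext=self._ctx)
            self.decrypt_calls += 1
            self._creds = json.loads(resp["Plaintext"].decode("utf-8"))
        return self._creds


def stage_example_secret(kms_client, encryption_context, env_name="kmsEncryptedDbConfig"):
    """Does offline what the console's encryption helper does: encrypts constructed
    RDS settings and places the base64 ciphertext in the environment."""
    constructed_creds = {"host": "db.example.internal", "port": 5432,
                         "username": "app_user", "password": "constructed-example-password"}
    blob = kms_client.encrypt(KeyId="alias/example-key",  # constructed key alias
                              Plaintext=json.dumps(constructed_creds).encode(),
                              EncryptionContext=encryption_context)["CiphertextBlob"]
    os.environ[env_name] = base64.b64encode(blob).decode()
    return CachedDbCredentials(kms_client, env_name, encryption_context)


def build_default_cache():
    """Wiring for a real deployment. boto3 is imported lazily so this module can be
    imported and tested without it; the execution role needs kms:Decrypt on the key."""
    import boto3  # assumed to be present in the Lambda runtime
    return CachedDbCredentials(
        boto3.client("kms"),
        encryption_context={"LambdaFunctionName": os.environ.get("AWS_LAMBDA_FUNCTION_NAME", "")},
    )


_cache = None


def handler(event, context, cache=None):
    global _cache
    if cache is None:
        if _cache is None:
            _cache = build_default_cache()
        cache = _cache
    creds = cache.get()
    # A real function would open the RDS connection here with creds["host"],
    # creds["username"] and creds["password"]; the password is never returned.
    return {"statusCode": 200,
            "body": json.dumps({"user": creds["username"], "host": creds["host"]})}
```

Because the ciphertext is bound to `{"LambdaFunctionName": ...}`, the execution role's `kms:Decrypt` permission can additionally be restricted with a `kms:EncryptionContext:LambdaFunctionName` condition, so one KMS key can serve several functions without any of them being able to decrypt another's configuration.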
