我应该使用 Secrets Manager 来存储客户的 API 密钥吗?
[英]Should I use Secrets Manager for storing customers' API keys?
问题描述
I'm implementing a service that requires me to call my customers' API using their API keys.
我正在实施一项服务,该服务要求我使用客户的 API 密钥调用客户的 API。 My customers will provide me with their API keys in their accounts.我的客户将在他们的帐户中向我提供他们的 API 密钥。
When I'm calling my customers' API, I have to retrieve their API key before making the call.当我打电话给客户的 API 时,我必须在拨打电话之前检索他们的 API 密钥。 Since these are my customers' API keys and I want them to be kept safely, I'm considering keeping all of them in AWS Secrets Manager.由于这些是我客户的 API 密钥并且我希望它们能够安全保存,因此我正在考虑将它们全部保存在 AWS Secrets Manager 中。 I have roughly about 5,000 users (still growing) and I plan to store all their keys into a single secret in Secrets Manager.我有大约 5,000 个用户(仍在增长),我计划将他们的所有密钥存储到 Secrets Manager 中的单个密钥中。 My application makes about a few millions calls to my customers API a month and it needs to retrieve the keys at high frequency and concurrency.我的应用程序每月向我的客户 API 进行大约数百万次调用,它需要以高频率和并发方式检索密钥。
However, I'm not sure if this is the kind of use case for Secrets Manager because their docs sound to me like it was meant for just keeping secret information for the application and not for customers like a database.但是,我不确定这是否是 Secrets Manager 的用例,因为他们的文档对我来说听起来像是只为应用程序保留秘密信息,而不是为数据库等客户保留。 At the same time, storing encrypted keys in the database and having to decrypt them with a KMS key sounds like I may end up with roughly the same cost.同时,将加密密钥存储在数据库中并不得不使用 KMS 密钥对其进行解密,听起来我最终可能会付出大致相同的成本。
Is Secrets Manager meant for such a use case to store customers' sensitive information such as API keys? Secrets Manager 是否适用于这样的用例来存储客户的敏感信息,例如 API 密钥? If not, what should I consider in my case?如果没有,在我的情况下我应该考虑什么?
1 个解决方案
解决方案1
1 已采纳 2021-03-03 18:02:12
50k api keys in a single secret is goinfg to be very unwieldy.单个密钥中的 50k api 密钥将变得非常笨拙。 Assuming a 40 byte token, you're looking at 2mb of data - SSM has a max data length for a value of 4096 bytes unless I'm mistaken.假设一个 40 字节的令牌,您正在查看 2mb 的数据 - SSM 的最大数据长度为 4096 字节,除非我弄错了。
To me it would make more sense to generate a key with KMS and use that key to encrypt customer API keys before writing them to a DynamoDB table (or even RDS if you so desire) When you need to use a customer API key, fetch it from dynamoDB, decrypt it with the KMS key, and then make use of it.对我来说,使用 KMS 生成密钥并使用该密钥加密客户 API 密钥,然后再将它们写入 DynamoDB 表(如果您愿意,甚至可以是 RDS)当您需要使用客户 API 密钥时,获取它会更有意义从 dynamoDB 中,使用 KMS 密钥对其进行解密,然后使用它。
If you want automatic key rotation, SSM could be used to encrypt the key you use to encrypt the client API tokens.如果您想要自动密钥轮换,SSM 可用于加密您用于加密客户端 API 令牌的密钥。 Your token decryption key would remain usable while the wrapping SSM entry would be reencrypted with a key rotation set by policy.您的令牌解密密钥将保持可用,而包装 SSM 条目将使用策略设置的密钥轮换重新加密。
Finally, as Software Engineer suggested above, there is Vault.最后,正如上面软件工程师所建议的,还有 Vault。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.