如何使用 boto3 轮换我的 AWS IAM 用户访问权限和密钥?
[英]How do I rotate my AWS IAM user access and secret key using boto3?
问题描述
We are using the Python AWS SDK ( boto3 ) to connect to S3.
我们正在使用 Python AWS SDK ( boto3 ) 连接到 S3。
We have a static access and secret token, however my.network is not safe.我们有一个 static 访问和秘密令牌,但是 my.network 并不安全。
I can't use another.network for sending requests so is there a way to change the access and secret keys after every request?我不能使用 another.network 发送请求,所以有没有办法在每次请求后更改访问密钥和密钥?
I can save a new token in a safe database for sending another request but it's important that after using the token, it expires.我可以在安全数据库中保存一个新令牌以发送另一个请求,但重要的是在使用该令牌后,它会过期。
What I'm looking for:我在找什么:
send: curl https://aws.endpoint/refresh/token
response: {“new_access_token”:”blablabla”, “new_secret_token”:”blablablabla”}
1 个解决方案
解决方案1
1 已采纳 2021-10-11 08:01:29
If you must , you can rotate your keys using a combination of iam.create_access_key , iam.get_access_key_last_used , iam.update_access_key & iam.delete_access_key API actions.如果必须,您可以结合使用iam.create_access_key 、 iam.get_access_key_last_used 、 iam.update_access_key和iam.delete_access_key API 操作来轮换密钥。
Keep in mind you can only have a maximum of 2 access keys per user so you will have to create a new one using create_access_key , disable/make inactive the current (old) one ( get_access_key_last_used & update_access_key ), change your access key to the next one within the application code, and then finally delete the current one delete_access_key .请记住,每个用户最多只能有 2 个访问密钥,因此您必须使用create_access_key创建一个新访问密钥,禁用/禁用当前(旧)访问密钥( get_access_key_last_used & update_access_key ),将您的访问密钥更改为下一个应用程序代码中的一个,然后最后删除当前的一个delete_access_key 。
However, AWS access keys are meant to be long-term credentials for an IAM user or the AWS account root user;但是, AWS 访问密钥是 IAM 用户或 AWS 账户根用户的长期凭证; you can rotate them on a regular basis but I wouldn't be doing that in the first place in this scenario.您可以定期轮换它们,但在这种情况下我不会首先这样做。
Your optimal solution will depend on the service you are using.您的最佳解决方案将取决于您使用的服务。
If using EC2 instances to call S3, for example, don't use/embed/pass/read access keys but instead use shortlived temporary security credentials that would be provided by launching the EC2 instance with a role for S3 access.例如,如果使用 EC2 实例调用 S3,则不要使用/嵌入/传递/读取访问密钥,而是使用短期临时安全凭证,这些凭证将通过启动具有 S3 访问角色的 EC2 实例来提供。
If you're using this script locally, you can use AWS Security Token Service (AWS STS) that enables you to request temporary, limited-privilege credentials for AWS IAM users/federated users (single sign-on etc.).如果您在本地使用此脚本,则可以使用AWS Security Token Service (AWS STS) ,它使您能够为 AWS IAM 用户/联合用户(单点登录等)请求临时的、有限权限的凭证。 You'd be looking for the GetSessionToken API operation (Boto3 SDK docs here ).您会寻找GetSessionToken API 操作( 此处为 Boto3 SDK 文档)。
In both cases, the credentials include a security token that indicates when the credentials expire & they are short-lived on purpose to help reduce your risk in case credentials are accidentally exposed.在这两种情况下,凭据都包含一个安全令牌,指示凭据何时过期并且它们是有意短暂存在的,以帮助降低您的风险,以防凭据被意外暴露。
Read: Best practices for managing AWS access keys阅读: 管理 AWS 访问密钥的最佳实践
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.