
How to securely sign requests with aws credentials?

I am not entirely sure if this is the question I should be asking so feel free to submit edits.

I am developing a desktop app I plan to distribute and use Amazon Polly to read text the user enters. I am having trouble understanding how to securely allow users to access the service under our program without exposing the access key.

I saw in a previous example that I should create a request to use the resource, keep the access key and secret access key on a server and have it sign the request, then send it back to the user on the desktop application.

If this is correct could someone explain and give me a simple example of how to accomplish this in python? Thank you. :)

Here is what I have so far that I would like to be in the code clients download:

import boto3
from contextlib import closing

# Long-lived keys hard-coded in the client; this is what must not ship.
polly = boto3.client(
    'polly',
    region_name='us-east-1',
    aws_access_key_id='I_want_to_protect_this',
    aws_secret_access_key='I_also_want_to_protect_this'
)

response = polly.synthesize_speech(
    Text="Good Morning. My Name is Rajesh. I am Testing Polly AWS Service For Voice Application.",
    OutputFormat="mp3",
    VoiceId="Raveena")

print(response)

if "AudioStream" in response:
    with closing(response["AudioStream"]) as stream:
        data = stream.read()
        # The stream yields bytes, so the file must be opened in binary mode.
        with open("pollytest.mp3", "wb") as fo:
            fo.write(data)

The correct approach for providing people with access to AWS services and resources stored on AWS is to take a client/server approach.

The client in your case is a Desktop application, but it could equally be a mobile app or a web app. The client is basically untrusted and should not be given any credentials for accessing AWS.

The server is an application running somewhere (typically on Amazon EC2 or AWS Lambda) that receives requests from the client, applies business logic (eg verifying the user's identity and determining what actions they are permitted to take) and calls AWS services.

Then there are two approaches to making calls to AWS:

  • The server can make all the calls to AWS (using credentials that are available only to the server) and pass back results to the client. This isolates the client from AWS and allows you to insert custom business logic within the server. (eg When you use Netflix, your TV doesn't call AWS directly.) Or...
  • The server can verify the identity of the client (eg the user logs into the client app, which sends the login details to the server) by consulting a database of authorized application users, generate temporary AWS credentials, pass them back to the client and then the client can call AWS directly. (eg Many mobile apps do this to talk with Amazon S3.)

The temporary AWS credentials can be generated by the server by calling the AWS Security Token Service and specifying the permissions and duration sought. STS will then return a set of time-limited credentials that have the desired permissions. The client application can use these credentials to call AWS services (eg Amazon Polly as per your code sample).

This way, no credentials are stored in the client code and the server controls whether the client is permitted to access AWS, which API calls can be used and how long the access should be granted.
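The STS exchange the answer describes, as an added example that is not part of the original post or the answerer's own code. It assumes the server has already authenticated the user by its own logic and holds an IAM user's long-lived keys; the server calls GetFederationToken with a session policy limited to polly:SynthesizeSpeech and a short lifetime, and returns only the temporary triple. The OfflineSTS stub is a constructed stand-in for boto3's STS client so the module runs without boto3 or network access.

```python
import json

# Constructed session policy: the temporary credentials may only call
# polly:SynthesizeSpeech. Effective permissions are the intersection of this
# policy and the server IAM user's own policy, so scope can only shrink.
POLLY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["polly:SynthesizeSpeech"],
                   "Resource": "*"}],
}

# GetFederationToken accepts 900..129600 s; never hand out more than an hour.
MIN_DURATION, MAX_DURATION = 900, 3600

def clamp_duration(seconds):
    """Keep the requested lifetime inside the window the server allows."""
    return max(MIN_DURATION, min(MAX_DURATION, int(seconds)))

def federation_name(user_id):
    """GetFederationToken's Name must be 2..32 chars of [A-Za-z0-9_+=,.@-]."""
    safe = "".join(ch for ch in str(user_id) if ch.isalnum() or ch in "_+=,.@-")
    return ("app-" + safe)[:32]

def issue_polly_credentials(sts, user_id, duration_seconds=900):
    """Server side, after your own logic has authenticated the user: trade the
    server's long-lived IAM user keys for a scoped, time-limited triple.
    `sts` is boto3.client("sts") in production, or the OfflineSTS stub below."""
    resp = sts.get_federation_token(
        Name=federation_name(user_id),
        Policy=json.dumps(POLLY_ONLY_POLICY),
        DurationSeconds=clamp_duration(duration_seconds),
    )
    c = resp["Credentials"]
    exp = c["Expiration"]  # boto3 returns a tz-aware datetime; make it JSON-safe
    return {  # only the temporary triple and its expiry go back to the client
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretAccessKey"],
        "SessionToken": c["SessionToken"],
        "Expiration": exp.isoformat() if hasattr(exp, "isoformat") else str(exp),
    }

class OfflineSTS:
    """Constructed stand-in for boto3's STS client so this runs offline."""
    def get_federation_token(self, **kw):
        self.last_request = kw  # recorded so callers can inspect what was asked
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "example-token",
                                "Expiration": "2024-01-01T01:00:00+00:00"}}
```

The desktop app passes the three values to boto3.client('polly', region_name=..., aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=creds["SessionToken"]) and asks the server for a fresh set once Expiration has passed.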
