
Signed cookies in aws cloudfront without Key Pair (RSA private key)

I am deploying my app, split into microservices developed in Node.js, on disposable machines (AWS ECS) using Docker. Having a look at the API to get signed tokens to access CloudFront resources: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudFront/Signer.html , it seems to be mandatory to pass a Key Pair as a parameter in the constructor (initialization).

I would like not to include any CloudFront Key Pair, since these machines can die and storing any file inside them makes no sense. Is there any way to get signed tokens just by granting privileges to these machines with IAM policies, like CloudFrontFullAccess? I have deployed a service to get S3 signed URLs, and it is not required to use a Key Pair, just an IAM policy.

No, this isn't possible as described.

It works for S3 because the instance role causes temporary IAM credentials to be made available to the instance, and S3 signed URLs use IAM credentials.

CloudFront's private key isn't part of IAM, so IAM policies (like CloudFrontFullAccess) don't help here. (That policy primarily allows you to provision CloudFront distributions.)

You have to have access to the CloudFront RSA key in order to generate either a CloudFront signed URL or signed cookies -- there is no alternative to this.

However, a straightforward way to store the key securely yet make it available to the instances would be to put it in the EC2 Systems Manager Parameter Store.

This is a key/value store that can be made accessible to the instances through their IAM roles, and you are not required to use any other parts of EC2 Systems Manager unless you want to -- the parameter store is available without any other setup.

Amazon EC2 Systems Manager Parameter Store provides secure storage for configuration data such as passwords, database strings, and license codes. You can store parameters as plain text or as encrypted objects.

[...]

Parameter Store also simplifies the process of managing configuration data by storing the data in one, secure location instead of in configuration files across your fleet.

http://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-paramstore.html

The maximum size of a single parameter value is 4096 characters, which is more than sufficient to hold the entire private key.

Your code would most likely want to load the key on startup and just keep it in memory for use as needed, or it could be written to a temporary file.
