stackoom
  简体   繁体   中英

Should I use Secrets Manager for storing customers' API keys?

 原文  2021-03-03 17:51:49       amazon-web-services/ secret-key/ aws-secrets-manager

Question

I'm implementing a service that requires me to call my customers' API using their API keys. My customers will provide me with their API keys in their accounts.

When I'm calling my customers' API, I have to retrieve their API key before making the call. Since these are my customers' API keys and I want them to be kept safely, I'm considering keeping all of them in AWS Secrets Manager. I have roughly about 5,000 users (still growing) and I plan to store all their keys into a single secret in Secrets Manager. My application makes about a few millions calls to my customers API a month and it needs to retrieve the keys at high frequency and concurrency.

However, I'm not sure if this is the kind of use case for Secrets Manager because their docs sound to me like it was meant for just keeping secret information for the application and not for customers like a database. At the same time, storing encrypted keys in the database and having to decrypt them with a KMS key sounds like I may end up with roughly the same cost.

Is Secrets Manager meant for such a use case to store customers' sensitive information such as API keys? If not, what should I consider in my case?

1 answers

solution1
 1 ACCPTED  2021-03-03 18:02:12

50k api keys in a single secret is goinfg to be very unwieldy. Assuming a 40 byte token, you're looking at 2mb of data - SSM has a max data length for a value of 4096 bytes unless I'm mistaken.

To me it would make more sense to generate a key with KMS and use that key to encrypt customer API keys before writing them to a DynamoDB table (or even RDS if you so desire) When you need to use a customer API key, fetch it from dynamoDB, decrypt it with the KMS key, and then make use of it.

If you want automatic key rotation, SSM could be used to encrypt the key you use to encrypt the client API tokens. Your token decryption key would remain usable while the wrapping SSM entry would be reencrypted with a key rotation set by policy.

Finally, as Software Engineer suggested above, there is Vault.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS: Storing API token in Secrets Manager vs Dynamo DB AWS Multi Environment Secrets Manager arn keys Round robin between Admin API keys stored in Secrets Manager which is used to make API calls via API Gateway Lambda proxy integration Requesting 2 secrets from AWS Secrets Manager in One API Call with JavaScript Trouble connecting sam local api to secrets manager InvalidSignatureException in using GetSecretValue AWS secrets manager API Best Practices to use AWS Secrets Manager on password rotation in Rest API using NodeJs Express Web Framework Configuring Concourse CI to use AWS Secrets Manager How do I list deleted secrets in AWS Secrets Manager? Create secrets in AWS Secrets Manager
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM