AWS Lambda: how to store secrets for an external API?

I'm building a monitoring tool based on AWS Lambda. Given a set of metrics, the Lambdas should be able to send SMS using Twilio API. To be able to use the API, Twilio provide an account SID and an auth token.

How and where should I store these secrets?

I'm currently thinking to use AWS KMS but there might be other better solutions.

5 solutions

#1 (score 66)

Here is what I've come up with. I'm using AWS KMS to encrypt my secrets into a file that I upload with the code to AWS Lambda. I then decrypt it when I need to use them.

Here are the steps to follow.

First create a KMS key. You can find documentation here: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

Then encrypt your secret and put the result into a file. This can be achieved from the CLI with:

# Encrypt with the KMS key; --query/--output text yields the base64 CiphertextBlob,
# which is decoded back to raw bytes and written to the file shipped with the Lambda.
aws kms encrypt --key-id some_key_id --plaintext "This is the secret you want to encrypt" --query CiphertextBlob --output text | base64 --decode > ./encrypted-secret

You then need to upload this file as part of the Lambda. You can decrypt and use the secret in the Lambda as follow.

var fs = require('fs');
var AWS = require('aws-sdk');
// The KMS client must be created in the region where the key lives.
var kms = new AWS.KMS({region:'eu-west-1'});

// Raw ciphertext bytes produced by `aws kms encrypt`, bundled with the function code.
var secretPath = './encrypted-secret';
var encryptedSecret = fs.readFileSync(secretPath);

var params = {
  CiphertextBlob: encryptedSecret
};

// The Lambda execution role needs kms:Decrypt on the key for this call to succeed.
kms.decrypt(params, function(err, data) {
  if (err) console.log(err, err.stack);
  else {
    // Plaintext comes back as a Buffer; convert it to a string before use.
    var decryptedSecret = data['Plaintext'].toString();
    console.log(decryptedSecret);
  }
});

I hope you'll find this useful.

#2 (score 7)

As of AWS Lambda support for NodeJS 4.3, the correct answer is to use Environment Variables. This feature integrates with AWS KMS, so you can use your own master keys to encrypt the secrets.

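An added example (not from any of the answers above) of the environment-variable approach in Node.js: the variable holds the base64-encoded KMS ciphertext, the function decrypts it once per container and caches the plaintext in module scope so warm invocations do not call KMS again. The variable name TWILIO_AUTH_TOKEN, the injectable `kms`/`env` options and the `clearSecretCache` helper are assumptions made for this example.

```javascript
// Added example: decrypt a KMS-encrypted Lambda environment variable once per
// container and cache the plaintext. The env var name, the injectable `kms`
// option and clearSecretCache() are assumptions made for this example.
const cache = new Map(); // module scope: survives across warm invocations

function defaultKms() {
  // Loaded lazily so the module can be exercised without the SDK installed.
  const AWS = require('aws-sdk');
  return new AWS.KMS({ region: process.env.AWS_REGION || 'eu-west-1' });
}

function clearSecretCache() {
  cache.clear();
}

// getSecret(name, callback, opts): Node-style callback(err, plaintext).
// opts.env (defaults to process.env), opts.kms (defaults to a real client) and
// opts.encryptionContext (must match the context used at encrypt time, if any).
function getSecret(name, callback, opts) {
  opts = opts || {};
  const env = opts.env || process.env;
  if (cache.has(name)) return callback(null, cache.get(name));
  const blob = env[name];
  if (!blob) return callback(new Error('missing encrypted environment variable: ' + name));
  const params = { CiphertextBlob: Buffer.from(blob, 'base64') };
  if (opts.encryptionContext) params.EncryptionContext = opts.encryptionContext;
  const kms = opts.kms || defaultKms();
  kms.decrypt(params, function (err, data) {
    if (err) return callback(err); // AccessDenied, wrong key, bad context: fail the invocation
    const plaintext = data.Plaintext.toString('utf8');
    cache.set(name, plaintext); // later invocations in this container skip the KMS call
    callback(null, plaintext);
  });
}

// Lambda entry point (handler setting: index.handler): resolve the token, then do the work.
function handler(event, context, callback) {
  getSecret('TWILIO_AUTH_TOKEN', function (err, token) {
    if (err) return callback(err);
    // Use `token` to call Twilio here; only the fact that it resolved is reported.
    callback(null, { statusCode: 200, body: 'token resolved, length ' + token.length });
  });
}

if (typeof module !== 'undefined') {
  module.exports = { handler, getSecret, clearSecretCache };
}
```

The cache means a rotated secret is only picked up after a fresh container starts (or a redeploy), which is the trade-off for avoiding one KMS call per invocation.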
#3 (score 3)

There is a blueprint for a Node.js Lambda function that starts off with decrypting an API key from KMS. It provides an easy way to decrypt using a promise interface. It also gives you the role permissions that you need to give the Lambda function in order to access KMS. The blueprint can be found by searching for "algorithmia-blueprint".

#4 (score 2)

Well...that's what KMS was made for :) And certainly more secure than storing your tokens in plaintext in the Lambda function or delegating to a third-party service.

If you go down this route, check out this blog post for an existing usage example to get up and running faster. In particular, you will need to add the following to your Lambda execution role policy:

"kms:Decrypt",
"kms:DescribeKey",
"kms:GetKeyPolicy",

The rest of the code for the above example is a bit convoluted; you should really only need describeKey() in this case.

#5 (score -3)

Whatever you choose to do, you should use a tool like GitMonkey to monitor your code repositories and make sure your keys aren't committed or pushed to them.
