How can I protect my AWS access id and secret key in my python application

Question

I\'m making an application in Python and using Amazon Web Services in some modules.

I\'m now hard coding my AWS access id and secret key in *.py file. Or might move them

Answer 1

There's no way to protect your keys if you're going to distribute your code. They're going to be accessible to anyone who has access to your server or source code.

There are two things you can do to protect yourself against malicious use of your keys.

1. Use the amazon IAM service to create a set of keys that only has permission to perform the tasks that you require for your script. http://aws.amazon.com/iam/

2. If you have a mobile app or some other app that will require user accounts you can create a service to create temporary tokens for each user. The user must have a valid token and your keys to perform any actions. If you want to stop a user from using your keys you can stop generating new tokens for them. http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf

---

Specifically to S3 if you're creating an application to allow people to upload content. The only way to protect your account and the information of the other users is to make them register an account with you.

1. The first step of the application would be to authenticate with your server.
2. Once your server authenticates you make a request to amazons token server and return a token
3. Your application then makes a request using the keys built into the exe and the token.
4. Based on the permissions applied to this user he can upload only to the bucket that is assigned to him.

If this seems pretty difficult then you're probably not ready to design an application that will help users upload data to S3. You're going to have significant security problems if you only distribute 1 key even if you can hide that key from the user they would be able to edit any data added by any user.

The only way around this is to have each user create their own AWS account and your application will help them upload files to their S3 account. If this is the case then you don't need to worry about protecting the keys because the user will be responsible for adding their own keys after installing your application.