How to (properly) use external credentials in an AWS Lambda function?

℡╲_俬逩灬. 提交于 2019-12-05 04:37:24

In your example you have 2 types of credentials:

  1. AWS creds
  2. None AWS creds

With AWS creds everything simple: create IAM Role, give it permission to dynamodb and you good to go.

With non AWS creds the most secure approach would be:

  1. Encrypt credentials upfront using kms service. (kms.encrypt('foo'))
  2. Once you have encrypted version of your information. Feel free to store it anywhere you want. Simplest way would be hard code it in lambda.
  3. Add permission to lambda IAM Role to decrypt information using kms key that you used in step 1.
  4. Then each time lambda is invoked, let it call kms to decrypt information.

The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:

conn = boto.connect_dynamodb()

Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to LambdaExec role. Also take a look at: Easy Authorization of AWS Lambda Functions

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!