How to (properly) use external credentials in an AWS Lambda function?

两盒软妹~ Submitted on 2019-12-07 00:23:06

Question


I have an (extremely basic but perfectly working) AWS Lambda function written in Python that, however, has embedded credentials to connect to: 1) an external web service, 2) a DynamoDB table.

What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).

These are the relevant parts of the function:

import base64
import httplib2

h = httplib2.Http()
auth = base64.b64encode(b'myuser:mysecretpassword').decode('ascii')  # b64encode adds no trailing newline, unlike the old encodestring
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers={'Authorization': 'Basic ' + auth, 'Accept': 'application/xml;version=5.7'})

and then

import boto
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah', aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')  # AWS keys embedded in the function

How would you go about cleaning the code by NOT having these credentials inside the function?

FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).


Answer 1:


In your example you have 2 types of credentials:

  1. AWS creds
  2. Non-AWS creds

With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you are good to go.

With non-AWS creds the most secure approach would be:

  1. Encrypt the credentials upfront using the KMS service (kms.encrypt('foo')).
  2. Once you have the encrypted version of your information, feel free to store it anywhere you want. The simplest way would be to hard-code it in the Lambda.
  3. Add permission to the Lambda IAM Role to decrypt the information using the KMS key that you used in step 1.
  4. Then each time the Lambda is invoked, let it call KMS to decrypt the information.
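The four steps above worked through as an added example (not code from the question or from either answer): a Python 3 / boto3 handler that decrypts a KMS ciphertext on each invocation and, for DynamoDB, passes no keys at all so the execution role's credentials are used. The ciphertext value, the environment variable names, the table name and its key layout are placeholders I have assumed; the login URL and header values are the ones from the question.

```python
import base64
import os
import urllib.error
import urllib.request

try:
    import boto3  # present in the Lambda runtime; only needed when talking to real AWS
except ImportError:  # lets the module import outside AWS (e.g. a unit test with a stub client)
    boto3 = None

# Constructed placeholder: the base64 CiphertextBlob that `aws kms encrypt` returned when run
# once, out of band, against the real password. It can live in code or an environment variable
# because it is useless to anyone whose role lacks kms:Decrypt on the key (step 2).
ENCRYPTED_PASSWORD_B64 = os.environ.get("ENCRYPTED_PASSWORD", "AQICAHg...placeholder-ciphertext...")
SERVICE_USER = os.environ.get("SERVICE_USER", "myuser")     # assumed env var name
TABLE_NAME = os.environ.get("TABLE_NAME", "login-status")   # assumed env var / table name
LOGIN_URL = "https://vca.vmware.com/api/iam/login"

def decrypt_secret(ciphertext_b64, kms_client):
    """Return the plaintext behind a base64 KMS ciphertext. kms_client is anything with a
    boto3-style decrypt(CiphertextBlob=...) method; KMS refuses the call unless the caller's
    role is allowed kms:Decrypt on the key that produced the blob (step 3)."""
    response = kms_client.decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64))
    return response["Plaintext"].decode("utf-8")

def basic_auth_header(user, password):
    """RFC 7617 Basic value; b64encode adds no trailing newline, unlike the old encodestring."""
    token = base64.b64encode("{}:{}".format(user, password).encode("utf-8")).decode("ascii")
    return "Basic " + token

def lambda_handler(event, context):
    # Step 4: decrypt on every invocation; the plaintext only ever exists in this process's memory.
    password = decrypt_secret(ENCRYPTED_PASSWORD_B64, boto3.client("kms"))
    req = urllib.request.Request(LOGIN_URL, method="POST", headers={
        "Authorization": basic_auth_header(SERVICE_USER, password),
        "Accept": "application/xml;version=5.7",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # a rejected login is still a status worth recording
        status = err.code
    # No access keys anywhere: boto3 picks up the execution role's temporary credentials, so the
    # role's DynamoDB permissions are the only thing left to configure.
    table = boto3.resource("dynamodb").Table(TABLE_NAME)
    table.put_item(Item={"run_id": context.aws_request_id, "login_status": status})
    return {"login_status": status}
```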



Answer 2:


The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:

conn = boto.connect_dynamodb()  # no keys passed: boto picks up the execution role's credentials

Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to the LambdaExec role. Also take a look at: Easy Authorization of AWS Lambda Functions



Source: https://stackoverflow.com/questions/36225031/how-to-properly-use-external-credentials-in-an-aws-lambda-function
