Reputation: 6063
How to (properly) use external credentials in an AWS Lambda function?
I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.
What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).
These are the relevant parts of the function:
h = httplib2.Http()
auth = base64.encodestring('myuser' + ':' + 'mysecretpassword')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {'Authorization':'Basic ' + auth,'Accept':'application/xml;version=5.7'})
and then
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')
How would you go about cleaning the code by NOT having these credentials inside the function?
FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).
Upvotes: 7
Views: 3365
Answers (2)
Reputation: 35109
In your example you have 2 types of credentials:
- AWS creds
- None AWS creds
With AWS creds everything simple: create IAM Role, give it permission to dynamodb and you good to go.
With non AWS creds the most secure approach would be:
- Encrypt credentials upfront using kms service. (
kms.encrypt('foo')) - Once you have encrypted version of your information. Feel free to store it anywhere you want. Simplest way would be hard code it in lambda.
- Add permission to lambda IAM Role to decrypt information using kms key that you used in step 1.
- Then each time lambda is invoked, let it call kms to decrypt information.
Upvotes: 8
Reputation: 52385
The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:
conn = boto.connect_dynamodb()
Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to LambdaExec role. Also take a look at: Easy Authorization of AWS Lambda Functions
Upvotes: 4
Related Questions
- How to use a global variable in a function?
- How do I use threading in Python?
- Can an AWS Lambda function call another
- How to test credentials for AWS Command Line Tools
- How can I flush the output of the print function?
- Download an already uploaded Lambda function
- How do I make function decorators and chain them together?
- How to pass a querystring or route parameter to AWS Lambda from Amazon API Gateway
- How to properly ignore exceptions
- How to use access credentials in code instead of environment variables with PynamoDB