Reputation: 688
I have a web app that is using AWS Lambda and API Gateway (protected by IAM) for the backend; the front end is built using React. I am trying to figure out what the best way is to keep the AWS Secret Key out of the production JavaScript code. So far I can't find anything better than just obfuscating the key, but that doesn't really solve anything.
So far in development I am using the apigClient and hard coding both the access key and the secret key.
Any help would be really appreciated.
Thank you.
Upvotes: 0
Views: 1311
Reputation: 3472
AWS has an interface for environmental variables in their apps. It looks like these are the docs for Lambda. You should put any credentials in that interface and then you should be able to access them in your Lambda function. Locally, you can use an npm like dot-env and use an .env file to access your environmental variables. Or you can just add them in your command line. If you are going to use an .env file it is VERY IMPORTANT that you ignore that file in your .gitignore.
Upvotes: 2
Reputation: 1275
Everything you include in your JavaScript code will be readable in the browser if someone inspects the source code of your final bundle.
If you want to be 100% sure your secret key remains hidden, you should do this authentication in the backend.
However, you can keep the secret keys out of the repo by setting them up as env variables.
Upvotes: 1
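Because anything in the final bundle is readable in the browser, a build-time check can confirm that no AWS key reached it. The following is an added example, not code from any of the posts above: the function names are hypothetical, and the sample bundle is constructed using the placeholder key pair from AWS's documentation.

```javascript
'use strict';

// Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
const ACCESS_KEY_ID = /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g;
// A 40-character literal assigned to secretKey / secretAccessKey, e.g. the
// options object passed to apigClientFactory.newClient({accessKey, secretKey}).
const SECRET_ASSIGNMENT =
  /\bsecret(?:Access)?Key["']?\s*[:=]\s*["']([A-Za-z0-9/+=]{40})["']/gi;

// Keep only the first four characters so reports do not re-leak the value.
function redact(value) {
  return value.slice(0, 4) + '*'.repeat(value.length - 4);
}

// Returns one finding per embedded credential, with its 1-based line number.
function findAwsCredentials(bundleText) {
  const findings = [];
  bundleText.split('\n').forEach((line, index) => {
    for (const m of line.matchAll(ACCESS_KEY_ID)) {
      const type = m[1] === 'AKIA'
        ? 'long-term-access-key-id'
        : 'temporary-access-key-id';
      findings.push({ type, line: index + 1, match: redact(m[0]) });
    }
    for (const m of line.matchAll(SECRET_ASSIGNMENT)) {
      findings.push({ type: 'secret-access-key', line: index + 1, match: redact(m[1]) });
    }
  });
  return findings;
}

// Constructed sample: lines 1-2 hard-code the key pair (AWS documentation
// placeholders); line 3 reads credentials from a runtime object instead.
const SAMPLE_BUNDLE = [
  'var a=apigClientFactory.newClient({accessKey:"AKIAIOSFODNN7EXAMPLE",',
  'secretKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",region:"us-east-1"});',
  'var b=apigClientFactory.newClient({accessKey:c.AccessKeyId,secretKey:c.SecretKey});',
].join('\n');

for (const f of findAwsCredentials(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.type} ${f.match}`);
}
```

A key read from an environment variable by the front-end build is still written into the bundle as a literal, so this check should run against the built output rather than the source tree.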