photosynthesis

Reputation: 2890

How to handle IAM credential rotations when accessing AWS services

We have an API Gateway configured to receive external calls to put objects to our S3 bucket. When trying to do it programmatically in Java we have to get the Access Key and Secret Access Key and attach it to the request to AWS.

Our service (Salesforce) that calls the API Gateway resides externally to AWS, and the Access Key and Secret Access Key of the IAM user we are using rotate monthly, which means, in the worst case, we have to manually get these keys and copy them over to the specific location.

This does not seem to be an elegant solution; can anyone with experience provide better ways to do it?

Upvotes: 0

Views: 84

Answers (1)

John Rotenstein

Reputation: 269540

AWS IAM allows two Access Keys to be active simultaneously. This permits a long rotation period.

For example:

  • Access Key 1 is in use and is stored in Salesforce
  • At end of month:
    • A 2nd Access Key is generated
    • Both keys are valid
    • The new key is copied into Salesforce
  • Wait 24 hours, then delete the previous key

This allows for a longer "transition period", without having to perform updates in both systems simultaneously.

The above AWS processes can be performed via API calls. If the external system also permits credential updates via API, then this entire operation can be automated.

Upvotes: 1
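The two-key overlap rotation described in this answer, written out as an added example that is not part of the original post or of any AWS tooling. It uses the boto3 IAM client calls list_access_keys, create_access_key, get_access_key_last_used, update_access_key and delete_access_key; the FakeIAM class, the IAM user name `salesforce-uploader`, the `publish` hook standing in for the Salesforce credential update, and the `AKIAFAKE...` key IDs are all constructed for the example so it runs offline. It adds two checks the answer does not spell out: it refuses to start when the user already has two keys (the IAM maximum, so the create call would fail), and it refuses to delete the old key until the new one shows up in get_access_key_last_used, so a rotation where Salesforce never picked up the new key leaves the old key working instead of locking the integration out.

```python
import time
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

MAX_KEYS_PER_USER = 2  # IAM limit; the spare slot is what allows overlap


def rotate_access_key(iam, user_name: str, publish: Callable[[str, str], None],
                      wait_seconds: float = 24 * 60 * 60,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Create a new key, push it via publish(key_id, secret), then retire the old one."""
    # IAM returns the secret only at creation, so it goes straight to publish().
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {len(existing)} keys; delete one first")
    old_ids: List[str] = [k["AccessKeyId"] for k in existing]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    publish(new["AccessKeyId"], new["SecretAccessKey"])

    sleep(wait_seconds)  # transition period: both keys are valid

    # Only retire the old key once the new one has actually been used, i.e. the
    # external system really switched over.
    last_used = iam.get_access_key_last_used(AccessKeyId=new["AccessKeyId"])
    if "LastUsedDate" not in last_used["AccessKeyLastUsed"]:
        raise RuntimeError(f"new key {new['AccessKeyId']} has not been used yet; old keys kept")

    for key_id in old_ids:
        # Inactive first gives a cheap rollback (Status back to Active); in
        # production leave it inactive for a while before deleting.
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)

    return {"new_key_id": new["AccessKeyId"], "deleted_key_ids": old_ids}


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client calls used above."""

    def __init__(self, user_name: str, existing_key_ids: List[str]):
        self.user_name = user_name
        self.counter = 0
        self.keys: Dict[str, Dict[str, str]] = {
            k: {"UserName": user_name, "AccessKeyId": k, "Status": "Active"}
            for k in existing_key_ids
        }
        self.used: set = set()  # key IDs that have signed an AWS request

    def list_access_keys(self, UserName: str):
        return {"AccessKeyMetadata": [dict(v) for v in self.keys.values()]}

    def create_access_key(self, UserName: str):
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # boto3 raises a ClientError here
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"  # constructed, not a real key
        self.keys[key_id] = {"UserName": UserName, "AccessKeyId": key_id, "Status": "Active"}
        return {"AccessKey": {**self.keys[key_id], "SecretAccessKey": f"fake-secret-{self.counter}"}}

    def get_access_key_last_used(self, AccessKeyId: str):
        info: Dict[str, object] = {"ServiceName": "s3", "Region": "us-east-1"}
        if AccessKeyId in self.used:
            info["LastUsedDate"] = datetime.now(timezone.utc)
        return {"UserName": self.user_name, "AccessKeyLastUsed": info}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str):
        self.keys[AccessKeyId]["Status"] = Status

    def delete_access_key(self, UserName: str, AccessKeyId: str):
        del self.keys[AccessKeyId]

    def mark_used(self, AccessKeyId: str) -> None:
        self.used.add(AccessKeyId)  # simulates a request signed with this key


def demo(external_picks_up_key: bool = True) -> Dict[str, object]:
    """Rotate against FakeIAM and report the outcome and final state."""
    user = "salesforce-uploader"  # hypothetical IAM user name
    iam = FakeIAM(user, ["AKIAFAKE000000000000"])
    salesforce_store: Dict[str, str] = {}  # stands in for the credential held in Salesforce

    def publish(key_id: str, secret: str) -> None:
        salesforce_store.update({"access_key_id": key_id, "secret": secret})
        if external_picks_up_key:
            iam.mark_used(key_id)  # Salesforce made a request with the new key

    outcome: Optional[Dict[str, object]] = None
    error: Optional[str] = None
    try:
        outcome = rotate_access_key(iam, user, publish, wait_seconds=0, sleep=lambda _s: None)
    except RuntimeError as exc:
        error = str(exc)
    return {"outcome": outcome, "error": error, "remaining_key_ids": sorted(iam.keys),
            "stored_key_id": salesforce_store.get("access_key_id")}


if __name__ == "__main__":
    # Against real AWS: rotate_access_key(boto3.client("iam"), user, push_to_salesforce)
    print(demo())
```

Against a live account, `publish` is where the call into the external system's credential API goes (the Salesforce side is exactly the part the answer says can only be automated if that system exposes such an API); `wait_seconds` is the answer's 24-hour transition window, and `sleep` is injectable only so the example can run instantly.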
