methuselah

Reputation: 13206

Handling AWS credentials within an Angular app

I have an Angular application that makes use of the following AWS credentials:

  awsAccessKeyId
  awssecretAccessKey
  awsBucket
  awsEndpointUrl
  awsRegion
  awsKey

I wanted to store them in the environment.ts file of my application but have been told that it is a bad idea. Where else can I store them? I was thinking Firebase, but only allowing the document to be read with an authenticated user with a particular UID via an API call.

Upvotes: 1

Views: 2394

Answers (2)

Arun Kamalanathan

Reputation: 8593

As you said, it's not safe to store AWS credentials in the frontend JavaScript files since they are publicly readable by anyone who can access your website.

I suggest you develop a server-side API and call the API from your Angular application. The API is used to talk to AWS services. In this way, you do not have to store the AWS credentials in the static website.

Using an API

Create an API to talk to AWS services.

User login

The Angular app should be protected by login to allow users to authenticate against an authentication service (such as Amazon Cognito) or your own authentication API. Once the user is successfully logged in, the authentication service will return a token of some sort. You can store this token in the browser's Local Storage.

Call your API

When you call the API endpoint, you will need to provide this token. The API should verify the token before allowing the call to proceed.

Reference: https://www.techopedia.com/definition/27674/html5-local-storage

Hope this helps.

Upvotes: 1

Shadab Faiz

Reputation: 2508

Storing such credentials in the environment file is discouraged because generally, environment files are committed into git.
1. If the repository is public, then all of your credentials are available for public (mis)use.
2. If the repository is private, there may still be a situation where multiple people are working on the same project but only very few of them need these credentials, not everyone.
3. In your case, if you get the AWS credentials in the front end, then anyone can get those credentials from the network tab (easiest way) and will be able to (mis)use them.

How / where you should store such credentials depends upon your use case. There cannot be an answer which would fit everyone's needs. Though there are a few good approaches for it:
1. Keep the environment file out of the repository, and distribute it to developers as they need it.
2. Like you mentioned, store them in a separate place and fetch them during runtime.
3. If you have a backend, then instead of fetching the credentials on the front end and then accessing the cloud service, store the credentials on the backend, and access the cloud service through the backend. (recommended)

There can also be many other ways to tackle this problem, but they would depend upon the project.

Upvotes: 2
