Reputation: 1023
I have a single HTML page that has all JavaScript logic inside it. I am using AWS SDK by importing it like:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.978.0.min.js"></script>
Whenever I try to make a call to AWS Secrets Manager, I am getting CredentialsError: Missing credentials in config because my page does not know my accessKey and secretKeyId.
If I add the following snippet in my code:
    AWS.config.update({
        accessKeyId: "XXXXXXX",
        secretAccessKey: "XXXXXXXXXXXXXXXXX"
    })
Everything works as expected; however, I am exposing my credentials to anyone that has access to that file. What is the best practice to store these credentials, and how can I make sure I obtain them safely for my use case - a single HTML page?
Upvotes: 0
Views: 335
Reputation: 105
I would consider using AWS Cognito and authorize using IAM roles. You can check out AWS Amplify for complete tutorials on how to set it up. It will be more effort, but it is the only way to keep access keys out of your front-end code. Please, never compile your access key and secret key into your front-end.
I can imagine the investigation effort of my suggested approach might be too much, so here is a quick approach to get you started using the AWS Management Console:
    // example policy document, allowing full access to all services.
    // never deploy this to production, only give access to services that are required.
    // always adhere to the principle of least privilege.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }
When you are happy about the IAM policies added to your roles, click 'allow'.
Now you should get a screen with code snippets on how to authorise the SDK properly.
    // Initialize the Amazon Cognito credentials provider
    AWS.config.region = 'us-east-1'; // Region
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:<your identitypool ID>',
    });
Additionally, please read up on how to stay safe on AWS.
Upvotes: 1
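The wildcard policy from the answer above next to a policy scoped to the question's use case, with a small check that flags over-broad Allow statements before a policy is attached to the identity pool's role. This is an added example, not code from the answer or from AWS; the function name auditPolicy, the account ID and the secret name are constructed placeholders.

```javascript
// Added example (not from the answer): audit an IAM policy before attaching it
// to the role a Cognito identity pool hands out. With only IdentityPoolId set,
// as in the snippet above, browsers get the pool's unauthenticated role.

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns a list of findings; an empty list means no over-broad Allow was found.
function auditPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    // Allow + NotAction/NotResource grants everything except what is listed.
    if (stmt.NotAction !== undefined) findings.push(`Statement[${i}]: Allow with NotAction`);
    if (stmt.NotResource !== undefined) findings.push(`Statement[${i}]: Allow with NotResource`);
    for (const action of asArray(stmt.Action)) {
      if (action === "*") findings.push(`Statement[${i}]: Action "*" allows every API call`);
      else if (action.includes("*")) findings.push(`Statement[${i}]: wildcard action ${action}`);
    }
    for (const resource of asArray(stmt.Resource)) {
      if (resource === "*") findings.push(`Statement[${i}]: Resource "*" matches every resource`);
    }
  });
  return findings;
}

// The example policy from the answer above: full access to all services.
const wildcardPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
};

// Scoped alternative for the question's use case: read one secret, nothing else.
// Account ID and secret name are constructed placeholders.
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "secretsmanager:GetSecretValue",
    Resource: "arn:aws:secretsmanager:us-east-1:111122223333:secret:EXAMPLE-SECRET-PLACEHOLDER",
  }],
};

console.log(auditPolicy(wildcardPolicy)); // two findings: Action "*" and Resource "*"
console.log(auditPolicy(scopedPolicy)); // []
```

Even the scoped policy makes that one secret readable by every session that receives the role, so the value behind it should be something the page's visitors are allowed to see.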
Reputation: 10704
Because you are using the AWS SDK for JavaScript, read the official AWS Docs for using the AWS SDK for JavaScript and how to handle creds. See this topic in the Developer Guide for JavaScript SDK Version 3:
Upvotes: 0
Reputation: 141
As one of the solutions, you can use Vault by HashiCorp and store your AWS secrets there. Anyone will see only the path to the secrets in the Vault instead of the secrets.
Upvotes: 0