I have an (extremely basic but perfectly working) AWS Lambda function written in Python that, however, has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.
What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).
These are the relevant parts of the function:
    import base64
    import httplib2

    h = httplib2.Http()
    # base64.b64encode rather than base64.encodestring: encodestring appends a
    # trailing newline, which would end up inside the Authorization header
    auth = base64.b64encode('myuser' + ':' + 'mysecretpassword')
    (response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST',
                                    headers={'Authorization': 'Basic ' + auth,
                                             'Accept': 'application/xml;version=5.7'})
and then
    import boto

    # hard-coded AWS access keys (placeholders here) -- this is what I want to get rid of
    conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',
                                 aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')
How would you go about cleaning up the code so that these credentials are NOT inside the function?
FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).
The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:

Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to the LambdaExec role.

Also take a look at: Easy Authorization of AWS Lambda Functions

In your example you have 2 types of credentials:
With AWS creds everything is simple: create an IAM Role, give it permission to DynamoDB and you are good to go.
With non-AWS creds the most secure approach would be:

    kms.encrypt('foo')
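Putting both answers together (the execution role instead of embedded AWS keys, and KMS for the external service password), here is an added example of what the function can look like. It is not code from the question or from either answer; the environment variable names (SERVICE_USER, SERVICE_PASSWORD_CIPHERTEXT, TABLE_NAME), the table item layout and the ARNs in the policy are assumptions. The external password is encrypted once with KMS (as the second answer's kms.encrypt suggests), the base64 ciphertext is stored in a Lambda environment variable, and the function decrypts it at cold start using the kms:Decrypt permission of its execution role; boto3 obtains the DynamoDB credentials from that same role, so no access key appears in the code. The I/O clients are passed into run_check so the logic can be exercised offline with fakes.

```python
"""Scheduled Lambda: no credentials in the code (added example, not the page's own code)."""
import base64
import os
import time

SECRET_CACHE = {}  # plaintext lives only in the container's memory


def build_basic_auth(user, password):
    """Authorization header value. b64encode, not encodestring, so no trailing
    newline is embedded in the header."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decrypt_secret(ciphertext_b64, kms_client):
    """Decrypt a KMS ciphertext that is stored base64-encoded in an env var.
    kms_client is anything with a boto3-style decrypt(CiphertextBlob=...)."""
    resp = kms_client.decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64))
    return resp["Plaintext"].decode("utf-8")


def reset_secret_cache():
    SECRET_CACHE.clear()


def get_service_password(kms_client, env=None):
    """Decrypt once per container (cold start), then reuse across invocations."""
    env = os.environ if env is None else env
    if "password" not in SECRET_CACHE:
        SECRET_CACHE["password"] = decrypt_secret(env["SERVICE_PASSWORD_CIPHERTEXT"], kms_client)
    return SECRET_CACHE["password"]


def status_item(status_code, timestamp):
    """What gets written to DynamoDB: only the response status, never a credential."""
    return {"service": "vca-login", "ts": int(timestamp), "status": int(status_code)}


def execution_role_policy(table_arn, key_arn):
    """Least-privilege inline policy for the execution role (ARNs are assumed).
    PutItem on one table plus Decrypt on one key is all this function needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": table_arn},
            {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": key_arn},
        ],
    }


def run_check(http_request, kms_client, table, env=None, now=time.time):
    """The job itself. http_request mimics httplib2's Http.request signature,
    table mimics a boto3 DynamoDB Table resource."""
    env = os.environ if env is None else env
    password = get_service_password(kms_client, env)
    headers = {
        "Authorization": build_basic_auth(env["SERVICE_USER"], password),
        "Accept": "application/xml;version=5.7",
    }
    response, _content = http_request("https://vca.vmware.com/api/iam/login", "POST", headers=headers)
    item = status_item(response["status"], now())
    table.put_item(Item=item)
    return item


def lambda_handler(event, context):
    """Lambda entry point. boto3 picks up the execution role's temporary
    credentials on its own, so no access keys are configured anywhere here."""
    import boto3      # present in the Lambda runtime
    import httplib2   # bundled with the deployment package
    table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
    return run_check(httplib2.Http().request, boto3.client("kms"), table)
```

The ciphertext is produced once, outside the function, with the KMS key the role may decrypt (for example `aws kms encrypt --key-id <your-key> --plaintext fileb://password.txt`, then base64 of the CiphertextBlob), and pasted into the SERVICE_PASSWORD_CIPHERTEXT environment variable; rotating the password means re-encrypting and updating the variable, with no code change.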