Menu
I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table.
What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).
These are the relevant parts of the function:
h = httplib2.Http()
auth = base64.encodestring('myuser' + ':' + 'mysecretpassword')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {'Authorization':'Basic ' + auth,'Accept':'application/xml;version=5.7'})
and then
conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')
How would you go about cleaning the code by NOT having these credentials inside the function?
FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).
368
In your example you have 2 types of credentials:
With AWS creds everything simple: create IAM Role, give it permission to dynamodb and you good to go.
With non AWS creds the most secure approach would be:
kms.encrypt('foo'))
177
The cleanest way is to grant DynamoDB privileges to the LambdaExec role. Your boto connect becomes:
conn = boto.connect_dynamodb()
Or check the IAM policies attached to the user whose creds you are providing to boto connect. Pick and choose the policies from that list and grant those privileges to LambdaExec role. Also take a look at: Easy Authorization of AWS Lambda Functions
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
