mreferre mreferre - 1 month ago 8
Python Question

How to (properly) use external credentials in an AWS Lambda function?

I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to:
1) an external web service
2) a DynamoDB table.

What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2).

These are the relevant parts of the function:

h = httplib2.Http()
auth = base64.encodestring('myuser' + ':' + 'mysecretpassword')
(response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {'Authorization':'Basic ' + auth,'Accept':'application/xml;version=5.7'})


and then

conn = boto.connect_dynamodb(aws_access_key_id='FAKEhhahahah',aws_secret_access_key='FAKEdhdhdudjjdjdjhdjjhdjdjjd')


How would you go about cleaning the code by NOT having these credentials inside the function?

FYI this function is scheduled to run every 5 minutes (there is no other external event that triggers it).

Vor Vor
Answer Source

In your example you have 2 types of credentials:

  1. AWS creds
  2. None AWS creds

With AWS creds everything simple: create IAM Role, give it permission to dynamodb and you good to go.

With non AWS creds the most secure approach would be:

  1. Encrypt credentials upfront using kms service. (kms.encrypt('foo'))
  2. Once you have encrypted version of your information. Feel free to store it anywhere you want. Simplest way would be hard code it in lambda.
  3. Add permission to lambda IAM Role to decrypt information using kms key that you used in step 1.
  4. Then each time lambda is invoked, let it call kms to decrypt information.