aws-samples / api-gateway-secure-pet-store

Amazon API Gateway sample using Amazon Cognito credentials through AWS Lambda
Apache License 2.0
308 stars, 113 forks

Amazon API security with API Keys #22

Open SandeshSarfare opened 8 years ago

SandeshSarfare commented 8 years ago

I have deployed my REST API on Amazon API Gateway and I have a scenario in front of me with a security concern. I am using an API key for all the API requests. I want to know: if that API key is exposed somehow, and as we know the same API key is being used by already published apps, then what are my options?

Also, as mentioned here, I can have only 10000 API keys per AWS account if I want the API keys to be unique per user for it to be more secure, but what if the number of users shoots up to more than 10000?

SandeshSarfare commented 8 years ago

I am using the JavaScript SDK in mobile app development.

sapessi commented 8 years ago

We do not recommend using API keys for security. API keys are used primarily to meter API access. You should rely on some form of stronger authentication such as SigV4 or an OAuth flow with custom authorizers. The pet store example uses SigV4.

sirfak commented 8 years ago

Hi, I have an API Gateway /auth endpoint which talks to my Lambda function written in Java which generates temporary credentials.

My question is that during development I use the profile credential provider, so if deployed, what credential provider will the Lambda function use? How do I set an env variable / property file or .aws file to provide credentials? Thanks in advance, sirfak

sapessi commented 8 years ago

The "profile" for the Lambda function is based on the execution role you've configured for the function itself. From the Lambda console you can see the name of the execution role; use the IAM console to modify the access policy for the role and configure which services the Lambda function is allowed to communicate with.

sirfak commented 8 years ago

If my Java Lambda function has code, e.g. AWSSecurityTokenServiceClient sts_client = new AWSSecurityTokenServiceClient(); which is supposed to read credentials from profile/environment/property as required in the credential provider chain during local development (the sirfak profile user, e.g.)

If I have understood your point, the API key and access key during Lambda execution will be read from the execution role defined in the Lambda console and not from the sirfak user profile (the dev user)?

sapessi commented 8 years ago

Correct.
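The exchange above can be made concrete with a small model of the SDK default credential provider chain. This is an added example, not code from the project or from either commenter, and it is a simplified, ordered chain (environment variables, then shared credentials file) rather than the full list the Java or JavaScript SDK consults. The credentials file contents, profile names and key values are constructed placeholders. It shows why the developer's profile is never read inside Lambda: the runtime injects the execution role's temporary credentials as environment variables before the handler runs, and the first provider that returns credentials wins.

```javascript
// Added example, not project code: a simplified model of the SDK default
// credential provider chain. All profile names and key values are constructed
// placeholders.

// Constructed stand-in for a developer's ~/.aws/credentials file.
const CREDENTIALS_FILE = `
[default]
aws_access_key_id = AKIADEFAULTPLACEHOLDER
aws_secret_access_key = defaultSecretPlaceholder

[sirfak]
aws_access_key_id = AKIASIRFAKPLACEHOLDER
aws_secret_access_key = sirfakSecretPlaceholder
`;

// Minimal INI parser for the credentials file format: [section] headers and
// key = value lines; comments and blank lines are skipped.
function parseCredentialsFile(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = /^\[\s*(?:profile\s+)?([^\]]+?)\s*\]$/.exec(line);
    if (section) {
      current = section[1];
      profiles[current] = profiles[current] || {};
      continue;
    }
    const kv = /^([^=]+?)\s*=\s*(.*)$/.exec(line);
    if (kv && current) profiles[current][kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// Provider 1: environment variables. In Lambda the runtime populates these
// from the execution role's temporary credentials before the handler runs.
function fromEnvironment(env) {
  if (!env.AWS_ACCESS_KEY_ID || !env.AWS_SECRET_ACCESS_KEY) return null;
  return {
    source: 'environment',
    accessKeyId: env.AWS_ACCESS_KEY_ID,
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
    sessionToken: env.AWS_SESSION_TOKEN || null,
  };
}

// Provider 2: shared credentials file, profile chosen by AWS_PROFILE or "default".
function fromProfile(env, fileText) {
  const name = env.AWS_PROFILE || 'default';
  const profile = parseCredentialsFile(fileText)[name];
  if (!profile || !profile.aws_access_key_id || !profile.aws_secret_access_key) return null;
  return {
    source: `profile:${name}`,
    accessKeyId: profile.aws_access_key_id,
    secretAccessKey: profile.aws_secret_access_key,
    sessionToken: null,
  };
}

// The chain: the first provider that yields credentials wins and later ones
// are never consulted, so inside Lambda the profile file is irrelevant.
function resolveCredentials(env, fileText) {
  const providers = [() => fromEnvironment(env), () => fromProfile(env, fileText)];
  for (const provider of providers) {
    const creds = provider();
    if (creds) return creds;
  }
  throw new Error('Unable to load AWS credentials from any provider in the chain');
}

// Two constructed environments: the developer's laptop with AWS_PROFILE set,
// and a Lambda sandbox where the runtime has injected the execution role's
// temporary credentials (note the session token, which a long-lived IAM user
// key does not carry).
const DEV_ENV = { AWS_PROFILE: 'sirfak' };
const LAMBDA_ENV = {
  AWS_ACCESS_KEY_ID: 'ASIAEXECUTIONROLEPLACEHOLDER',
  AWS_SECRET_ACCESS_KEY: 'rolePlaceholderSecret',
  AWS_SESSION_TOKEN: 'placeholderSessionToken',
  AWS_PROFILE: 'sirfak',
};

console.log(resolveCredentials(DEV_ENV, CREDENTIALS_FILE).source);
console.log(resolveCredentials(LAMBDA_ENV, CREDENTIALS_FILE).source);
```

The practical consequence is the one sapessi describes: there is nothing to configure in the function's code or environment for credentials, and the only lever is the IAM policy attached to the execution role, which should be scoped to the STS and other calls the /auth handler actually needs.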