Hi,
What you need in the use case that you describe are transient credentials. That is exactly what IAM roles are for.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
To ensure what you want, you have to:
- have the user create his secret(s) under Secrets Manager and be the owner of them (i.e. sole person able to decode them)
- when the user identifies to AWS / application, a role is created with an attached permission policy granting the permission to decode his secrets and with a trust policy allowing the application execution role to assume this new role
- While the user is active, the application can assume the role to be able to decode and use the secrets
- when the user disconnects, the transient role is deleted. So, from this moment again, he is the only one to be able to access the secrets.
Best,
Didier
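The four steps above, written out as an added example (not Didier's code, nor an AWS sample). It assumes boto3 IAM and STS clients are passed in, and the ARNs are constructed placeholders for your own account.

```python
import json
import uuid
from contextlib import contextmanager

# Constructed placeholders; substitute your own account, region and role ARNs.
APP_EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/app-execution-role"
SECRET_ARN_PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret:users/"


def trust_policy(app_role_arn: str) -> dict:
    """Trust policy: only the application's execution role may assume the transient role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": app_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy(user_id: str) -> dict:
    """Permission policy: read only the secrets stored under this user's own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": f"{SECRET_ARN_PREFIX}{user_id}/*",
        }],
    }


@contextmanager
def transient_role(iam, sts, user_id: str, app_role_arn: str = APP_EXEC_ROLE_ARN):
    """Create a per-session role, yield credentials assumed under it, delete it on exit.

    user_id must already be validated against the IAM role-name character set."""
    role_name = f"transient-{user_id}-{uuid.uuid4().hex[:8]}"
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy(app_role_arn)))
    try:
        iam.put_role_policy(RoleName=role_name, PolicyName="user-secrets",
                            PolicyDocument=json.dumps(permission_policy(user_id)))
        # A freshly created role propagates with a delay; a real caller retries AssumeRole briefly.
        creds = sts.assume_role(RoleArn=role["Role"]["Arn"],
                                RoleSessionName=f"session-{user_id}")["Credentials"]
        yield creds
    finally:
        # Inline policies must be removed before IAM will delete the role.
        iam.delete_role_policy(RoleName=role_name, PolicyName="user-secrets")
        iam.delete_role(RoleName=role_name)
```

The `finally` block is what enforces step four: the role is removed even if the application errors mid-session, so nothing but the user's own identity can reach the secrets afterwards.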
Hi Bhanu, I'm going to get a bit creative with the solution to better address your needs.
Your requirement looks like "every user needs to be able to see and use its own secrets, and no one else, not even the app administrators"
I think you can achieve this mixing DynamoDB and Encryption mainly. The most straightforward way to achieve this secrecy is to encrypt the secrets using the user password and store them in DynamoDB. Your application would request the user password, you would retrieve the secrets from DynamoDB (encrypted) and then use the user pw to decrypt them. Then you would store the decrypted secrets in some session storage. Depending on your implementation this may be a hassle, but you could also leverage encryption to help you out here, storing the session data in DynamoDB and using some client-saved secret key passed in each request to decrypt and use said session data. You also need to implement that whenever the user changes their password (you could just expire their stored secrets, or decrypt and re-encrypt). An "I forgot my password" would necessarily invalidate them as well, unless you devise some other method.
This is just a general idea on how to approach your solution, I hope it helps for brainstorming!
Lastly, if you have access to an AWS Solution Architect it would be ideal to run this project by him to help you design your solution!