Python – How to protect the AWS access id and secret key in the python application

amazon-web-servicespython

I'm making an application in Python and using Amazon Web Services in some modules.

I'm now hard coding my AWS access id and secret key in *.py file. Or might move them out to an configuration file in future.

But there's a problem, how can I protect AWS information form other people? As I know python is a language that easy to de-compile.

Is there a way to do this?


Well what I'm making is an app to help user upload/download stuff from cloud. I'm using Amazon S3 as cloud storage. As I know Dropbox also using S3 so I'm wondering how they protects the key.


After a day's research I found something.
I'm now using boto (an AWS library for python). I can use a function of 'generate_url(X)' to get a url for the app to accessing the object in S3. The url will be expired in X seconds.
So I can build a web service for my apps to provide them the urls. The AWS keys will not be set into the app but into the web service.

It sounds great, but so far I only can download objects with this function, upload doesn't work. Any body knows how to use it for uploading?


Does anyone here know how to use key.generate_url() of boto to get a temporary url for uploading stuff to S3?

Best Answer

There's no way to protect your keys if you're going to distribute your code. They're going to be accessible to anyone who has access to your server or source code.

There are two things you can do to protect yourself against malicious use of your keys.

  1. Use the amazon IAM service to create a set of keys that only has permission to perform the tasks that you require for your script. http://aws.amazon.com/iam/

  2. If you have a mobile app or some other app that will require user accounts you can create a service to create temporary tokens for each user. The user must have a valid token and your keys to perform any actions. If you want to stop a user from using your keys you can stop generating new tokens for them. http://awsdocs.s3.amazonaws.com/STS/latest/sts-api.pdf


Specifically to S3 if you're creating an application to allow people to upload content. The only way to protect your account and the information of the other users is to make them register an account with you.

  1. The first step of the application would be to authenticate with your server.
  2. Once your server authenticates you make a request to amazons token server and return a token
  3. Your application then makes a request using the keys built into the exe and the token.
  4. Based on the permissions applied to this user he can upload only to the bucket that is assigned to him.

If this seems pretty difficult then you're probably not ready to design an application that will help users upload data to S3. You're going to have significant security problems if you only distribute 1 key even if you can hide that key from the user they would be able to edit any data added by any user.

The only way around this is to have each user create their own AWS account and your application will help them upload files to their S3 account. If this is the case then you don't need to worry about protecting the keys because the user will be responsible for adding their own keys after installing your application.