Best way to store AWS IoT credentials on a serverless node instance?

Question

My existing locally hosted server loads its iot identity + credentials like so:

function initIot() {
  var device = awsIot.device({
     keyPath: './iot_credentials/ident-private.pem.key',
    certPath: './iot_credentials/ident-certificate.pem.crt',
      caPath: './iot_credentials/rootca.pem',
    clientId: 'iot-server-1',
        host: endpoint
  });

..and I don't commit the private key & cert anywhere. It lives securely on the server disk.

How would I securely migrate this to serverless cloud9 setup running on codestar? Assuming I trust my AWS team, can I just store it in the project's files?

score 1 · Answer 1 · answered Dec 20 '17 at 03:17

Keep out the sensitive data from code regardless of the IDE. There are few options you can consider.

You can use a environmental variable in Lambda to store the file content.
Sore it in S3 private bucket with restricted access and retrieve it in code.
Use DevOps to append the config at CI/CD pipeline.
You can also use AWS KMS to store the sensitive data.

score 0 · Answer 2 · answered Dec 19 '17 at 22:05

0

As long as those files are properly restricted from public access, I think that's fine.

answered Dec 19 '17 at 22:05

rickjerrity

804
1
9
15

Best way to store AWS IoT credentials on a serverless node instance?

2 Answers2