
I have a scenario where I have created an IAM user for a customer's application to access API Gateway and have shared the user's keys (access-code and secret-key) with them. I need to rotate the keys for them every 90 days, but since the access keys for the IAM user are configured in the code, I need to convey the changed access keys so that they can make the code/configuration changes in the application, test, and deploy the application again. This adds an overhead of communicating the changes every 90 days, both for me and for the customer.

I want to follow key rotation without needing to change the code (codebase/configuration). How can it be achieved?

Is there a better way to provide access to customer's application?

Thanks.

divyum

  • Embedding IAM credentials in client software is almost universally considered a dangerously unsafe practice, with limited exceptions for code running in secure/trusted environments where role credentials aren't usable. Your question is a little bit confusing because you seem to be using the word "client" to alternately mean "software that accesses my endpoint" and "customer." Both uses are valid, of course, but seen together it is unclear what level of awareness your customer has, that your access keys are embedded. Can you clarify this, and describe the scenario more fully? – Michael - sqlbot Nov 04 '19 at 19:55
  • @Michael-sqlbot: I have edited the question for better clarity. However, to summarize, I needed to know if there is any way to rotate the keys without making any changes in the code or configuration in the SDK (any language) being used in the application? – divyum Nov 05 '19 at 06:55

1 Answer


Assuming that your client is using an AWS SDK to communicate with AWS, then they should:

  • Remove the credentials from their code
  • Create a ~/.aws/credentials file to store the credentials

Tip: An easy way to create the credentials file is via the AWS Command-Line Interface (CLI) aws configure command.

Then, you could rotate credentials with these steps:

  • Generate a second Access Key/Secret Key and communicate it to the client
  • They replace the credentials in the credentials file and tell you that this is done
  • You disable/delete the original Access Key

John Rotenstein
  • I understand this is one such way but this will also need communication and configuration changes and maybe a deployment. My question is more around a way where I do not need to do any such thing, the application/script should automatically rotate the keys and the client's application should be able to pick the changes without any further changes. – divyum Nov 05 '19 at 06:59
  • Can you tell us more about the client and their application? Do you only have one "client"? Or is this an application that is used by hundreds of users who are "clients"? Have you considered granting the client permission to rotate their own keys on their IAM account? They would make API calls to AWS to generate the new key and disable the old key. – John Rotenstein Nov 05 '19 at 23:28
  • The client is Java Client (single client being used in an application). Have you considered granting the client permission to rotate their own keys on their IAM account? ---> Not yet looked, I can look into this. – divyum Nov 06 '19 at 07:22
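The following is an added example, not code from the question, the answer, or the comments. It carries the answer's three rotation steps through in Python (issue a second key, let the client rewrite ~/.aws/credentials, then disable and later delete the old key), adds the 90-day age check from the question, and includes the scoped policy behind John Rotenstein's comment about letting the customer's user rotate its own keys. It assumes an IAM-like client with boto3's list_access_keys / create_access_key / update_access_key / delete_access_key call shapes; the FakeIam class is a constructed in-memory stand-in so the flow runs offline, and with boto3 you would pass boto3.client("iam") in its place. Key ids and secrets it produces are constructed sample values.

```python
"""Two-key IAM access-key rotation (added example; assumes a boto3-shaped IAM client)."""
import configparser
import io
from datetime import datetime, timedelta, timezone


class FakeIam:
    """Constructed stand-in for boto3's IAM client: same call names and response shapes."""

    def __init__(self):
        self.keys = {}   # user name -> list of access-key metadata dicts
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:   # IAM's real per-user limit
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        self._n += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLE{self._n:04d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": {**key, "SecretAccessKey": f"constructed-secret-{self._n}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def start_rotation(iam, user):
    """Step 1: issue the second key. Refuses if two keys already exist, which means
    an earlier rotation was never finished. Returns (key_id, secret)."""
    if len(iam.list_access_keys(UserName=user)["AccessKeyMetadata"]) >= 2:
        raise RuntimeError(f"{user} already has two keys; finish the previous rotation first")
    key = iam.create_access_key(UserName=user)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def update_credentials_file(existing_text, profile, key_id, secret):
    """Step 2 (client side): rewrite one profile of ~/.aws/credentials so the SDK
    picks up the new key with no code change. Returns the new file text."""
    cp = configparser.ConfigParser(interpolation=None)   # secrets may contain odd characters
    cp.read_string(existing_text)
    if not cp.has_section(profile):
        cp.add_section(profile)
    cp[profile]["aws_access_key_id"] = key_id
    cp[profile]["aws_secret_access_key"] = secret
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def finish_rotation(iam, user, new_key_id, delete=False):
    """Step 3: once the client confirms the swap, deactivate every other key
    (and delete it when delete=True). Returns the retired key ids."""
    retired = []
    for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["AccessKeyId"] == new_key_id:
            continue
        iam.update_access_key(UserName=user, AccessKeyId=k["AccessKeyId"], Status="Inactive")
        if delete:
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
        retired.append(k["AccessKeyId"])
    return retired


def keys_due_for_rotation(iam, user, max_age_days=90):
    """Active keys older than the rotation window (the question's 90-day policy)."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if k["Status"] == "Active" and k["CreateDate"] <= cutoff]


def self_rotation_policy():
    """Policy for the comment's alternative: the customer's IAM user may list, create,
    disable and delete only its own keys. ${aws:username} is an IAM policy variable
    that resolves to the calling user's name, so it cannot touch other users."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                   "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
        "Resource": "arn:aws:iam::*:user/${aws:username}"}]}


if __name__ == "__main__":
    iam, user = FakeIam(), "customer-app"
    old_id, _ = start_rotation(iam, user)            # the key the customer holds today
    new_id, new_secret = start_rotation(iam, user)   # step 1
    creds = update_credentials_file("[default]\naws_access_key_id = OLD\n"
                                    "aws_secret_access_key = OLD\n", "default", new_id, new_secret)
    print(creds)                                     # step 2, done on the customer's host
    print("retired:", finish_rotation(iam, user, new_id))   # step 3
```

Disabling before deleting is the part worth keeping: an Inactive key can be re-enabled with one update_access_key call if the customer's deployment turns out to still use it, whereas a deleted key cannot. Running the same functions against boto3.client("iam") needs only iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and iam:DeleteAccessKey on the customer's user, which is exactly what the self-rotation policy grants when the customer does it themselves.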