
I'm new to using AWS services and Django together, and I'm having trouble finding information about best practices for storing your AWS credentials for Django to access.

I have a basic Django application that's connected to an S3 bucket, so I need to be able to use boto to invoke the connection to the bucket. But I'm not sure how to go about storing the AWS credentials I would need to pipe into my boto functions to use any of the services.

I have read in a few places of people putting their AWS credentials into the settings.py file within their Django project, but this doesn't really feel secure to me. I also looked into AWS Secrets Manager, but it looks to me as though it's more suited for keys related to other services.

Could anyone perhaps explain what my other options are, or why storing them in settings.py is perhaps a safe option?

Really not certain on the best way to go about this one.

Jaimee-lee Lincoln
    Is your Django app running on AWS? Use an IAM role e.g. [for EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html). If you're using django-storages then check that it supports IAM roles / EC2 instance profiles. – jarmod Apr 28 '23 at 01:18
  • I haven't exactly decided how I'll deploy yet, but this is really helpful. Something I can definitely do some research on. Thank you! – Jaimee-lee Lincoln Apr 28 '23 at 01:34
  • See [Use Django-Storages with IAM Instance Profiles](https://stackoverflow.com/questions/46307447/use-django-storages-with-iam-instance-profiles). – jarmod Apr 28 '23 at 01:45

1 Answer

With secrets, there are always two problems:

  1. Which secret store to use, and
  2. How to secure the credentials to access the store

AWS has Parameter Store, which is suitable for storing secrets. Secrets Manager is also suitable. The key difference is that Secrets Manager is not free and offers key rotation capabilities. So there goes problem number 1.

For problem number 2, like any other AWS service, Parameter Store is secured behind IAM. If your Django application runs outside AWS, I think there is no other choice but to let it store the credentials. If it is running inside AWS, however, there is usually a way to associate an IAM role with it. Then, as long as the IAM role has the necessary permissions, it should be able to access your secret store.

Register Sole
  • Thank you, this was super helpful! Just to clarify, it sounds like deploying using EC2 or some other AWS deployment option will make it a lot easier for me to store and access the keys? – Jaimee-lee Lincoln Apr 28 '23 at 01:44
  • @Jaimee-leeLincoln I think AWS Parameter Store is a different thing, whether you use AWS EC2 or Digital Ocean. To get credentials/secrets for your app you just have to call endpoints provided by `aws parameter service`; it doesn't matter if you access it from EC2 or any other service. Correct me if I'm wrong! And yes, you will need an AWS access key ID and secret key to fetch the parameters you stored. – Hemal Patel Apr 28 '23 at 04:49
  • Not necessarily. If the EC2 instance has the correct IAM role, you don't need the secret key. We assume that our server may access the secrets by giving it the correct permissions and simply access them in our application (IAM Assume Role it is: https://4sysops.com/archives/store-secrets-in-aws-secrets-manager/). – FabianClemenz Apr 28 '23 at 05:34
  • @FabianClemenz But to access/set up an IAM role you need an access key and secret, right? – Hemal Patel Apr 28 '23 at 05:42
  • You need access to the AWS console, but not an access key and secret :) – FabianClemenz Apr 28 '23 at 07:01
  • @Jaimee-leeLincoln Yes! For example with EC2, you can [attach](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role) a role to it so that you don't need to physically store any credentials. AWS tools like the CLI and boto3 will usually automatically use it. – Register Sole Apr 29 '23 at 06:31
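The pattern the answer and its comments describe (no long-lived keys in settings.py, boto3 picking up the instance role on its own, any remaining app secrets pulled from Parameter Store at startup) as an added Python example; this is not code from the question, the answer, or django-storages. The parameter names `/myapp/prod/...`, the `FakeSSMClient` class and the `build_storage_settings` helper are constructed for the example; the `get_parameter` call shape and the `Parameter.Value` response field are the real SSM API that boto3 exposes.

```python
"""
Django settings fragment that keeps AWS keys out of settings.py.

boto3 resolves credentials through its default chain (environment variables,
~/.aws/credentials, then the EC2/ECS instance role), so when the app runs on
AWS with an attached IAM role there is nothing to store in the code base.
Only application-level secrets (e.g. Django's SECRET_KEY) are fetched from
SSM Parameter Store, and the role needs ssm:GetParameter (plus kms:Decrypt
for SecureString values) to read them.
"""
import os
from typing import Any, Dict, List, Mapping, Optional

try:
    import boto3  # optional at import time; the example runs offline with a fake client
except ImportError:
    boto3 = None

# Settings that would pin long-lived keys into the project. Leaving them unset
# makes django-storages defer to boto3's credential chain (and thus the role).
LONG_LIVED_KEY_SETTINGS = (
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AWS_S3_ACCESS_KEY_ID",
    "AWS_S3_SECRET_ACCESS_KEY",
)


def hardcoded_key_settings(settings: Mapping[str, Any]) -> List[str]:
    """Return the names of long-lived key settings that are populated.

    Called once at startup so a deploy that accidentally re-introduces static
    keys fails loudly instead of silently bypassing the IAM role.
    """
    return [name for name in LONG_LIVED_KEY_SETTINGS if settings.get(name)]


def get_parameter(name: str, ssm_client: Optional[Any] = None, decrypt: bool = True) -> str:
    """Read one value from SSM Parameter Store.

    ssm_client is injectable for tests; in production it is boto3.client("ssm"),
    whose credentials come from the role, never from arguments in code.
    """
    if ssm_client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is not installed; pass an ssm_client explicitly")
        ssm_client = boto3.client("ssm")
    response = ssm_client.get_parameter(Name=name, WithDecryption=decrypt)
    return response["Parameter"]["Value"]


def build_storage_settings(environ: Mapping[str, str], ssm_client: Optional[Any] = None) -> Dict[str, Any]:
    """Compose the settings a django-storages S3 backend needs.

    Non-secret configuration (bucket, region) comes from the environment;
    the only secret pulled here is Django's own SECRET_KEY, and no AWS key
    material is produced at all.
    """
    prefix = environ.get("PARAM_PREFIX", "/myapp/prod")  # constructed naming scheme
    settings: Dict[str, Any] = {
        # Pre-4.2 setting name; Django 4.2+ expresses the same via STORAGES.
        "DEFAULT_FILE_STORAGE": "storages.backends.s3boto3.S3Boto3Storage",
        "AWS_STORAGE_BUCKET_NAME": environ["AWS_STORAGE_BUCKET_NAME"],
        "AWS_S3_REGION_NAME": environ.get("AWS_DEFAULT_REGION", "us-east-1"),
        "SECRET_KEY": get_parameter(f"{prefix}/django_secret_key", ssm_client),
    }
    leaked = hardcoded_key_settings(settings)
    if leaked:
        raise RuntimeError(f"static AWS keys present in settings: {leaked}")
    return settings


class FakeSSMClient:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self, store: Mapping[str, str]) -> None:
        self._store = dict(store)
        self.calls: List[Dict[str, Any]] = []

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> Dict[str, Any]:
        self.calls.append({"Name": Name, "WithDecryption": WithDecryption})
        # Mirrors the real response shape: {"Parameter": {"Name": ..., "Value": ...}}
        return {"Parameter": {"Name": Name, "Value": self._store[Name]}}


if __name__ == "__main__":
    fake = FakeSSMClient({"/myapp/prod/django_secret_key": "constructed-secret"})
    env = {"AWS_STORAGE_BUCKET_NAME": "my-media-bucket", "AWS_DEFAULT_REGION": "eu-west-1"}
    print(build_storage_settings(env, ssm_client=fake))
```

In settings.py the call would be `globals().update(build_storage_settings(os.environ))`; on EC2 or ECS with a role attached, `boto3.client("ssm")` and the S3 backend both authenticate without any key appearing in the repository, the image, or the environment.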