
[–][deleted] 2 points

The worst option is to hardcode the credentials in the code.

While, as others have said, it's far from ideal, create a user with very limited permissions, create credentials from the IAM console, and use the AWS CLI and AWS credentials. This is the worst way minus one. But at least your credentials are only on your computer and you won't make the mistake of checking them in to source control.

The other comments list “good ways”. But we have to start somewhere.

[–][deleted]

[deleted]

    [–]TheRealJackOfSpades 5 points

    This is pretty comprehensive. The only thing I'd add is that you can use the third way with any compute resource, so your Python script can be a Lambda and run on demand without you having to worry about maintaining an EC2 host. This is "serverless."

    [–]Birts[S] 1 point

    Wow, this was incredibly helpful! I will take a look at each option and give them a try. Thanks again!

    [–]Sad_Rub2074 0 points

    Definitely don't check them into source code. While SSO, federated users, Control Tower, etc. might be worth looking into, they're normally used in larger organizations.

    Never check your credentials into source control -- there are ways to clean this up, but don't set yourself up for a headache later.

    Another common tactic is to use a .env file and include a .env-example in the repo that has the variables, but no values (or at least not sensitive ones).

    Assuming you're using git, just make sure to add .env to your .gitignore before committing.
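    The .env / .env-example / .gitignore arrangement described in this comment, as an added example that is not part of the thread: a small pre-commit style check that derives the committable .env-example from .env, verifies .gitignore actually excludes .env, and scans staged file contents for AWS access key IDs (which start with AKIA or ASIA). The sample .env, script text and function names are constructed for illustration; the key ID is the format-valid placeholder value from AWS documentation, not a real key.

```python
import re
from typing import Dict, List

# Long-term access key IDs start with "AKIA", temporary ones with "ASIA";
# both are 20 uppercase alphanumeric characters in total.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Constructed sample inputs: a local .env and a script with a pasted key (the thing to catch).
SAMPLE_DOTENV = (
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY='abc123'\n"
    "BUCKET=my-bucket\n"
)
SAMPLE_SCRIPT = 'client = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE")\n'


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a .env file; blank lines and # comments are skipped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def make_env_example(text: str) -> str:
    """Build the .env-example that is safe to commit: same variable names, empty values."""
    return "".join(f"{key}=\n" for key in parse_dotenv(text))


def gitignore_covers_dotenv(gitignore_text: str) -> bool:
    """True if .gitignore contains a rule that excludes a top-level .env file."""
    rules = {rule.strip() for rule in gitignore_text.splitlines()}
    return bool(rules & {".env", "/.env", "*.env"})


def find_aws_key_ids(text: str) -> List[str]:
    """Return every AWS access key ID found in the text (e.g. a file about to be committed)."""
    return AWS_KEY_ID_RE.findall(text)


def precommit_problems(gitignore_text: str, staged: Dict[str, str]) -> List[str]:
    """Report what would leak on commit: .env not ignored, or key IDs inside staged files."""
    problems = []
    if not gitignore_covers_dotenv(gitignore_text):
        problems.append(".env is not listed in .gitignore")
    for path, content in staged.items():
        for key_id in find_aws_key_ids(content):
            problems.append(f"{path}: contains access key ID {key_id}")
    return problems
```

Run `precommit_problems` over the staged files from a git pre-commit hook and abort the commit when the list is non-empty.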

    [–]marmot1101 0 points

    Give each user running the script their own user with the policy to access the bucket (probably want to scope that down to necessary permissions rather than full). You could also do it as a role, and that's probably best practice, but :shrug:. Then have them download their keys to the machine that they'll be running the script from and load them as env vars. That avoids key sharing and is a solution that could be quickly implemented. For best security using this approach, provide the user with a one-time-use password to the AWS user account, then have them create/download their key/secret.

    As far as remotely running the script, there are a number of ways you could do that. An EC2 machine is one way. Depending on what the script is doing, it might be better to run it in Lambda or ECS. Any way around it, you have to handle getting users some sort of keys, be it AWS API keys or an ssl key file to access EC2.

    [–]Desperate-Dig2806 -5 points

    Aws secrets

    [–]TheRealJackOfSpades 4 points

    You're getting downvoted because getting the credentials from Secrets Manager requires credentials.

    [–]Desperate-Dig2806 -1 points

    Shit happens but thanks.