I am wondering if its safe enough to put the AWS Api Credentials (or credentials in general) in a .conf file? I dont think so and want to ask if there is any easy to use approach to encrypt and decrypt the credentials. I am using JAVA with Eclipse IDE. Does anyone have a hint for a newbie in this section?
What is the ".conf" file? Is it a configuration file for an application? If that's the case, then no, it's not safe enough.
Amazon has a document describing best practices for access keys. Their recommendation for applications is to attach a role to whatever is running the application (EC2 / ECS / Lambda).
The biggest benefit of using a role is that the credentials it provides are temporary: they have a maximum lifetime of 12 hours, and a default lifetime of 1 hour. So if someone manages to extract them from your server, they won't be able to do long-term damage (unlike the "permanent" access keys associated with users).
While that helps, you still need to restrict the scope of those credentials (ie, don't use wildcards in their permission policies). And you should be monitoring your deployment for invalid credential use (ie, an API call that is made from somewhere outside of your VPC).
If you're talking about credentials for development use, AWS already has a place to store those. However, you don't need to store credentials anywhere if you use AWS Single-SignOn, which gives you limited-lifetime credentials for CLI/SDK use.
And if you're talking about credentials for a mobile application, look into Cognito and AWS Amplify.
Related
Let's say we have a very simple Java application, that edits resources on remote servers, that it authenticates with using Access Tokens. Application always uses the same identity, so it is always using the same client id, secret and refresh token to obtain access token.
The whole authentication process is supposed to go through without user intervention and app should perform actions automatically triggered by the user from another application. The other app is sending HTTP requests, but the whole thing would only be accessed in internal network and there would be no "legal" way to access it outside of it.
Is there a way to keep this data (refresh token, client id, secret...) securely within my application?
I have seen similar questions, but they all talked about websites and cookies, but this is supposed to happen under the hood, without any frontend etc. so I don't think those apply to my issue.
Edit: the application will be deployed on an internal server so it's not a Desktop solution. Basically there is an internal app that will send HTTP request to mine, triggering edit on a remote server that is outside of the internal network.
It is not a good idea to store client secrets, access tokens, refresh tokens etc in persistence storage unless it is stored in a secret store (like Vault). But there are other options.
If you are using Spring then you can use Spring OAuth2RestTemplate or else you can write something similar by looking at the code.
It acquires or renews an access token transparently and caches to avoid round trips to Authorization server.
The simplest option is to use memory storage, but if that diesn't work because you need to deal with restarts etc, operating systems provide per-user secure storage. This is a model sometimes used by OAuth desktop or console clients:
Credential Manager on Windows
Keychain on macOS
Passwords and Keys on Linux
It would require some native interop to interact with these credential stores, via use of a library such as java-keytar.
DESKTOP EXAMPLE
For something to compare against see these resources of mine:
Node.js desktop keytar code
This blog post has some related screenshots towards the end
I am following: AWS Docs to setup the credentials. The problem is that it requires me to create a .aws folder in the machine. I want to get the keys and other secrets from a custom location. How can it be achieved?
P.S. If I follow the tutorial recommendation then all machines running the project would have to setup that .aws folder which would be a big hassle for everyone.
Where exactly would you suggest getting the credentials from? You could store them somewhere else, like a HashiCorp Vault server, and write a script or something to pull the values and set them as environment variables, but then you'll need to figure out how to give each computer secure credentials to access the Vault server.
If by "custom location" you simply mean a different local file system location, like a mapped drive or something, then you can specify that using the AWS_CREDENTIAL_PROFILES_FILE environment variable. Although it sounds like you want to do this on multiple people's workstations, and I would caution against sharing credentials files in that scenario. You really want to assign each person different AWS access keys so that you can track each person's AWS API actions, and revoke one person's access if they leave the company or something.
I recommend reading this page for understanding all the options to configure credentials for the AWS SDK.
Assuming you are using Amazon EC2 to host your application, then you can use IAM role to grant permissions, by attaching IAM role to your EC2 instances.
Furthermore, using IAM role avoid storing sensitive credential file in your instances.
Read this document, or watch this video to implement it.
My java service will run on my computers (let's say I'll have more than 1000 computers) and will send some data to S3. I use AWS Java SDK for it.
If I'm right, for doing it I need to use access key & secret key on my computers. (let's say it will be in .aws/credential file)
I read a lot of AWS documentation about the best practices for resources programmatic access, but still can't understand it.
Rotating access keys. After an access key is rotated, how can I change it in all applications that run my computers? Should my application be self-updated?
Temporary credentials. In this approach I still need to have access key & secret key on my computers. If yes, I have the same problem as in Q1.
Can somebody advise me what the best way and secure to programmatically access AWS resources in my situation? What do I need to do with access key & secret key?
Thank you.
UPDATES:
Computers are in different networks
Java app sends to S3 and also reads from S3
New computers can be added every time
The computers will need AWS credentials to talk with S3.
The simplest way is to store the credentials on each computer. However, as you say, it makes it hard to rotate the keys.
Another option is to store the credentials in a database that they can access, so they always get the latest credentials. However, they will need some sort of login to access the database.
Alternatively, you could setup identity federation, so that that the computers can authenticate against something like Active Directory, and then you can write a central service that will provide temporary credentials to each computer.
The process is basically:
The computers authenticate to AD
They call your service and prove that they are authenticated to AD
Your service then calls STS and generates temporary credentials valid for up to 36 hours
It provides those credentials to the computers
See: GetFederationToken - AWS Security Token Service
AFAIK you need to ensure that your application on computer has up-to-date access key. My recommendation is to store the access key on centralized place from which application will retrieve it. Thus, once you rotate the key and update the centralized storage, it will be reflected in all your application instances.
The AWS Java SDKs use a credential chain. The credential chain just means the SDK will look for credentials in 6 different places in this order:
Java system properties–aws.accessKeyId and aws.secretAccessKey. The AWS SDK for Java uses the SystemPropertyCredentialsProvider to load these credentials.
Environment variables–AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
The default credential profiles file– The specific location of this file can vary per platform, but is typically located at ~/.aws/credentials. This file is shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials.
You can create a credentials file by using the aws configure command provided by the AWS CLI. You can also create it by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format.
Amazon ECS container credentials– This is loaded from Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The AWS SDK for Java uses the ContainerCredentialsProvider to load these credentials.
Instance profile credentials– This is used on Amazon EC2 instances, and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider
to load these credentials.
https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html
I searched a lot, but it seems impossible to find a solution from start to finish to this topic. As a premise, I've already implemented Cognito sign-up, sign-in and refresh of credentials in two native apps for both iOS and Android, so I have developed a (at least) basic understanding of the authentication flow.
These mobile apps use the simplest cognito setup possible: a user pool, an identity pool with a IAM role for authenticated users and no unauthenticated usage possible. I'm not using (at least for now) Facebook, Google or Amazon login, nor other authentication methods.
Now I need to make a desktop version of those apps in Java, and it seems to me a completely different beast. What I would like to do is this:
Open the login window in my Java desktop application;
Insert username and password in their fields and press a login button;
Getting some credentials and start using the application connecting to other AWS services, specifically I need to use S3, Lambda and DynamoDB.
The way to achieve this is on paper reasonably simple:
Get a token from a Cognito user pool;
Give this token to a Cognito identity pool in exchange for some credentials;
Use this credentials to access other AWS services.
After reading a lot of documentation, downloading a lot of different projects examples and a lot of despair, I've eventually found the way to implement this in the mobile apps. For example, in Android the authentication flow works like this:
Instantiate a CognitoUserPool, using a UserPoolID, an AppClientID, a PoolRegion and (optionally) a ClientSecret;
Instantiate a credential provider, using an IdentityPoolID and a PoolRegion;
In the app UI, insert a username and password, and press the Login button;
Retrieve a CognitoUser using that username from the UserPool instantiated earlier;
Get a CognitoUserSession for that CognitoUser, using an AuthenticationHandler with various callbacks to pass the password when needed;
Add that CognitoUserSession to the credentials provider instantiated earlier, in form of a TokenKey + the JWT token extracted from the session.
At this point, whenever I need to access S3, Lambda or DynamoDB, I simply pass this credentials provider as a parameter for their clients constructors.
To implement the same functionality with the Java SDK seems to me much more difficult.
I managed to implement users Sign-Up fairly easily. However with users Sign-In I don't know where to start at all.
Every example does this in a different way. On top of that, every example uses particular use cases such as developer authenticated Sign-Ins, or custom urls to connect to some owned backend. Why is so difficult to find an example for a basic use case like the one I need? I'm starting to think my basic use case is not basic at all, but rather atypical. Why would login with a username and a password against the default users/credentials service for AWS be atypical, however, I don't really know.
The best I've done so far is copying the relevant classes from this example project (from which I've also taken the Sign-Up part, that works pretty well) and getting to print the IdToken, AccessToken and RefreshToken in the console. They are printed correctly and are not null.
What I cant't really understand is how to get the credentials and add them to a credentials provider in order to instantiate the clients to access other AWS services. The only way I see in the project to do that is to call the method
Credentials getCredentials(String accessCode)
which I suppose it should accept the access code retrieved with the InitAuth method (that starts an OAuth2.0 authentication flow, please correct me if I am wrong). The problem is that I can't find a way to retrieve that code. I can't find an online example of an access code to see how it looks. I tried to put one of the tokens and the web request responds
{"error":"invalid_grant"}
which suggests its not a valid code, but at least the web request is valid.
To make it more clear, what I can do is this:
String username; //retrieved from UI
String password; //retrieved from UI
//I copied AuthenticationHelper as is from the project
AuthenticationHelper helper = new AuthenticationHelper(POOL_ID, CLIENT_APP_ID, CLIENT_SECRET);
//I then retrieve the tokens with SRP authentication
AuthenticationResultType result = helper.performSRPAuthentication(username, password);
//Now I can successfully print the tokens, for example:
System.out.println(result.getAccessToken());
How can I retrieve the credentials from here? Where I should put the identity pool id? In Android I simply add the JWT token to an HashMap and use it like
credentialsProvider.setLogins(loginsMap).
Furthermore, this project contain classes with hundreds of lines of code, BigInteger variables, hardcoded strings of many lines of random characters (some sort of key or token I suppose) and other black magic like that (especially in the AuthenticationHelper class). Another thing I don't like about this solution is that it retrieves credentials through manually written web requests (with another separated class created ad hoc to make the request). Really isn't there in the Java SDK some handy method that wraps all those things in a bunch of elegant lines of code? Why call it an SDK than? The iOS and Android SDKs handle all that on their own in such a simpler way. Is this due to the fact that they expect a developer of desktop app to be way more able/expert, in contrast to the average guy that some day, getting up from bed, decides to make an iOS/Android app [alludes to himself]? This would explain their effort to make the mobile SDKs so developer-friendly in comparison.
Onestly I find really hard to believe that I have to do that, reading who knows what on a doc page who knows where, to Sign-In a user, which makes me think that I'm really missing something. I literally read every stack exchange question and documentation I was able to find. The fact is that there is almost always an AWS documentation page for what I need, but to actually find it is not so simple sometimes, at least for Cognito documentation.
I read that I can put a file with the needed credentials in the PC filesystem and the Java SDK will use those credentials to access all the resources, however from my understanding this method is reserved to Java applications running on a server as a backend (servlets), where the end user can't access them through his browser. My application is a desktop app for end-users, so I can't even consider to leave AWS credentials on the user PC (please correct me if I'm wrong, I would really love to make something so simple).
What really scares me is that Sign-In with a user pool and identity pool might not be possible at all. I know that Cognito related stuff was added to the Java SDK much later it was available for iOS, Android and JavaScript. But if they added it, I suppose It should support an authentication flow at least similar to those of the mobile counterparts.
What worsen the problem even more is that I initially made all the functionalities of my application to work offline. I thought that I would have eventually integrated AWS in the app. In this way the application is a bit more modular, and the AWS related stuff in concentrated in a package, detatched from the rest of the application logic and UI. In my sea of ignorance this seems a good practice to me, but now, if I cannot manage to resolve this problem, I've thrown months of work in the trash, only to realize that I have to build a web app beacuse JavaScript is much more supported.
Even on MobileHub the only options to create a ClientApp on Cognito is for iOS, Android, JavaScript and React-something.
When documentation or examples are provided for other languages/SDKs, Java is often omitted and the most frequent I see among the options is .NET.
To make my frustration even bigger, everytime I search something on a search engine, the fact that the word "Java" is contained in the word "JavaScript" obfuscates the few results that could be useful, because all the JavaScript SDK related stuff is generally higher ranked in the search engines than Java's (this could explain in part why .NET related stuff seems more easy to find, at least on StackOverflow or others Q&A sites).
To conclude, all of this created some questions in my head:
Why so few people seem to need this authentication method (with username and password)? It seems to me a pretty common and reasonable use case for a desktop application. I know that web apps growth is through the roof, but given that Java is one of the most used languages today, how is it possible that nobody needs to do a simple login from a desktop application? Which leads to the next question:
Is there something inherently bad/wrong/risky/stupid in using the Java SDK for a desktop application? Is it intended only for usage on a server as backend or for a web app? What should be the solution than, to make a desktop application that connects to AWS services? It is wrong to do an AWS connected desktop app at all? Should a web app the only option to consider? Why? I opted for Java to implement an application that would run on Widows, macOS and Linux. I also chose Java because i thought it would be mostly similar to the Android SDK in its usage, given its code should be indipendent from the platform UI, making simple to reuse code. I was wrong.
If there's nothing wrong in using the Java SDK like this, could some
good soul please help me find an example that goes from putting a
username and a password in two fields, and instantiate a client to
access other AWS services (such as an S3 client) in a Java desktop
application?
Tell me everything you need to know and I'll edit the question.
Please someone help me, I'm loosing my mind.
Probably too late for the OP but here is the process I used to get credentials from Cognito after obtaining the JWT identity token. Once the JWT is obtained through SRP Authentication I got the Identity Id using the Federated Pool Id and passing a login map of the Cognito Idp Url and the JWT. The url is completed with your aws region and your Cognito User Pool Id.
//create a Cognito provider with anonymous creds
AnonymousAWSCredentials awsCreds = new AnonymousAWSCredentials();
AmazonCognitoIdentity provider = AmazonCognitoIdentityClientBuilder
.standard()
.withCredentials(new AWSStaticCredentialsProvider(awsCreds))
.withRegion(REGION)
.build();
//get the identity id using the login map
String idpUrl = String.format("cognito-idp.%s.amazonaws.com/%s", REGION, cognitoUserPoolId);
GetIdRequest idrequest = new GetIdRequest();
idrequest.setIdentityPoolId(FED_POOL_ID);
idrequest.addLoginsEntry(idpUrl, jwt);
//use the provider to make the id request
GetIdResult idResult = provider.getId(idrequest);
return idResult.getIdentityId();
If you're using a different login provider then that url needs to change, but this should get the Identity Id. Next its a similar request to get the IAM credentials by passing the Identity Id and that same login map.
//create a Cognito provider with anonymous creds
AnonymousAWSCredentials awsCreds = new AnonymousAWSCredentials();
AmazonCognitoIdentity provider = AmazonCognitoIdentityClientBuilder
.standard()
.withCredentials(new AWSStaticCredentialsProvider(awsCreds))
.withRegion(REGION)
.build();
//request authenticated credentials using the identity id and login map for authentication
String idpUrl = String.format("cognito-idp.%s.amazonaws.com/%s", REGION, cognitoUserPoolId);
GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest();
request.setIdentityId(identityId);
request.addLoginsEntry(idpUrl, jwt);
//use Cognito provider to perform credentials request
GetCredentialsForIdentityResult result = provider.getCredentialsForIdentity(request);
return result.getCredentials();
This took me a full week to figure out. AWS Java documentation is pretty terrible in my opinion. Hopefully this helps someone out.
I'm developing an budgeting application that uses a set of tokens and secret keys to access an external financial service, where a token-secret pair map to a single account. In this system, a user can have multiple accounts and therefore multiple sets of token-secret pairs. The token and secret can be used to access the transactions for an account, which means that the token-secret pairs should be securely stored (and be guarded against nefarious access or tampering). Although these pairs should be securely stored, the external financial service API requires the token and secret in plaintext.
What is a secure technique for storing these credentials at rest but providing the external service API with the original, plaintext credentials?
My application is a REST-based Spring Boot application written in Java 9+. Although there have been other answers I've seen on this topic, many of them are specific to Android and use Android security techniques (as are thus not applicable to my application). This application also uses Spring Data MonogDB to store other non-sensitive information, but if another technology is required for satisfying the above security requirements, I am open to suggestions.
This is not a problem that can be solved inside Java.
The token and secret can be used to access the transactions for an account, which means that the token-secret pairs should be securely stored (and be guarded against nefarious access or tampering).
The fundamental issue is who you are securing this against:
If you are trying to secure it against the people who manage the platform, it is pretty much unsolvable1.
If you are trying to secure it against "ordinary" (i.e. non-privileged) users, then you can either rely on ordinary file system security (plus standard service "hardening"), or you can use something like a Spring Vault or a Hardware Security Module if local file system security is insufficient2.
If you are trying to secure against a hacker who might be able to acquire the privilege of a full administrator, this is probably unsolvable too. (Though a hacker may need to be sophisticated ... )
Note that you can do things like saving the secrets in a Java keystore, but in order to do that the JVM needs the secret key to the keystore in order to get the secret. And where do you store that secret?
Aside:
... many of them are specific to Android and use Android security techniques (as are thus not applicable to my application).
Those techniques typically assume that the platform itself is secure, and / or that it hasn't been "rooted" by the user.
1 - So, if your goal is to embed some secrets in an app that you give to a client to use ... give up. If that problem was solvable, priracy of software, music, videos, etcetera would have a simple and reliable technological solution. Clearly ... it hasn't.
2 - For a lot of purposes, it isn't sufficient. However, the decision should be based on an assessment the risks, and balancing risks versus the cost / severity of the consequences of security failure.