Correct strategy for getting secrets on local go application-Golang-php.cn

Home

Backend Development

Golang

Correct strategy for getting secrets on local go application

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Feb 08, 2024 pm 10:42 PM

在本地 go 应用程序上获取机密的正确策略

php editor Banana brings you an article about the correct strategy for obtaining secrets for local Go applications. In modern application development, protecting the security of sensitive information is crucial. This article will share some effective strategies to help developers correctly obtain and use confidential information in native Go applications to ensure data confidentiality and integrity. Whether it's database passwords, API keys, or other sensitive information, proper handling and storage is key to keeping your application secure. Let’s dive into how to handle confidential information securely!

Question content

Playing a small project on aws:

golang application
rds/mysql database
Secret Manager
api gateway and lambda

I'm running the go application locally to verify interaction with the database, but I can't get it to work with the secret manager.

Use this sample code:

func getcreds() {
    config, err := config.loaddefaultconfig(context.todo(), config.withregion(region))
    if err != nil {
        log.fatal(err)
    }

    svc := secretsmanager.newfromconfig(config)
    input := &secretsmanager.getsecretvalueinput{
        secretid:     aws.string(secretname),
        versionstage: aws.string("awscurrent"),
    }

    result, err := svc.getsecretvalue(context.todo(), input)
    if err != nil {
        log.fatal(err.error())
    }

    var secretstring string = *result.secretstring
    log.printf("pwd: %s", secretstring)
}

I understand

operation error secrets manager: getsecretvalue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no ec2 imds role found, operation error ec2imds

If I understand correctly, I need to add permissions to the user/policy. But where to add this? In the iam console? Or the secret manager console?

What should it be?

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "<what to add here>"},
            "Resource": "<and here>"
        }
    ]
}

Workaround

go The application cannot find the credentials to use the aws api.

According to (Configuration Credentials) you can use this code to automatically use ~/.aws/config as your local credentials

sess := session.must(session.newsessionwithoptions(session.options{
    sharedconfigstate: session.sharedconfigenable,
}))

If you provide custom configuration, you must provide credentials. There are other methods, choose the one that works for you. aws proposed the above method.

This includes running with your user. For aws execution, you need to grant the lambda function access to the key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
            ]
        }
}

The above policy must be applied to the iam role used to execute the lambda. You can find roles aws console -> lambda -> your lambda -> configuration -> permissions -> execution role

The above is the detailed content of Correct strategy for getting secrets on local go application. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:stackoverflow. If there is any infringement, please contact admin@php.cn delete

How do you use the pprof tool to analyze Go performance?Mar 21, 2025 pm 06:37 PM

The article explains how to use the pprof tool for analyzing Go performance, including enabling profiling, collecting data, and identifying common bottlenecks like CPU and memory issues.Character count: 159

How do you write unit tests in Go?Mar 21, 2025 pm 06:34 PM

The article discusses writing unit tests in Go, covering best practices, mocking techniques, and tools for efficient test management.

How do I write mock objects and stubs for testing in Go?Mar 10, 2025 pm 05:38 PM

This article demonstrates creating mocks and stubs in Go for unit testing. It emphasizes using interfaces, provides examples of mock implementations, and discusses best practices like keeping mocks focused and using assertion libraries. The articl

How can I define custom type constraints for generics in Go?Mar 10, 2025 pm 03:20 PM

This article explores Go's custom type constraints for generics. It details how interfaces define minimum type requirements for generic functions, improving type safety and code reusability. The article also discusses limitations and best practices

Explain the purpose of Go's reflect package. When would you use reflection? What are the performance implications?Mar 25, 2025 am 11:17 AM

The article discusses Go's reflect package, used for runtime manipulation of code, beneficial for serialization, generic programming, and more. It warns of performance costs like slower execution and higher memory use, advising judicious use and best

How do you use table-driven tests in Go?Mar 21, 2025 pm 06:35 PM

The article discusses using table-driven tests in Go, a method that uses a table of test cases to test functions with multiple inputs and outcomes. It highlights benefits like improved readability, reduced duplication, scalability, consistency, and a

What are the vulnerabilities of Debian OpenSSLApr 02, 2025 am 07:30 AM

OpenSSL, as an open source library widely used in secure communications, provides encryption algorithms, keys and certificate management functions. However, there are some known security vulnerabilities in its historical version, some of which are extremely harmful. This article will focus on common vulnerabilities and response measures for OpenSSL in Debian systems. DebianOpenSSL known vulnerabilities: OpenSSL has experienced several serious vulnerabilities, such as: Heart Bleeding Vulnerability (CVE-2014-0160): This vulnerability affects OpenSSL 1.0.1 to 1.0.1f and 1.0.2 to 1.0.2 beta versions. An attacker can use this vulnerability to unauthorized read sensitive information on the server, including encryption keys, etc.

How can I use tracing tools to understand the execution flow of my Go applications?Mar 10, 2025 pm 05:36 PM

This article explores using tracing tools to analyze Go application execution flow. It discusses manual and automatic instrumentation techniques, comparing tools like Jaeger, Zipkin, and OpenTelemetry, and highlighting effective data visualization

See all articles