Correct strategy for getting secrets on local go application

WBOY
Release: 2024-02-08 22:42:08

php editor Banana brings you an article about the correct strategy for obtaining secrets in local Go applications. In modern application development, protecting sensitive information is crucial. This article shares some effective strategies to help developers correctly obtain and use confidential information in local Go applications to ensure data confidentiality and integrity. Whether it's database passwords, API keys, or other sensitive information, proper handling and storage is key to keeping your application secure. Let's dive into how to handle confidential information securely!

Question content

Playing with a small project on AWS:

  • Golang application
  • RDS/MySQL database
  • Secrets Manager
  • API Gateway and Lambda

I'm running the Go application locally to verify interaction with the database, but I can't get it to work with Secrets Manager.

Using this sample code:

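import (
    "context"
    "log"

    "github.com/aws/aws-sdk-go-v2/aws"
    "github.com/aws/aws-sdk-go-v2/config"
    "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)

// region and secretName are defined elsewhere in the program.
func getCreds() {
    // Resolve region and credentials through the SDK's default chain.
    cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
    if err != nil {
        log.Fatal(err)
    }

    svc := secretsmanager.NewFromConfig(cfg)
    input := &secretsmanager.GetSecretValueInput{
        SecretId:     aws.String(secretName),
        VersionStage: aws.String("AWSCURRENT"),
    }

    result, err := svc.GetSecretValue(context.TODO(), input)
    if err != nil {
        log.Fatal(err.Error())
    }

    // Prints the secret value; only for this local debugging session.
    var secretString string = *result.SecretString
    log.Printf("pwd: %s", secretString)
}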

I get:

operation error secrets manager: getsecretvalue, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no ec2 imds role found, operation error ec2imds

If I understand correctly, I need to add permissions to the user/policy. But where do I add this? In the IAM console? Or the Secrets Manager console?

What should it be?

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "<what to add here>"},
            "Resource": "<and here>"
        }
    ]
}

Workaround

The Go application cannot find the credentials to use the AWS API.

According to (Configuration Credentials), you can use this code to automatically use ~/.aws/config as your local credentials:

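// AWS SDK for Go v1: package github.com/aws/aws-sdk-go/aws/session.
// SharedConfigEnable makes the session load ~/.aws/config as well.
sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable,
}))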

If you provide custom configuration, you must provide credentials. There are other methods; choose the one that works for you. AWS proposed the above method.

This covers running with your user. For the AWS execution, you need to grant the Lambda function access to the secret:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c"
            ]
        }
    ]
}

The above policy must be applied to the IAM role used to execute the Lambda. You can find the role under AWS console -> Lambda -> your Lambda -> Configuration -> Permissions -> Execution role.
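
A diagnostic for the error in the question, as an added example that is not part of the original question or answer: it checks the local sources in the order the SDK's default chain consults them (environment variables, then ~/.aws/credentials, then ~/.aws/config) and reports the first that would supply credentials. It assumes the default file locations and a simplified list of credential-bearing config keys; the function names `iniKeys` and `credentialSource` are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// iniKeys returns the keys defined in one [section] of an AWS-style INI file.
func iniKeys(content, section string) map[string]bool {
	keys, inSection := map[string]bool{}, false
	for _, line := range strings.Split(content, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "[") {
			inSection = strings.TrimSpace(strings.Trim(line, "[]")) == section
		} else if k, _, ok := strings.Cut(line, "="); ok && inSection {
			keys[strings.TrimSpace(k)] = true
		}
	}
	return keys
}

// credentialSource names the first local source that would yield credentials.
func credentialSource(getenv func(string) string, credsFile, configFile string) string {
	if getenv("AWS_ACCESS_KEY_ID") != "" && getenv("AWS_SECRET_ACCESS_KEY") != "" {
		return "environment variables"
	}
	profile, section := getenv("AWS_PROFILE"), "default"
	if profile == "" {
		profile = "default"
	} else if profile != "default" {
		section = "profile " + profile // the config file prefixes named profiles
	}
	if k := iniKeys(credsFile, profile); k["aws_access_key_id"] && k["aws_secret_access_key"] {
		return "credentials file [" + profile + "]"
	}
	k := iniKeys(configFile, section) // key list below is simplified (example's assumption)
	for _, key := range []string{"aws_access_key_id", "sso_session", "sso_start_url", "role_arn", "credential_process"} {
		if k[key] {
			return "config file [" + section + "] via " + key
		}
	}
	return "none" // the SDK then falls through to EC2 IMDS, absent on a laptop
}

func main() {
	home, _ := os.UserHomeDir()
	creds, _ := os.ReadFile(home + "/.aws/credentials") // a missing file reads as empty
	conf, _ := os.ReadFile(home + "/.aws/config")
	fmt.Println("credential source:", credentialSource(os.Getenv, string(creds), string(conf)))
}
```

A result of `none` on a local machine corresponds to the `no ec2 imds role found` error quoted in the question; a config file that only sets `region` also yields `none`.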


source:stackoverflow.com