[MapServer-users] security of S3 credentials in Mapfile

Peter Schmitt pschmitt at gmail.com
Thu Dec 22 12:29:21 PST 2022


On Thu, Dec 22, 2022 at 8:42 AM Marcin Niemyjski via MapServer-users <
mapserver-users at lists.osgeo.org> wrote:

>
> is it safer than keeping credentials in mapfile or is it just another way
> of providing them to mapserver?
>
> Please tell me. Is keeping credentials in the mapfile an optimal and safe way?
>
>
I would try to avoid ever using AWS credentials directly as environment
variables.  Instead, let GDAL use properly configured credentials from
~/.aws/config or, when running on an EC2 instance, GDAL can fetch instance
profile credentials.  If AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are
accidentally leaked, an attacker could get whatever access is allowed
through those keys.  In cases where those keys allow IAM access, bad things
can happen.  Most tooling (the AWS CLI, AWS SDKs, GDAL) should allow for
authentication without ever having to copy/paste AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY directly.  See the section starting "Several
authentication methods are possible" from
https://gdal.org/user/virtual_file_systems.html#vsis3-aws-s3-files

Cheers,
Pete
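
As an added example (not part of the original message and not MapServer or GDAL code), this audit finds static AWS keys before they leak, assuming they would be embedded through the mapfile's CONFIG directive or set as process environment variables. The sample mapfile and every value in it are constructed.

```python
import os
import re

# GDAL /vsis3/ options that hold static credentials when given a literal value.
SECRET_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Mapfile directive: CONFIG "KEY" "VALUE". Keywords are case-insensitive, and a
# leading '#' (commented-out line) still leaves the secret readable on disk.
CONFIG_RE = re.compile(r"""^\s*(#)?\s*CONFIG\s+["']?(\w+)["']?\s+["'](.*?)["']""",
                       re.IGNORECASE)

# Constructed sample mapfile; every key and name in it is made up.
SAMPLE_MAPFILE = """\
MAP
  NAME "demo"
  CONFIG "AWS_ACCESS_KEY_ID" "AKIAEXAMPLEEXAMPLE00"
  CONFIG "AWS_SECRET_ACCESS_KEY" "constructed/not/a/real/secret"
  # CONFIG "AWS_SESSION_TOKEN" "constructed-old-token"
  CONFIG "AWS_REGION" "eu-central-1"
  LAYER
    NAME "ortho"
    DATA "/vsis3/example-bucket/ortho.tif"
  END
END
"""

def audit_mapfile(text):
    """Return (line_no, key, commented_out) for each static AWS credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CONFIG_RE.match(line)
        if m and m.group(2).upper() in SECRET_KEYS and m.group(3):
            findings.append((line_no, m.group(2).upper(), m.group(1) is not None))
    return findings

def audit_env(environ):
    """Return the credential-bearing AWS variables set to a non-empty value."""
    return sorted(k for k in SECRET_KEYS if environ.get(k))

if __name__ == "__main__":
    for line_no, key, commented in audit_mapfile(SAMPLE_MAPFILE):
        state = "commented out, still on disk" if commented else "active"
        print(f"mapfile line {line_no}: {key} ({state})")  # value never printed
    for key in audit_env(os.environ):
        print(f"environment: {key} is set")
```

A clean result from both functions is what the advice above aims for: GDAL then resolves credentials from ~/.aws/config or the EC2 instance profile instead of from copied keys.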