AWS use ak/sk for authentication.
I am building a server-client application using ak/sk mechanism for authentication, AES for encryption, and HMAC for signature.
What's the best practice to generate such an ak/sk pair in my own program, and satisfy ak's unique constraint at the same time? Should I generate UUID as ak, and random string for sk? Are there any relations between ak and sk?
Asked
Active
Viewed 2,160 times
0
expoter
- 1,622
- 17
- 34
-
Have a look at following code [how a signed url is calculated](https://gist.github.com/kn9ts/4b5a9942b6afbfc2534f2f14c87b9b54). As far I understand, do you want to have a similar option for your app? What / why are you trying to achieve? Often using default TLS is good enough. – gusto2 Nov 29 '19 at 23:07
3 Answers
0
Using IAM role is the best and safest way. Else if it is necessary to use to generate keypairs, you can store keys on Amazon Secrets manager with a lifecycle rule so you can rotate your keys more frequently to avoid any disaster.
matesio
- 1,584
- 17
- 31
-
I don't want to rely on aws's IAM, I want to generate ak/sk in my own program. – expoter Nov 29 '19 at 10:56
-
-
0
You should never use hard-code aws AK/SK credential specially at client side, consider using aws-cognito that is best practice. Explanation to your statements :
-->AWS use ak/sk to secure users remote access via aws-cli.
Wrong, this is for authentication not for securing remote access,
-->I am building a server-client application using ak/sk mechanism to encrypt data.
Again ak/sk not for encrypt data,
-->What's the best practice to generate such an ak/sk pair, and satisfy ak's unique constraint at the same time.
Just create an IAM user, give required permission to user, and generate ak/sk.
Jay seen
- 493
- 4
- 14
-
Sorry, I failed to express clearly. I use ak/sk mechanism for authentication, AES for encryption, and HMAC for signature. I have update my post. – expoter Nov 29 '19 at 12:40