Thursday, 10 November 2016

AWS Cognito Temporary Credentials in Cookie

I am writing an Ember app where I want to allow users to upload PDF files, and I am using AWS S3 for file storage. Because I don't want to hard-code my AWS creds, I am using AWS Cognito to create temporary credentials to authenticate users to S3 when they want to upload/download files. I created an Identity Pool on AWS for the users, and have configured the associated IAM roles for authenticated and unauthenticated users (authenticated users get read-only access to one of my S3 buckets). I am using my Rails backend (which uses Devise) as the authentication provider for my identity pool. Here are the steps I take to obtain the temporary credentials:

1) Get an AWS Cognito Identity Id and Token from my backend (using the get_open_id_token_for_developer_identity method from the Ruby AWS SDK on my backend)

2) Create a new CognitoIdentityCredentials object using the Identity Id and Token to obtain temporary credentials, and store the creds in a cookie (using js-cookie).

Code:

        // `response` is the JSON returned by the backend in step 1
        // (identity_id and token from get_open_id_token_for_developer_identity).
        var AWS = window.AWS;
        AWS.config.region = "us-west-2";
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'us-west-2:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
            IdentityId: response.identity_id,
            Logins: {
                'cognito-identity.amazonaws.com': response.token
            }
        });
        // Exchange the token for temporary credentials, then store them in a cookie.
        AWS.config.credentials.get(function(err) {
            if (err) {
                console.error("Could not obtain Cognito credentials", err);
                return;
            }
            var date = new Date(AWS.config.credentials.expireTime);
            Cookies.set("cognito_creds", {
                accessKeyId: AWS.config.credentials.accessKeyId,
                secretAccessKey: AWS.config.credentials.secretAccessKey,
                sessionToken: AWS.config.credentials.sessionToken
            }, { expires: date });
        });

I understand that storing important information such as AWS credentials in a cookie is a big no-no, and is definitely not secure. But keep in mind, I am using HTTPS, the credentials expire after an hour, and the IAM role associated with the credentials only gives read-only access to one of my S3 buckets.

My question is: Is it worth the security risk to store these creds as cookies so that I don't have to get a token from my backend on every page refresh, or does this approach leave me too vulnerable?

Note: I am a noob to web dev, so any constructive (!!) criticism regarding my design is very much appreciated. Thanks!
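
For comparison with the cookie approach in the question, here is an added example (not part of the original post) that keeps the temporary credentials in memory only, so the backend is asked for a token once per page load and again shortly before expiry rather than on every S3 call. `createCredentialCache`, `fetchToken`, `exchange` and the five-minute `skewMs` default are hypothetical names and values chosen for this sketch; `fetchToken` stands for step 1 and `exchange` for step 2.

```javascript
// Added example: hold Cognito temporary credentials in memory, never in a cookie.
// fetchToken and exchange are hypothetical callbacks supplied by the app:
//   fetchToken() -> Promise<{identity_id, token}>            (backend call, step 1)
//   exchange(t)  -> Promise<{accessKeyId, secretAccessKey,
//                            sessionToken, expireTime: Date}> (Cognito call, step 2)
function createCredentialCache({ fetchToken, exchange, now = Date.now, skewMs = 5 * 60 * 1000 }) {
  let creds = null;    // lives only in this closure; gone after a page reload
  let inflight = null; // shared promise so concurrent callers trigger one refresh

  // Treat credentials as stale a little before expireTime so a request
  // signed just now does not expire while it is in flight.
  function isFresh() {
    return creds !== null && creds.expireTime.getTime() - now() > skewMs;
  }

  async function refresh() {
    const token = await fetchToken();
    const c = await exchange(token);
    if (!c || !c.accessKeyId || !c.secretAccessKey || !c.sessionToken ||
        !(c.expireTime instanceof Date)) {
      throw new Error("credential exchange returned an incomplete result");
    }
    creds = Object.freeze({ ...c });
    return creds;
  }

  return {
    // Returns usable credentials, refreshing at most once per expiry window.
    get() {
      if (isFresh()) return Promise.resolve(creds);
      if (!inflight) {
        // Clear the marker on success and failure so a failed refresh can be retried.
        inflight = refresh().finally(() => { inflight = null; });
      }
      return inflight;
    },
    // Call on logout so the keys do not outlive the user's session in this tab.
    clear() { creds = null; },
    // Keeps the keys out of accidental JSON.stringify output and log lines.
    toJSON() { return { hasCredentials: creds !== null }; },
  };
}
```

The trade-off is one backend round trip per page load; in exchange the keys are never written to cookie storage and are never attached to outgoing HTTP requests.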



