I'm playing around with using Amazon Web Services in my personal project. I've grabbed their AWS SDK for .NET and I'm using that, but I'm a little confused.

  1. Access to the web service (in this case, SimpleDB, though I don't think that's really material to the question) is authorized via a private/public key pair.

  2. The AWS SDK for .NET API used to create a client object requires the private key:

    AWSClientFactory.CreateAmazonSimpleDBClient(publicKey, privateKey);
    
  3. This is a client application, so the code would be running entirely on the client.

  4. Suggesting that the client would need to have access to my private key to have access to the SimpleDB. But Amazon repeatedly and emphatically states that my private key must not leave my control.

This doesn't make sense to me, so I figure I must be missing something.

Is a client-side application the wrong model for Amazon Web Services in general, for using their AWS SDK for .NET, or am I missing something that makes a client application perfectly reasonable? Is there a good way to work around this without creating a proxy service of my own that would authenticate clients and forward their requests to the SimpleDB?

+5  A: 

It sounds like you need a proxy web service that handles authentication between your proxy and your users. Each user would authenticate using some credential you issue only to them. If the proxy decides a client is authorized, it can make the call to Amazon's service using your private key.

erickson
If this really is the solution, I guess I'll be glad it's a personal project and not something that I need wide distribution on. And this way I'll have some idea about what I need to do if I want to open it up at a later date.
Greg D
Hopefully one day Amazon will provide a method to issue temporary access keys to SimpleDB so you only need to use the proxy for the initial connect.
TFD
+2  A: 

You don't need to implement a proxy that fronts the remote (AWS) service. Just implement a simple, small, authenticated service which returns to the client the URL and headers to use when contacting AWS. Your authenticated webservice keeps the AWS secret, and only provides the signed request URL and headers to the client, which then goes and makes the actual work call using that returned information.

This way, you avoid the overhead during the AWS call of having to go through your own servers, saving latency, bandwidth, tied up sockets on your server, failure handling complexity, etc. You just take a lightweight hit up front for the client to get the proper instructions.

JSW
I appreciate the answer. I work primarily in a desktop world, so the possibility of authenticating and providing the signed URL and headers never even entered my mind.
Greg D
If you go this route, can one still use the .NET API?
Mo Flanagan
The answer to my own question is "No" - you have to modify the code to remote the AWSSDKUtils.HMACSign call.
Mo Flanagan
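
As an added example (not code from the thread or from the AWS SDK), this is one way the signing service described in the second answer could build a signed request URL on the server, so that the client only ever receives the URL. It assumes the AWS Signature Version 2 query format; the key id, secret, host, API version, domain and item names are constructed sample values, and `SignGet` and the action allow-list are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SigningService
{
    // Hypothetical policy: sign read-only actions only, so the service is not a
    // general signing oracle for whoever holds a valid client session.
    static readonly HashSet<string> AllowedActions = new HashSet<string> { "GetAttributes", "Select" };

    // Percent-encoding of everything except RFC 3986 unreserved characters (.NET 4.5+ behaviour).
    static string Enc(string s) => Uri.EscapeDataString(s);

    public static string SignGet(string accessKeyId, byte[] secretKey, string host,
                                 IDictionary<string, string> request, DateTime nowUtc)
    {
        if (!request.TryGetValue("Action", out var action) || !AllowedActions.Contains(action))
            throw new UnauthorizedAccessException("Action not permitted for clients");
        // Ordinal sort gives the byte-order canonical query string. The entries set
        // here overwrite anything the client sent under the same names.
        var p = new SortedDictionary<string, string>(request, StringComparer.Ordinal)
        {
            ["AWSAccessKeyId"] = accessKeyId,
            ["SignatureVersion"] = "2",
            ["SignatureMethod"] = "HmacSHA256",
            // Short lifetime: a leaked URL stops working after five minutes.
            ["Expires"] = nowUtc.AddMinutes(5).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture),
        };
        string query = string.Join("&", p.Select(kv => Enc(kv.Key) + "=" + Enc(kv.Value)));
        string toSign = "GET\n" + host.ToLowerInvariant() + "\n/\n" + query;
        using (var hmac = new HMACSHA256(secretKey))
            return "https://" + host + "/?" + query + "&Signature="
                + Enc(Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(toSign))));
    }

    static void Main()
    {
        // Constructed sample values; a real secret is loaded from server-side configuration.
        byte[] secret = Encoding.UTF8.GetBytes("EXAMPLE-SECRET-NOT-REAL");
        var ask = new Dictionary<string, string> { ["Action"] = "GetAttributes",
            ["DomainName"] = "notes", ["ItemName"] = "item-1", ["Version"] = "2009-04-15" };
        Console.WriteLine(SignGet("EXAMPLE-KEY-ID", secret, "sdb.amazonaws.com", ask, DateTime.UtcNow));
        ask["Action"] = "DeleteDomain";   // not on the allow-list: the service refuses to sign
        try { SignGet("EXAMPLE-KEY-ID", secret, "sdb.amazonaws.com", ask, DateTime.UtcNow); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```

The per-user authentication the answers call for happens before `SignGet` is reached; a real service would also check the requested domain and item against what that user is allowed to read.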