oauth-lambda
Use API gateway rather than AWS credentials
---- On Wed, 13 Jul 2016 10:46:38 +0200 Tomi Niittumäki [email protected] wrote ----
Hey,
I just found some possibly sensitive information in one of your repositories. Naturally I didn't test the credentials but they do look very similar to AWS private credentials, which should never be shared publicly.
Here's a link to the repo: https://github.com/jasny/oauth-lambda/blob/master/github-demo/index.html#L90
Just wanted to give a heads up in case they are still valid.
Br, -Tomi-
Hi Tomi,
The credentials are there intentionally. The user only has the following policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1433779310000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:eu-west-1:593122680274:function:OAuthLambda-GitHubDemo"
            ]
        }
    ]
}
That said, it is no longer necessary as I can just use the API gateway to give public access to that function.
I've added an issue to take it out.
- Arnold
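
An added example, not part of the original thread or the oauth-lambda project: a small check that an IAM policy document grants nothing beyond `lambda:InvokeFunction` on fully specified ARNs, which is the property the reply above relies on. The function names and the `BROAD_POLICY` sample are constructed for illustration.

```python
import json

# The policy quoted in the reply above, embedded so the check runs offline.
QUOTED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "Stmt1433779310000", "Effect": "Allow",
   "Action": ["lambda:InvokeFunction"],
   "Resource": ["arn:aws:lambda:eu-west-1:593122680274:function:OAuthLambda-GitHubDemo"]}]}
""")

# Constructed counter-example (not from the page): a much broader grant.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}}

ALLOWED_ACTIONS = {"lambda:invokefunction"}  # IAM action names are case-insensitive


def as_list(value):
    """Action, Resource and Statement may each be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy, allowed_actions=ALLOWED_ACTIONS):
    """Return findings; an empty list means every Allow statement is limited
    to the allowed actions on resource ARNs without wildcards."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        for key in ("NotAction", "NotResource"):
            if key in stmt:  # "everything except ..." grants are never narrow
                findings.append(f"statement {i}: uses {key}")
        for action in as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource")):
            if "*" in resource or "?" in resource:
                findings.append(f"statement {i}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("quoted", QUOTED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(policy) or "only lambda:InvokeFunction on fixed ARNs")
```

The check covers a single policy document; any other policies attached to the same user or its groups have to be audited the same way before the result says anything about the credentials as a whole.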