
Find alternative to storing the cognito client secret as a String parameter #76

Closed
lealceldeiro opened this issue Nov 20, 2021 · 2 comments
Labels: application-feedback (Bugs or anything else to improve the sample Todo application), documentation (Improvements or additions to documentation)

Comments

@lealceldeiro

What's going wrong and not working?

Currently when the Cognito stack is deployed, the client secret is stored as a string parameter:

StringParameter.Builder.create(this, "userPoolClientSecret")

This might be a security issue!

I'm aware it's not so straightforward (probably not an option at all) to store a given secret (a value itself) as a Secret using AWS SSM, and there has been some discussion about it (see aws/aws-cdk#5810) but I feel there must be at least a workaround to this current approach, which seems insecure to me.

Expected outcome

A possible solution I can think of right now (I haven't tested it though) is to not store the secret value at all, and have this method (the one to retrieve the secret value) called by whatever code needs it at the very same moment the secret value is needed.

@lealceldeiro lealceldeiro added the labels application-feedback (Bugs or anything else to improve the sample Todo application) and triage (Waiting on feedback from the maintainers) on Nov 20, 2021
@BjoernKW BjoernKW added the label documentation (Improvements or additions to documentation) and removed the label triage (Waiting on feedback from the maintainers) on Nov 20, 2021
@BjoernKW
Contributor

Thanks for bringing this up. The rationale behind the decision to use a plaintext string in this example is explained in the section "A Note on Secure Parameters" in the chapter on "Building User Registration and Login with Amazon Cognito".

That section also lists a few options and alternatives for securely storing and retrieving parameters by using the AWS Secrets Manager. See the chapter on "Connecting to a Database with Amazon RDS" for an example of how to use the AWS Secrets Manager.

@lealceldeiro
Author

Thanks @BjoernKW -- I'll dig a bit deeper into how to go with the Spring Cloud AWS Secrets Manager Integration.
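The following is an added example, not code from the sample Todo application or from the thread's participants. It shows, in CDK v2 Java, the pattern the issue objects to (the Cognito client secret resolved into a plaintext SSM String parameter) next to the Secrets Manager alternative the maintainer points to. It assumes a CDK v2 release in which `UserPoolClient` exposes the generated secret as a `SecretValue` via `getUserPoolClientSecret()` (this attribute did not exist when the issue was filed, which is why the sample project used its own retrieval method); the construct ids, parameter names and secret name are made up for the example.

```java
// Added example (not the project's own code): a CDK v2 Java stack that creates a
// Cognito user pool client with a generated secret and stores that secret in
// Secrets Manager instead of a plaintext SSM String parameter.
// "TodoUserPool", "/todo/cognito/..." and the construct ids are assumptions.
package example;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.cognito.UserPool;
import software.amazon.awscdk.services.cognito.UserPoolClient;
import software.amazon.awscdk.services.secretsmanager.Secret;
import software.amazon.awscdk.services.ssm.StringParameter;
import software.constructs.Construct;

public class CognitoSecretStack extends Stack {

  public CognitoSecretStack(Construct scope, String id, StackProps props) {
    super(scope, id, props);

    UserPool userPool = UserPool.Builder.create(this, "TodoUserPool")
        .userPoolName("todo-user-pool")
        .build();

    // Cognito generates the client secret for this app client.
    UserPoolClient client = UserPoolClient.Builder.create(this, "TodoUserPoolClient")
        .userPool(userPool)
        .generateSecret(true)
        .build();

    // The client id is not sensitive, so a plain String parameter is appropriate.
    StringParameter.Builder.create(this, "userPoolClientId")
        .parameterName("/todo/cognito/clientId")
        .stringValue(client.getUserPoolClientId())
        .build();

    // The "before" form discussed in the issue: unwrapping the SecretValue and
    // writing it as a String parameter stores the secret in plaintext, readable
    // by any principal with ssm:GetParameter on that path and retained in the
    // parameter's version history. Kept only as a comment for comparison.
    //
    // StringParameter.Builder.create(this, "userPoolClientSecret")
    //     .parameterName("/todo/cognito/clientSecret")
    //     .stringValue(client.getUserPoolClientSecret().unsafeUnwrap())
    //     .build();

    // Secrets Manager alternative: the SecretValue token is passed through
    // unresolved, so the synthesized template carries a reference (Fn::GetAtt)
    // rather than the literal, and the stored secret is encrypted at rest and
    // gated by secretsmanager:GetSecretValue (plus kms:Decrypt for a CMK).
    Secret.Builder.create(this, "userPoolClientSecret")
        .secretName("/todo/cognito/clientSecret")
        .secretStringValue(client.getUserPoolClientSecret())
        .build();
  }
}
```

On the consuming side, the Spring Cloud AWS Secrets Manager integration mentioned in the last comment can load such a secret at startup through `spring.config.import=aws-secretsmanager:/todo/cognito/clientSecret` (path assumed to match the example above), so the application reads the value from Secrets Manager at the moment it needs it and nothing is copied into an SSM parameter.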
