On Thu, Dec 22, 2022 at 8:42 AM Marcin Niemyjski via MapServer-users < [email protected]> wrote:
> is it safer than keeping credentials in mapfile or is it just another way
> of providing them to mapserver?
>
> Please tell me. Is keeping credentials in mapfile optimal and safe way?

I would try to avoid ever using AWS credentials directly as environment variables. Instead, let GDAL use properly configured credentials from ~/.aws/config or when running on an EC2 instance, GDAL can fetch instance profile credentials.

If AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are accidentally leaked, an attacker could get whatever access is allowed through those keys. In cases where those keys allow IAM access, bad things can happen.

Most tooling (the AWS CLI, AWS SDKs, GDAL) should allow for authentication without ever having to copy/paste AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly. See the section starting "Several authentication methods are possible" from https://gdal.org/user/virtual_file_systems.html#vsis3-aws-s3-files

Cheers,
Pete
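An added example, not part of the message above and not MapServer or GDAL code: a small Python check that flags hand-copied AWS keys set through mapfile CONFIG directives or the process environment, the two places the thread discusses. The function names and the sample mapfile (including its key values, bucket and profile name) are constructed for illustration.

```python
import os
import re

# GDAL /vsis3/ options that hold copy/pasted secrets when set by hand.
STATIC_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Mapfile directive of the form: CONFIG "KEY" "VALUE"
CONFIG_RE = re.compile(r'^\s*CONFIG\s+["\']?(\w+)["\']?\s+["\'](.*?)["\']', re.I)

def scan_mapfile(text):
    """Return (line_no, key) for each AWS credential set directly in a mapfile."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip commented-out directives
            continue
        m = CONFIG_RE.match(line)
        if m and m.group(1).upper() in STATIC_KEYS and m.group(2):
            hits.append((n, m.group(1).upper()))
    return hits

def scan_environment(env):
    """Return the credential variable names that are set in an environment mapping."""
    return sorted(k for k in STATIC_KEYS if env.get(k))

# Constructed sample: two embedded keys, one commented-out line, and a
# profile reference (AWS_PROFILE points GDAL at ~/.aws/config instead).
SAMPLE_MAPFILE = '''\
MAP
  NAME "demo"
  CONFIG "AWS_ACCESS_KEY_ID" "AKIAEXAMPLEEXAMPLE00"
  CONFIG "AWS_SECRET_ACCESS_KEY" "constructed-not-a-real-secret"
  # CONFIG "AWS_SESSION_TOKEN" "commented-out"
  CONFIG "AWS_PROFILE" "mapserver-readonly"
  LAYER
    NAME "ortho"
    DATA "/vsis3/example-bucket/ortho.tif"
    TYPE RASTER
  END
END
'''

if __name__ == "__main__":
    for line_no, key in scan_mapfile(SAMPLE_MAPFILE):
        print(f"mapfile line {line_no}: {key} is set directly")
    for key in scan_environment(os.environ):
        print(f"environment: {key} is set directly")
```

The check reports only key names and line numbers, never the values, so its output can go to logs or CI without spreading the secret further.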
