use env vars over hardcoded values

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: python-security/aws-boto-credentials

Language: Python

Severity: Notice

Category: Security

CWE: 798

Description

This rule makes sure that the boto3 library use the environments variables to authenticate instead of using hardcoded credentials. This rule checks for the boto3.client and boto3.Session calls. It addresses the CWE-798 rule - uses of hardcoded credentials in code.

Learn More

Non-Compliant Code Examples

from boto3 import client

cli = client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3 

client = boto3.client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.Session(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token="foobar" # hard coded credential
)

Compliant Code Examples

import boto3

client = boto3.Session(
    's3',
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.client(
    's3',
    aws_session_token=SESSION_TOKEN
)

client = boto3.client(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)