Security best practices for Amplify app in a public repo
This is a question about the security aspects of a public software repo connected to Amplify via the console as part of a CI build/deploy process.
Setup
- Init app, using amplify init
- provision resources (e.g. api, storage, etc.) via amplify-cli
- connect app (e.g. git repo) using the AWS Amplify console
- git push, publishing the app
In brief, in order to get a build to work for something like the above, one needs to edit the .gitignore file to allow for the team-provider-info.json file to be checked in, rather than omitted (default).
Taking a look at this file, there is some information that could be potentially exploited.
```json
{
  "beta": {
    "awscloudformation": {
      "AuthRoleName": "MY_APPNAME_ENV-20190625175625-authRole",
      "UnauthRoleArn": "arn:aws:iam::MY_AWS_ACCOUNT_NUMBER:role/MY_APPNAME_ENV-20190625175XXX-unauthRole",
      "AuthRoleArn": "arn:aws:iam::MY_AWS_ACCOUNT_NUMBER:role/MY_APPNAME_ENV-20190625175XXX-authRole",
      "Region": "MY_REGION",
      "DeploymentBucketName": "MY_APPNAME_ENV-20190625175XXX-deployment",
      "UnauthRoleName": "MY_APPNAME_ENV-20190625175XXX-unauthRole",
      "StackName": "MY_APPNAME_ENV-20190625175XXX",
      "StackId": "arn:aws:cloudformation:MY_REGION:MY_AWS_ACCOUNT_NUMBER:stack/MYAPPNAME_ENV-20190625875XXX/e2065420-9737-11e9-9074-0299cad2cdb0"
    },
    "categories": {
      "auth": {
        "MYAPPNAME268422e5": {}
      }
    }
  }
}
```
The stuff IN_CAPS above is what I see as potentially sensitive information in the wrong hands.
While I know that this particular app is locked down using Cognito authorization (I don’t allow users to sign themselves up) and the IAM roles are only being used for this app and are pretty much locked down, I’m curious as to best practices for publishing this type of information in a public repo.
This only came up recently, as a potential colleague of mine asked me to share a repo, and it made me scratch my head.
I do realize that I’m being a bit paranoid, but can you ever be too paranoid with regards to security these days?
Any advice on this would be appreciated.
Another note on this long-closed thread is that once you start working with Cognito federatedSignIn, your third-party secrets are put right into team-provider-info.json.
So, unless you're working in a private repo, best exclude this file.
FYI: I’ve salted the below values with dummy chars.
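A check a maintainer can run before pushing, modelled on the file quoted in the question and on the later note about federated sign-in secrets. This is an added example, not part of the issue or of Amplify's own tooling; the secret-looking key names it matches and all sample values are assumptions.

```python
"""Pre-push check for Amplify's team-provider-info.json (added example, not Amplify's own tool).
Flags what the issue calls out: AWS account IDs inside ARNs, the deployment bucket name, and
keys whose names suggest a third-party credential (heuristic; exact Amplify key names assumed)."""
import json
import re
import sys

# The account ID is the 5th colon-separated ARN field; the region field may be empty (IAM).
ACCOUNT_ID_RE = re.compile(r"arn:aws:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")
SECRET_KEY_RE = re.compile(r"secret|apikey|token|password", re.I)

def find_exposures(node, path=()):
    """Walk the parsed JSON and return (dotted_path, reason) for each risky value."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_exposures(value, path + (key,)))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_exposures(value, path + (str(i),)))
    elif isinstance(node, str) and node and path:
        dotted = ".".join(path)
        match = ACCOUNT_ID_RE.search(node)
        if match:
            findings.append((dotted, f"ARN reveals AWS account id {match.group(1)}"))
        if path[-1] == "DeploymentBucketName":
            findings.append((dotted, "names the deployment S3 bucket"))
        if SECRET_KEY_RE.search(path[-1]):
            findings.append((dotted, "key name suggests a stored credential"))
    return findings

def scan(text):
    """Parse team-provider-info.json content and return its findings."""
    return find_exposures(json.loads(text))

# Constructed sample modelled on the file quoted in the issue; every value is fake.
SAMPLE = json.dumps({"beta": {
    "awscloudformation": {
        "AuthRoleArn": "arn:aws:iam::123456789012:role/myapp-beta-authRole",
        "Region": "us-east-1",
        "DeploymentBucketName": "myapp-beta-deployment",
        "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/myapp-beta/abc"},
    "categories": {"auth": {"myapp268422e5": {"oauthClientSecret": "EXAMPLE_SECRET"}}}}})

if __name__ == "__main__":
    # Usage: python check_tpi.py [team-provider-info.json]; a non-zero exit can block a push.
    hits = scan(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    for dotted, reason in hits:
        print(f"{dotted}: {reason}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit or pre-push hook, the non-zero exit stops the file reaching the remote; the question's own IN_CAPS placeholders would not trigger the account-ID rule, since that rule needs a real 12-digit field.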