
I have a Rails application that uses the AWS JavaScript SDK; I have to set up the secrets in my JavaScript before making a request:

AWS.config.update({ accessKeyId: '<%= ENV["AWS_ACCESS_KEY_ID"] %>', secretAccessKey: '<%= ENV["AWS_SECRET_ACCESS_KEY"] %>' });

The problem is that anyone can check these secret values using the Chrome console, so how do I hide these keys while still using them on my client side?

I was thinking of fetching them with AJAX, but isn't the returned data from that AJAX call also viewable on the client, or not?

Thanks

You can't, it's impossible. Commented Sep 29, 2016 at 19:00

2 Answers


Nope, it's not possible to protect your secret key on the client-side. If your code needs the key and can read it, any user can read it too by executing the same logic in the browser console, for example.

It is not clear what functionality you use from the AWS SDK, but if it's file uploads, you don't need the secret key on the client. You need it to sign the request, but that doesn't need to happen client-side. It's like this:

  1. user selects a file
  2. client JS requests S3 signature from your server, using access key and file info (name, type, etc.)
  3. server uses secret key to generate S3 signature and returns it to the client
  4. client JS attaches signature to S3 request and posts the file to AWS S3
  5. ...
  6. PROFIT!
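Step 3 of this flow, as an added Ruby example that is not part of the answer: the server derives a Signature V4 signing key from the secret and signs an S3 browser-upload POST policy with plain OpenSSL HMACs (the standard SigV4 scheme, done by hand here instead of through the aws-sdk gem), returning only the fields the client needs to post the file. The access key, secret, bucket name and object key are constructed placeholders; the secret never appears in what is handed to the browser.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# SigV4 signing-key derivation: HMAC chain over date, region, service.
# Runs on the server only; the secret is the input and never leaves it.
def signing_key(secret, date_stamp, region, service = 's3')
  k_date    = OpenSSL::HMAC.digest('sha256', "AWS4#{secret}", date_stamp)
  k_region  = OpenSSL::HMAC.digest('sha256', k_date, region)
  k_service = OpenSSL::HMAC.digest('sha256', k_region, service)
  OpenSSL::HMAC.digest('sha256', k_service, 'aws4_request')
end

# Build the form fields the browser posts to S3 for one upload.
# The policy pins bucket, key, content type, size range and expiry, so
# the client can only do the one upload the server agreed to sign.
def presigned_post_fields(access_key, secret, bucket:, region:, key:, content_type:,
                          now: Time.now.utc, expires_in: 300, max_bytes: 10 * 1024 * 1024)
  date_stamp = now.strftime('%Y%m%d')
  amz_date   = now.strftime('%Y%m%dT%H%M%SZ')
  credential = "#{access_key}/#{date_stamp}/#{region}/s3/aws4_request"
  policy = {
    'expiration' => (now + expires_in).iso8601,
    'conditions' => [
      { 'bucket' => bucket },
      { 'key' => key },
      { 'Content-Type' => content_type },
      { 'x-amz-credential' => credential },
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-date' => amz_date },
      ['content-length-range', 0, max_bytes]
    ]
  }
  policy_b64 = Base64.strict_encode64(JSON.generate(policy))
  # The POST signature is the hex HMAC of the base64 policy under the derived key.
  signature = OpenSSL::HMAC.hexdigest('sha256', signing_key(secret, date_stamp, region), policy_b64)
  {
    'key' => key, 'Content-Type' => content_type,
    'x-amz-credential' => credential, 'x-amz-algorithm' => 'AWS4-HMAC-SHA256',
    'x-amz-date' => amz_date, 'policy' => policy_b64, 'x-amz-signature' => signature
  }
end

# Constructed placeholder credentials; a Rails controller would read the real
# ones from ENV and render this hash as JSON to the requesting client.
if __FILE__ == $0
  puts JSON.pretty_generate(presigned_post_fields('AKIAEXAMPLE', 'SECRETEXAMPLE',
    bucket: 'example-bucket', region: 'us-east-1', key: 'uploads/a.png', content_type: 'image/png'))
end
```

The browser then submits these fields plus the file to the bucket URL; S3 recomputes the HMAC with its copy of the secret and rejects anything outside the signed conditions.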



There is no way you could have JS values on the client side that could be hidden away from clients; the only way is to encrypt data on the server side only, so that any secret data shown on the client side would be encrypted and not understandable. If you want to encrypt your traffic, consider using the HTTPS protocol. Hope this helps.

Comments

HTTPS only protects from eavesdropping, not the curious client.
You can protect your data by encrypting it on the server side using some encryption algorithm of your choice; all the "secret" data on even the most secure sites is handled this way, since encrypted data is totally meaningless for anyone who doesn't have the key.
But the client side must be able to decrypt the key in order to use it? And so can the user.
Once it can be decrypted on the client side there is no escape, the client can access the data. If you want to use, say, some authentication token, you can send the token encrypted, and even though the client can see it, it is totally meaningless to the client, but the server can verify it since it owns the key.
This token logic, which has its uses, is completely irrelevant to the question (which is about the AWS secret key).
