Disable AWS Lambda Environment Variables

試著忘記壹切 submitted on 2020-01-04 09:18:09

Question


I'm currently using AWS Lambda to run code that I don't have control over. As such, I want to make sure that the Lambda environment is sandboxed and does not have access to sensitive data. The default environment variables passed to a Lambda function are outlined here. The ones that I'd be worried about a user getting access to are:

AWS_ACCESS_KEY
AWS_ACCESS_KEY_ID
AWS_SECRET_KEY
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_SECURITY_TOKEN

Is it possible to disable these environment variables? Currently I'm hiding these variables before executing the user's code, but it would be nice if I could flat out disable the environment variables.

Edit in response to comment:

I'm running untrusted code b/c I'm writing a game that teaches programming, and I want to use Lambda to execute the user's code. The permissions I've given to the Lambda function are minimal I think (AWSLambdaVPCAccessExecutionRole). Network access is restricted, however they could retrieve the results of their function as it's part of the game.

Edit two

I posted this question on the AWS forum b/c I don't think this is currently possible. The link is here.


Answer 1:


Unless something has changed recently, the only way to hide those variables is to explicitly remove them from the environment of your lambda function before invoking the user code, which I believe is what you're doing already.

Those variables are used by boto to provide access to AWS features using the AWS SDK, and are what Lambda function users normally want to be in their environment. The role is whatever you configured for the function, so you could create a role that has no permissions (but then you wouldn't get any logging). That is, if you use AWSLambdaBasicExecutionRole, the only permissions provided are logging to CloudWatch, and you can remove even those permissions but you'll get no logging from Lambda. You could use this by default, and enable logging only when necessary for debugging.
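
The approach this answer describes, sketched as an added example (not code from the original post): the handler runs the submission in a child process whose environment omits the six variables listed in the question. The `event["code"]` field and all function names are assumptions made for illustration.

```python
import os
import subprocess
import sys

# Credential variables named in the question.
SENSITIVE_VARS = frozenset({
    "AWS_ACCESS_KEY", "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_KEY", "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN", "AWS_SECURITY_TOKEN",
})


def scrubbed_env(env=None):
    """Return a copy of env (default: os.environ) without the credential variables."""
    source = os.environ if env is None else env
    return {k: v for k, v in source.items() if k not in SENSITIVE_VARS}


def run_user_code(source, timeout=5, env=None):
    """Run untrusted Python source in a child process with a scrubbed environment.

    Returns (exit_code, stdout, stderr); exit_code is None on timeout.
    """
    try:
        proc = subprocess.run(
            # -I: isolated mode, ignores PYTHON* variables and the user site dir
            [sys.executable, "-I", "-c", source],
            env=scrubbed_env(env),   # the child never receives the variables
            capture_output=True,
            text=True,
            timeout=timeout,         # the child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return None, "", "timed out"
    return proc.returncode, proc.stdout, proc.stderr


def handler(event, context):
    """Lambda entry point; event["code"] is a hypothetical field holding the submission."""
    exit_code, stdout, stderr = run_user_code(event["code"])
    return {"exit_code": exit_code, "stdout": stdout, "stderr": stderr}
```

The credentials remain present in the parent process, so the function's role should stay as minimal as the answer suggests.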



Source: https://stackoverflow.com/questions/42727454/disable-aws-lambda-environment-variables
