Hi Bhanu,
I am unsure why AWS KMS would be expensive for your use case. You could easily store each user's OAuth token in an encrypted DynamoDB table with KMS. I wouldn't use AWS Secrets Manager in this case; that would be useful for your own system secrets.
In terms of costs, for KMS you would only pay $1/month for a key and then $0.03 for each 10,000 requests. For DynamoDB, there is a free tier of up to 200M requests per month.
Could you please elaborate a little bit more on your concern?
Reference:
If the answer is helpful, please click "Accept Answer" and upvote it.
Hi Ivan,
What about Secrets Manager in this case? Thanks for the reply. I'd like to clarify a few points:
Cost Concerns with KMS and Secrets Manager:
If we consider 1000 users, each connected to 5 apps, that's 5000 unique OAuth tokens we need to store securely. Using AWS KMS, if each token requires its own key, the cost would indeed be significant. However, I believe there might be a misunderstanding. Typically, we would use a single master key to encrypt all the tokens, not a unique key for each token. This would drastically reduce the KMS costs.
On the other hand, AWS Secrets Manager charges per secret. If we were to store each token as a separate secret, the costs could accumulate quickly, especially with a large user base and multiple apps.
OAuth at the App Level: OAuth is designed to allow third-party applications to access user-specific resources without exposing user credentials. Here's a simplified flow:
- User Authorization: A user decides to integrate a third-party app (e.g., Slack) within our platform. They are redirected to the app's authorization page.
- Granting Permission: The user logs in and grants our platform permission to access specific data or perform actions on their behalf.
- Receiving the Authorization Code: Post permission, the third-party app redirects the user back to our platform with an authorization code.
- Exchanging the Code for Tokens: We exchange this code for an access token (and optionally, a refresh token) via a server-to-server request.
Correct, you only need one KMS key to encrypt all the users' tokens. Secrets Manager is for another use case, like storing database credentials; I wouldn't recommend it in your case.
If my answer helped you, please accept my answer, as it helps me and incentivizes me to keep posting on this platform.
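As an added example (not code from this thread or from AWS), here is the pattern both replies converge on: one KMS key for the whole table, a fresh data key per token, the wrapped data key stored beside the ciphertext in the DynamoDB item, and an encryption context that binds the row's user and app to the key so a ciphertext copied into another user's row does not decrypt. It covers the storage step that follows the code-for-token exchange in the flow Bhanu describes. `FakeKms` mirrors the `generate_data_key` / `decrypt` call and response shape of boto3's KMS client so the script runs offline; in production you would pass `boto3.client("kms")` instead. The key alias, the item layout and the HMAC-based encrypt-then-MAC stand-in for the local data-key cipher are assumptions of this example; use AES-GCM (for instance from the `cryptography` package or the AWS Encryption SDK) for that local step.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Hypothetical alias for the single customer-managed KMS key that wraps every user's token.
KMS_KEY_ID = "alias/oauth-token-key"


class FakeKms:
    """Offline stand-in for boto3.client("kms"). Same keyword arguments and response
    dicts as the real generate_data_key / decrypt calls, so encrypt_token and
    decrypt_token below do not change when a real client is passed in."""

    def __init__(self) -> None:
        self._wrapped: Dict[bytes, tuple] = {}  # CiphertextBlob -> (plaintext key, context)

    def generate_data_key(self, *, KeyId: str, KeySpec: str,
                          EncryptionContext: Dict[str, str]) -> Dict[str, Any]:
        plaintext = secrets.token_bytes(32)  # fresh 256-bit data key for this one token
        blob = secrets.token_bytes(32)       # opaque handle standing in for the wrapped key
        self._wrapped[blob] = (plaintext, dict(EncryptionContext))
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, *, CiphertextBlob: bytes, KeyId: str,
                EncryptionContext: Dict[str, str]) -> Dict[str, Any]:
        plaintext, context = self._wrapped[CiphertextBlob]
        if context != EncryptionContext:  # real KMS raises InvalidCiphertextException here
            raise ValueError("encryption context mismatch")
        return {"Plaintext": plaintext, "KeyId": KeyId}


# --- local data-key cipher: stand-in only, replace with AES-GCM in production ---------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF to produce a keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(data_key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: separate encryption and MAC keys derived from the data key,
    random nonce, tag over aad || nonce || ciphertext."""
    enc_key = hashlib.sha256(b"enc" + data_key).digest()
    mac_key = hashlib.sha256(b"mac" + data_key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(data_key: bytes, sealed: bytes, aad: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + data_key).digest()
    mac_key = hashlib.sha256(b"mac" + data_key).digest()
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        raise ValueError("token ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- envelope encryption of one OAuth token into one DynamoDB item ---------------------

def _context(user_id: str, app: str) -> Dict[str, str]:
    # Binds the wrapped data key to this row; KMS refuses to unwrap it under another context.
    return {"user_id": user_id, "app": app}


def encrypt_token(kms: Any, user_id: str, app: str, token: str) -> Dict[str, str]:
    """Two KMS calls per write (generate_data_key is one); returns the DynamoDB item."""
    ctx = _context(user_id, app)
    dk = kms.generate_data_key(KeyId=KMS_KEY_ID, KeySpec="AES_256", EncryptionContext=ctx)
    sealed = _seal(dk["Plaintext"], token.encode(), f"{user_id}|{app}".encode())
    return {
        "pk": f"USER#{user_id}",            # assumed single-table key layout
        "sk": f"APP#{app}",
        "token_ct": base64.b64encode(sealed).decode(),
        "data_key_ct": base64.b64encode(dk["CiphertextBlob"]).decode(),
        "kms_key_id": dk["KeyId"],          # same value on every row: one key in total
    }


def decrypt_token(kms: Any, item: Dict[str, str]) -> str:
    """One KMS call per read; the row's own keys rebuild the context it was written under."""
    user_id, app = item["pk"][len("USER#"):], item["sk"][len("APP#"):]
    dk = kms.decrypt(CiphertextBlob=base64.b64decode(item["data_key_ct"]),
                     KeyId=item["kms_key_id"], EncryptionContext=_context(user_id, app))
    return _open(dk["Plaintext"], base64.b64decode(item["token_ct"]),
                 f"{user_id}|{app}".encode()).decode()


if __name__ == "__main__":
    kms = FakeKms()  # swap for boto3.client("kms") against a real key
    item = encrypt_token(kms, "u1", "slack", "xoxb-constructed-sample-token")
    print(item["kms_key_id"], decrypt_token(kms, item))
```

The data key plaintext only ever lives in memory during the write or read; the item holds the wrapped copy, so a dump of the table is useless without a `kms:Decrypt` grant on the one key, and that grant is where IAM policy and CloudTrail logging should focus.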