We deployed our flask application to AWS lambda and would like to restrict to access to it to:
- Our development team (some external IP for everyone)
- Wordpress server (static IP)
- Bitbucket (for automatic deploys to lambda)
- Google oAuth2 (callback function to lambda)
The first two are fairly easy to accomplish by whitelisting the respective IP in the AWS Gateway or in flask itself. However, the latter two are a bit more tricky since there's no static IP for the bitbucket pipeline nor when receiving the oauth2 callback from Google.
I've looked at the referer in the Http header to identify Google's callback which works but it can be spoofed easily...
Is there a sophisticated way of locking the app down to the above sources?
Here is the version I've got so far
def whitelist_handler():
whitelist_ips = os.getenv('WHITELIST_IPS')
allow_access = True
if whitelist_ips:
whitelist_ips = whitelist_ips.split(',')
referer = request.headers.get('Referer', '')
whitelist_domains = ['https://accounts.google.com/signin/']
if request.remote_addr not in whitelist_ips and not any([referer.startswith(domain) for domain in whitelist_domains]):
allow_access = False
if not allow_access:
abort(401)
from Restricting access to AWS lambda flask application
No comments:
Post a Comment