I recently had a developer create a web application for me which will essentially allow users to access details from their seller account from my website.
However after reviewing the code (below) I saw this in an amazon-config.php file. Note: I have removed my details in the below.
$store[SellerID] = 'The users store ID';
$store[Marketplace] = 'ATVPDKIKX0DER';
$store[AccessKey] = 'My Access Key';
$store[SecretKey] = 'My Secret Access Key';
$store[AuthToken] = 'The users MWS Auth token';
My concern is that using this code I have my access key and secret access key available in plain text in a config file on a webserver (http://www.example/includes/amazon-config.php). It's my understanding that if someone was to get the information in this file, then they could do almost anything to my Amazon account.
Is this the best way of securely accessing the Amazon MWS API from my web application? Or is there a more secure way that doesn't involve adding my details in plain text?
Any examples of better ways of doing it would be appreciated. I have looked online, and have read things about IAM user keys, but that seems to only reference the AWS API, not MWS (not sure how interrelated they are). I've also read that you should never embed keys directly into the code.
Thanks for any help you can provide.
Just a couple of points to consider .. 1. I agree with either placing them a level up or or using a database table but think the latter is the best since I think you should be using one anyway with a list of approved users SellerIds.
Worst case a new set of keys could be generated by MWS Support
I wouldn't hardcode in the Marketplace ... The US Marketplace can be part of a Unified NA Account and users might need to access CA or MX also.