I'm trying to create a botocore session (that does not use my local AWS credentials on ~/.aws/credentials). In other words, I want to create a "burner AWS account". With that burner credentials/session, I want to setup an STS client and with that client, assume a role in order to access a DynamoDB database. Can someone provide some example code which accomplishes exactly this?
Because if I want my system to go into production environment, I CANNOT store the AWS credentials on Github because AWS will scan for it. I'm trying to implement a workaround such that we don't have to store ~/.aws/credentials file on Github.
The running a task in Amazon ECS, simply assign an IAM Role to the task.
Amazon ECS will then generate temporary credentials for that IAM Role. Any code that uses an AWS SDK (such as boto3 for Python) knows how to access those credentials via the metadata service.
The result is that your code using boto3 will automatically receive credentials that have the permissions associated with the IAM Role assigned to the task.
See: IAM roles for tasks - Amazon Elastic Container Service
Related
We currently have 2 AWS accounts that we use. For most of the stuff we want to use the AWS account that our web app is hosted on in an EC2 instance so this works fine:
services.AddDefaultAWSOptions(this.Configuration.GetAWSOptions());
services.AddAWSService<IAmazonSQS>();
services.AddAWSService<IAmazonSimpleSystemsManagement>();
However, I want to access EC2 instances in another AWS account. I've configured it to work locally using credentials and from following this guide (where it mentions about using multiple services): https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/net-dg-config-netcore.html
services.AddDefaultAWSOptions(this.Configuration.GetAWSOptions());
services.AddAWSService<IAmazonSQS>();
services.AddAWSService<IAmazonSimpleSystemsManagement>();
if (this.WebHostEnvironment.IsDevelopment())
{
// This works fine locally, but I don't want to use credential file in production
var other = this.Configuration.GetAWSOptions("other");
services.AddAWSService<IAmazonEC2>(other);
}
else
{
// How do I register other here without putting a credential file on my ec2 instance?
services.AddAWSService<IAmazonEC2>();
}
I'm not sure how to register IAmazonEC2 to use my other account. I don't want to put a credential file on my instance which is how I get it working locally but it doesn't seem right to me on production servers.
I have configured an IAM role that has access to my other account and given it to my EC2 instance. But how do I translate that IAM role to a profile to use where I am registering IAmazonEC2 above?
Any help appreciated. Thanks
There are really two ways to do it...
Option 1: Use an IAM Role
Let's say that the Amazon EC2 instance is running in Account-A and it now wants to query information about Account-B. You could:
Create an IAM Role in Account-B, with a trust policy that trusts the IAM Role being used by the EC2 instance in Account-A
Your code running on the EC2 instance in Account-A can call AssumeRole() (using the normal credentials from Account-A). This will return a set of temporary credentials.
Use those temporary credentials to make API calls to Account-B
Option 2: Use credentials from Account-B
Alternatively, give your program a set of IAM User credentials from Account-B. These could be stored in AWS Systems Manager Parameter Store - AWS Systems Manager or AWS Secrets Manager, and retrieved by using the normal credentials assigned to the EC2 instance in Account-A.
I'm trying to use AWS cli commands inside the container.
I have given policy within ECS cluster instance but it seems the container comes up with error as it tries to call AWS CLI command inside the container as an entrypoint when it boots and fails.
My IAM role with Instance Profile allows to do KMS get and decrypt which is what I need for the AWS CLI operations
Is there a way to pass credentials like instance profile inside ECS task container?
To pass a role to your caontainer(s) in a task you can use IAM Roles for Tasks:
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances.
I'm looking for an example of how to assume a role from within a running application within ECS.
I have a role setup, and I've added the roleARN to the task definition, using the setup here: https://docs.aws.amazon.com/en_us/AmazonECS/latest/developerguide/task-iam-roles.html
Can I then assume the role from the application logic as usual? Or is there something special required?
I have this setup working, but with a IAM User which has a Secret Key and Access Key used as credentials within my application. Would switching this auth to the assume role be possible with the setup above?
The AWS SDK and CLI will automatically handle using the credentials from the assigned IAM task role.
Note that when you specify an IAM role for a task, the AWS CLI or other SDKs in the containers for that task use the AWS credentials provided by the task role exclusively and they no longer inherit any IAM permissions from the container instance.
I want a run a python boto3 scrip from my local machine using Pycharm. I am having config file setup in my machine that contains different roles based on the accounts. Say for example I want to execute the scrip using dev-power user that is included in the config file. But I am getting the below error:
"botocore.exceptions.NoCredentialsError: Unable to locate credentials"
Could you please let me know the process by which I can do this from local IDE?
You cannot use IAM Role to access AWS services from your development environment. An IAM Role can only be attached to an IAM User or an AWS service and cannot be used for programmatic access.
For programmatic access to different AWS services you will need to create an IAM User which will have access to required services or has a role attached to it with specific policies.
Reference :
AWS IAM Roles
AWS IAM Users
IAM User provides "access-key" and "secrete-key" which can be configured on your machine to access the services from your development environment.
Reference :
AWS Access Credentials
Setting up your AWS credentials
I am trying to configure jboss to use AWS IAM Roles for accessing S3 and SQS. All of the documentation I've seen uses static access and secret keys rather than the dynamic keys that roles allow for.
Is there any documentation on doing this?
Create an EC2 instance assigning that Role. Whatever you run any app in that instance will be able to access the AWS resources.
This way you don't need to write any code for security within the application.
Also in your code you don't need to supply any credentials when you assign the role to the EC2 instance.
In AWS there are two approaches to provide permission using AWS IAM to your code to access AWS resources such as S3 and SQS.
If your code runs in Amazon Compute Services such as EC2, Lambda it is recommended to create a IAM Role with required policies to access S3 & SQS also allowing the Compute Service (EC2, Lambda) to assume that role (Using Trust Relationships). After attaching this role, either to EC2 or Lambda, you can directly use AWS SDK to access S3 and SQS without needing any credentials or access tokens to configure for SDK.
For more information, see Using an IAM Role to Grant Permissions to
Applications Running on Amazon EC2 Instances.
If your code runs on premise or external to the Amazon infrastructure, you need to create a IAM user with required policies and also create access keys (Access Key ID & Secret Key) and initialize SDK to allow access to S3 or SQS as shown below.
var AWS = require('aws-sdk');
AWS.config.credentials = new AWS.Credentials({
accessKeyId: 'akid', secretAccessKey: 'secret'
});