My requirement is to access some AWS APIs from a mobile application(Written in flutter). Currently how I have done it is by creating an IAM user with only the permissions required and using the access credentials of that user I sign my APIs.
What I am looking to do is instead of storing these credentials with in my app. Is there a way to use some sort of sign in mechanism to obtain some credentials and use those for signing my APIs?
Update 1:
To add more context. This is purely a hobby project and mostly for personal use. And for my use case storing credentials with in application is more than enough. Anyway I have intention to publish it as an open source project and I want to add a better way to handle this. Currently am not storing any credential in my code but am adding it as a an ENV during build process.
I think I would be able to handle this if I create my own backend to generate temporary credentials. But if there is some other standard solution out there I would like to utilize that.
Storing credentials in an application is an antipattern, and AWS provides features that prevent the need for you to do so.
Two alternatives off the top of my head.
The most obvious of these is AWS IAM Instance Profiles. These permit you to bind IAM permissions to an EC2. Any application or service on this ec2 is then permitted to perform the actions permitted by the IAM profile bound to the Instance Profile.
If you are running your application in EKS, you can leverage IRSA to bind IAM permissions to a service-account in the EKS cluster.
I assume you're running your service on EC2, and that therefore the InstanceProfile approach is easiest.
Related
I am planning to use DynamoDB for the first time for my project. I initially made connection to DynamoDB from my Java application using the IAM User secret keys. But, then decided to add permissions to the IAM Role of my server, where the application runs.
Am doing it right? What's the best practice for this?
And if IAM Role is the right way to go, how do I handle applications connecting from my AWS Workspace ( my dev environment ), can I add IAM Role for that too?
IAM Role is the correct way to go. You create a role following the least permissions privilege. This means that you assign to the role only the absolutely necessary permissions. In your case the role should only have access to specific DynamoDB Tables and Indexes.
In EC2, lambda functions and in general in AWS environment you assign this role. The service you are using, will assume this role and be able to access DynamoDB. No need to create access keys.
For your local DEV environment (outside of AWS), you should create a user, assign the role you've created and create a Key Id and a Secret. This way your local environment will only have access to the needed resources.
If you also need your personal AWS credentials in a local machine, you can use profiles to manage them.
Handling creds when using the AWS SDK for Java is explained in the AWS Java Developer Guide in these topics:
Get started with the SDK for Java
Using credentials
This guide explains best practices.
We're developing an ASP.NET Core web application that will be running on-premises in a customer environment, and that application needs access to certain resources in our AWS account. Because this crosses an organizational boundary, we're creating an IAM Role in our AWS account and granting the customer access to assume that role from their account.
I believe the way this must work is that the ASP.NET Core application has "permanent" credentials to the customer's AWS account, and then obtains temporary credentials for the IAM Role in our account in order to do work. However, the application needs to do most of its work in an IHostedService/BackgroundService, which is a singleton running for the duration of the application lifetime, so if we use the standard dependency injection, we'll have a single long-lived instance of a given AWS service client. Does anyone know if the AWS SDK has any ability to continually re-obtain temporary credentials for an IAM Role? If not, I assume we'll have to stop obtaining the service clients via DI and keep periodically re-creating them ourselves to refresh the credentials.
I believe the way this must work is that the ASP.NET Core application has "permanent" credentials to the customer's AWS account, and then obtains temporary credentials for the IAM Role in our account in order to do work. However, the application needs to do most of its work in an
From the usage document, SDK's AssumeRole function just make a request to get temporary credential as simple strings. You must input these credential yourself to any object/service client that you want to use that specific credential returned from AssumeRoleRequest
Which mean there is no built-in auto-refresh that suits your needs
You may want to look into awsume and the AutoAwsume plugin for it.
This is something that can be used to auto-refresh temporary IAM role credentials on a machine.
A similar solution was used by developers in a former project of mine as a security best practice to avoid giving out long-lived credentials.
My use case is as follows:
I need to push some data into AWS SQS queue using JAVA SDK and by help of IAM role (not using credential provider implementation).
Is there any way to do that?
Thanks for help in advance.
It's been a while, but this is not currently the case, it is now possible to use assume role with the Java SDK with a user. You can configure credentials in your .aws/credentials file as follows:
[useraccount]
aws_access_key_id=<key>
aws_secret_access_key=<secret>
[somerole]
role_arn=<the ARN of the role you want to assume>
source_profile=useraccount
Then, when you launch, set an environment variable: AWS_PROFILE=somerole
The SDK will use the credentials defined in useraccount to call assumeRole with the role_arn you provided. You'll of course need to be sure that the user with those credentials has the permissions to assume that role.
Note that if you're not including the full Java SDK in your project (i.e. you're including just the libraries for the services you need), you also need to include the aws-java-sdk-sts library in your classpath for this to work.
It is also possible to do all of this programmatically using STSAssumeRoleSessionCredentialsProvider, but this would require you to directly configure all of the services so it might not be as convenient as the profile approach which should just work for all services.
You can use role based authentication only on EC2 Instances, ECS Containers and Lambda functions. It is not possible to use them locally or on on premise servers.
DefaultAWSCredentialsProviderChain will automatically pick the EC2 Instance Role if it can't find the credentials via any of other methods. You can also create a custom AWSCredentialsProviderChain object with only injecting a instance of InstanceProfileCredentialsProvider to it like here
AWSCredentialsProviderChain myCustomChain = new AWSCredentialsProviderChain(new InstanceProfileCredentialsProvider());
For more info: https://docs.aws.amazon.com/java-sdk/latest/developer-guide/java-dg-roles.html
AWS .Net SDK specifies several ways to specify credentials. One of them is SDK store - http://docs.aws.amazon.com/AWSSdkDocsNET/V3/DeveloperGuide/net-dg-config-creds.html#net-dg-config-creds-sdk-store
In that same document two seemingly contradictory things are written:
"SDK Store profiles are specific to a particular user on a particular host. They cannot be copied to other hosts or other users. For this reason, SDK Store profiles cannot be used in production applications."
"The associated credentials are incorporated into the application during the build process."
IF the credentials are incorporated in the program at the build time, then why can't I use the SDK store method in production environment?
That leaves me with either storing credentials in .config files, or credentials files, or using roles.
To clarify, the documentation is stating that if you are only using the SDK store, you can't simply pick up your application and move it to any other machine while expecting it to work as-is. If you are using profile names, your application is referencing the profile name in the local SDK store (or, failing that, the credentials file used by other AWS resources like the AWS CLI).
For example, if you created a profile named dev-Amit on your personal computer and then moved to another machine in production, dev-Amit wouldn't exist there unless you had already configured the SDK store on that machine with the same profile name.
This behavior is contrary to the recommended practice of passing credentials in EC2, using temporary credentials via IAM Roles. Using this method, you can reliably pass credentials to your applications on EC2 instances by simply attaching an IAM role to the instance that has sufficient permissions to do whatever your application needs to do. This method is preferred because you don't have to login to the instance to configure anything; you simply attach the IAM role at creation time.
Further Resources:
AWS Documentation - Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET
AWS Documentation - Order in which credentials are searched for
Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.