I'm running SpringBoot applications that use AWS resources from two different AWS accounts (depending on the project—each application only needs resources from one of the two AWS accounts).
I have two different profiles set up in my AWS config file (a default one and a secondary one). When I use AWS CLI, I just specify --profile=secondary and everything is happily working.
I can't seem to find any way to specify the secondary profile for a SpringBoot Application using AWS Java SDK. What are my options?
This can be achieved using ProfileCredentialsProvider(String profile) where profile is, the question's case, secondary.
Related
How in a work environment with different AWS environments say for example develop, staging and production is it best to store the AWS Access Key and Secret Key other than in the appsettings.json files in .Net Core? I know there is Secret Manager but not sure if that is the best way to store these two values. Looking for someone that may have done this specifically for production and how they handled this within their organization. Thanks for any information.
I believe that your application is running outside of AWS and that it needs to make API calls to AWS services, for example SQS. To make those API calls, your application needs AWS credentials.
Here are approaches for authenticating external applications in a machine-to-machine scenario. In your case, your client seems to need to be able to make arbitrary AWS service requests and that means using AWS signature v4 requests, signed using AWS credentials, which are ideally temporary, rotated credentials from STS rather than persistent credentials (such as IAM user credentials).
Typically, you would configure your application with a base set of IAM credentials that allow the application to assume an IAM role. That role itself, rather than the base credentials, would then give your application the permissions it needs to make SQS API calls etc.
The issue you face is how to securely store the base set of credentials. This is a problem that on-premise applications have had since day one, well before the cloud era, and there are various solutions, depending on the technology you're using.
Typically these credentials would be encrypted, not committed to code repos, and populated on the relevant, locked down application servers in some secure fashion. Some potentially useful resources:
Encrypting sections of a configuration file for an ASP.NET application
Use AWS Secrets Manager to store & read passwords in .Net Core apps
Securely store and retrieve sensitive info in .NET Core apps with Azure Key Vault
AWS Secret Manager securely stores your secrets until you retrieve them at runtime. If your going to be running your ASP.NET Core app in AWS, then AWS Secrets Manager is a great option, as it allows you to finely control the permissions associated with the AWS IAM roles running your apps.
Here are some faqs which were given from the AWS for secrets-manager service and which will clear your doubts also.
Here is the article which you can refer to for implementing secure secrets storage for .net core with AWS Secret Manager
AWS Amplify and the "Applications" feature within AWS Lambda seem to have a few things in common:
Both seem to be a wrapper around several AWS resources
Both walk you through a guided setup to provision a working AWS stack
Both set up some CI/CD pipelines for you so that Git commits trigger a build and deploy
So what are the differences between these two services, and what are some scenarios where you might want to choose one over the other?
AWS Amplify is a toolchain for front-end developers to interact with AWS resources. It provides a cli program to manage resources and (JS/Android/iOS) libraries to integrate them into your front-end applications.
It doesn't 'wrap' resources, but is merely a convenience layer to manage them (it is somewhat similar to AWS SAM); Amplify generates CloudFormation templates, stores those locally, and uses aws-cli to provision them. Note that Amplify can also be used just as a front-end library to integrate resources that are already set up.
AWS Lambda Applications is an actual AWS service, or rather a feature of AWS Lambda. It groups related resources, so they can be managed and deployed as if it was a single resource.
... what are
some scenarios where you might want to choose one over the other?
Amplify is aimed at web- and mobile developers: it allows them to manage backend resources without much backend knowledge.
It is not a matter of 'using one over the other'; they can actually be used in conjunction with each other.
I have a server using intensively AWS SNS. Of course I have multiple environments (dev, QA, production, custom, etc.)
Knowing that SNS let you register only one endpoint per token (so, AFAIK, I can't have two differents Endpoints with the same token, even if created from different PlatformApplication), how could I manage separation between my different environments?
EDIT: all our environment are in the same AWS IAM account.
SNS does allow you to subscribe multiple HTTP/HTTPS endpoints to a single Topic but it sounds like you need an SNS topic per environment so that the dev Topic dispatches requests to a dev HTTP endpoint.
The recommended AWS strategy for multiple environments in 2017 is to use multiple accounts -- one per environment. You can use consolidated billing for all of your accounts.
If you separated them then you would wind up creating an SNS topic for each environment and each would publish requests to the appropriate endpoint for that environment.
The single account solution would be to create one Topic per environment and to update your app config or environment variables to use the ARN appropriate to the environment.
If your platformApplication is android, then you can use the same GCM/FCM server key to create multiple platformApplicationARNs with different names(one per env I'd assume).
If it is iOS, you would have a dev key and a prod key for one application. I doubt you will be able to create multiple platformApplicationARNs with the same key using different names. Try it, if it works you're set!
Next, you should be able to register the same deviceToken with each of these different platformApplicationARNs.(I have tried this, it worked). This behaviour is similar to one mobile device registering to different applications for notifications.
AWS .Net SDK specifies several ways to specify credentials. One of them is SDK store - http://docs.aws.amazon.com/AWSSdkDocsNET/V3/DeveloperGuide/net-dg-config-creds.html#net-dg-config-creds-sdk-store
In that same document two seemingly contradictory things are written:
"SDK Store profiles are specific to a particular user on a particular host. They cannot be copied to other hosts or other users. For this reason, SDK Store profiles cannot be used in production applications."
"The associated credentials are incorporated into the application during the build process."
IF the credentials are incorporated in the program at the build time, then why can't I use the SDK store method in production environment?
That leaves me with either storing credentials in .config files, or credentials files, or using roles.
To clarify, the documentation is stating that if you are only using the SDK store, you can't simply pick up your application and move it to any other machine while expecting it to work as-is. If you are using profile names, your application is referencing the profile name in the local SDK store (or, failing that, the credentials file used by other AWS resources like the AWS CLI).
For example, if you created a profile named dev-Amit on your personal computer and then moved to another machine in production, dev-Amit wouldn't exist there unless you had already configured the SDK store on that machine with the same profile name.
This behavior is contrary to the recommended practice of passing credentials in EC2, using temporary credentials via IAM Roles. Using this method, you can reliably pass credentials to your applications on EC2 instances by simply attaching an IAM role to the instance that has sufficient permissions to do whatever your application needs to do. This method is preferred because you don't have to login to the instance to configure anything; you simply attach the IAM role at creation time.
Further Resources:
AWS Documentation - Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET
AWS Documentation - Order in which credentials are searched for
I have two instances of wso2 api manager running on two different servers.Both of them are referring to same UM_DB . I created a role by logging with admin credentials on one server .After that i checked for the role on other server by logging with admin credentials again.I found that there was role existing on other server but permission that i provided for that role does not exist on another server.Is that a bug with wso2 api manager or I missed something in configuration..?
You want to deploy two APIM instances in a cluster. It is better to refer the APIM clustering guide to setup it properly. There are tow things you need to understand.. when your deploying APIM in cluster
You must point both instance in to same database. There are can be three logical databases i.e UM, Registry and AM database. These three can be an one physical DB. However must pointed to same by the both instance.
You must configure the Hazelcast based clustering using axis2.xml file. This is required because, APIM uses Hazelcast based implementation to distribute the data in the caches. Sometime, In your scenario, i guess you have not configured this. Therefore permission tree has not been distributed between two nodes. Therefore lot of data that is stored in the caches for high performance. therefore please make sure to configure this properly.
I guess this would help you.