How to set aws-sdk credentials using Elastic Beanstalk? - amazon-web-services

I'm running an Express app in Elastic Beanstalk and in one route I'm using the aws-sdk to publish a notification to SNS.
This works when running locally, but in the Elastic Beanstalk environment how would/could I set up the credentials 'myprofile'?
const express = require('express')
const router = express.Router()

router.post('/publish', async (req, res) => {
  var AWS = require('aws-sdk')
  AWS.config.update({region: 'us-east-2'})
  // myprofile exists locally, but how do I deal with this in the elastic beanstalk environment?
  var credentials = new AWS.SharedIniFileCredentials({profile: 'myprofile'})
  AWS.config.credentials = credentials
  //...more stuff
})

module.exports = router

You can use an IAM instance profile to provide permissions to your EC2 instance, so when your application loads the SDK the credentials will be loaded automatically.
Check this link https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html - what you will need is the instance profile. To create an instance profile, go to the IAM console > Roles, then choose EC2 as the service that can assume this role. Then attach the policies that your application needs for its calls (the SNS stuff).
In the Beanstalk settings, under Security, you will be able to set the IAM instance profile that you just created, so the instances in this environment will have the role associated with them.
Your code should then look like:
router.post('/publish', async (req, res) => {
  var AWS = require('aws-sdk')
  AWS.config.update({region: 'us-east-2'})
  //...more stuff
})
Also check if you can require and set the region outside of the controller ;)

Related

Get secrets from AWS Secret manager without passing access key and secret key from config

I am using the AWS Secrets Manager service to retrieve some confidential information like SMTP details or connection strings. However, to get a secret value from AWS Secrets Manager it seems like we need to pass the access key and secret key apart from which secret we want to retrieve. So I am maintaining those values in a config file.
private readonly AwsAppSettings awsAppSettings;
private readonly IAmazonSecretsManager amazonSecretsManagerClient;
private readonly IMapper _mapper;

public AwsSecretManagerService(IOptions<AwsAppSettings> settings, IMapper mapper)
{
    awsAppSettings = settings.Value;
    _mapper = mapper;
    // IAM user access key and secret key are read from appsettings and passed explicitly
    amazonSecretsManagerClient = new AmazonSecretsManagerClient(
        awsAppSettings.Accesskey, awsAppSettings.SecretKey, RegionEndpoint.GetBySystemName(awsAppSettings.Region));
}

public async Task<SecretValueResponse> GetSecretValueAsync(SecretValueRequest secretValueRequest)
{
    return _mapper.Map<SecretValueResponse>(
        await amazonSecretsManagerClient.GetSecretValueAsync(_mapper.Map<GetSecretValueRequest>(secretValueRequest)));
}
So I am thinking I am kind of defeating the whole purpose of using Secrets Manager by maintaining the AWS credentials in the app settings file. I am wondering what the right way to do this is.
It is not good practice to pass or add the AWS credentials of an IAM user (access key and secret access key) in the code.
Instead, don't pass them and update your code as follows:
    amazonSecretsManagerClient = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(awsAppSettings.Region));
Question: Then how would it access the AWS services?
Answer: If you are going to execute your code on your local system, install and configure the AWS CLI instead of passing AWS credentials via the CLI or terminal; it will use those configured AWS credentials to access the AWS services.
Reference for AWS CLI installation: Installing the AWS CLI
Reference for AWS CLI configuration: Configuring the AWS CLI
If you are going to execute your code on an AWS service (e.g., an EC2 instance), attach an IAM role with sufficient permissions to that AWS resource (e.g., the EC2 instance); it will use that IAM role to access the AWS services.

How to get aws credentials in react app hosted inside aws elastic beanstalk

I want to use API Gateway in my client-side app, which was developed in React.js. I have hosted the standalone React.js app inside Elastic Beanstalk. I have used aws-sdk with the STS service to get accessKey, secretKey etc. from STS by using sts.assumeRole. But every time it is giving me
Uncaught (in promise) CredentialsError: Missing credentials in config
For the STS service params I am using the Elastic Beanstalk service role
import AWS from 'aws-sdk'

const sts = new AWS.STS()

async function assumeEbServiceRole() {
  const params = {
    RoleArn: 'arn:aws:iam::********:role/aws-elasticbeanstalk-service-role',
    RoleSessionName: 'AccountCredentials',
    DurationSeconds: 3600,
  };
  const assumeRoleData = await sts.assumeRole(params).promise();
  return assumeRoleData;
}
I am using create-react-app for React.js and I don't want to write any server-side Node.js code. Anyway, aws-sdk works with JavaScript, so it should work alone with React.js. Please help

When S3 bucket policy is set in AWS website, should I do it again in my Javacode that will be running in an Ec2 instance?

I have set an S3 bucket policy in my S3 account via the web browser
https://i.stack.imgur.com/sppyr.png
My issue is, the Java code of my web app, when run on my local laptop, uploads images to S3.
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.Region;

final AmazonS3 s3 = new AmazonS3Client(
    new AWSStaticCredentialsProvider(new BasicAWSCredentials("accessKey*", "secretKey")));
s3.setRegion(Region.US_West.toAWSRegion());
s3.setEndpoint("s3-us-west-1.amazonaws.com");
versionId = s3.putObject(new PutObjectRequest("bucketName", name, convFile)).getVersionId();
But when I deploy my web app to Elastic Beanstalk, it doesn't successfully upload images to the S3 bucket.
So should I programmatically set the S3 bucket policy again in my Java code?
PS: Additional details that may be useful: Why am I able to upload to AWS S3 from my localhost, but not from my AWS Elastic Beanstalk instance?
Your S3 bucket policy is too permissive. You should delete it ASAP.
Instead of explicitly supplying credentials to your Elastic Beanstalk app in code, you should create an IAM role that the Elastic Beanstalk app will assume. That IAM role should have an attached IAM policy that allows appropriate access to your S3 bucket and to the objects in the bucket.
When testing on your laptop, your app does not need to have credentials in the code. Instead, your app should leverage the fact that the AWS SDK will retrieve credentials for you from the environment that the app is running in. You should use the default credential provider chain.

Configure jboss to use Amazon IAM Roles

I am trying to configure JBoss to use AWS IAM roles for accessing S3 and SQS. All of the documentation I've seen uses static access and secret keys rather than the dynamic keys that roles allow for.
Is there any documentation on doing this?
Create an EC2 instance, assigning that role. Whatever app you run in that instance will be able to access the AWS resources.
This way you don't need to write any code for security within the application.
Also, in your code you don't need to supply any credentials when you assign the role to the EC2 instance.
In AWS there are two approaches to providing permission, using AWS IAM, for your code to access AWS resources such as S3 and SQS.
If your code runs in Amazon compute services such as EC2 or Lambda, it is recommended to create an IAM role with the required policies to access S3 & SQS, also allowing the compute service (EC2, Lambda) to assume that role (using trust relationships). After attaching this role, either to EC2 or Lambda, you can directly use the AWS SDK to access S3 and SQS without needing to configure any credentials or access tokens for the SDK.
For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.
If your code runs on premises or external to the Amazon infrastructure, you need to create an IAM user with the required policies, also create access keys (access key ID & secret key), and initialize the SDK to allow access to S3 or SQS as shown below.
var AWS = require('aws-sdk');
AWS.config.credentials = new AWS.Credentials({
  accessKeyId: 'akid', secretAccessKey: 'secret'
});

Getting credentials for AWS V4 Signing when running on a EC2 instance with IAM role

I have the following AWS JavaScript SDK code, to sign requests for AWS Elasticsearch:
var signer = new AWS.Signers.V4(req, 'es');
signer.addAuthorization(creds, new Date());
I need credentials (creds) for the addAuthorization() call. When running locally I do this:
var creds = AWS.config.credentials;
But this does not work on an EC2 instance running with an IAM role.
My question is how to get the credentials object to do the manual signing?
Or, if there is another way to V4 sign with running under IAM, what is it?
Have you tried this?
var creds = new AWS.EnvironmentCredentials('AWS');