I want to send SMS using AWS Simple Notification Service from EC2 containers in AWS. Is it possible to send the SMS without using Secret Key and Access Key.
In IAM any permissions can be added ?
Thanks in advance.
I will try to clarify the previous answer.
It is possible to assign a role to a running EC2 instance with required permissions (e. g. sending a message through SNS)
The client running on the instance doesn't need to provide any explicit AWS credentials (under the hood the SDK implement will acquire and use temporary credentials from the metadata service)
Try assigning required action permission from below list to the IAM role attached to EC2 instance
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_sns.html
Related
I want to send emails via an AWS account using SES in my SpringBoot application. But the issue is that I do not have the permission to generate access keys in that account. Neither can I create IAM users. I can only create and use IAM roles. But everywhere I looked mentions ways that need the access keys to be able to send emails programmatically, which I don't have. Is there any way around this?
To use the Java SES API, you do require an IAM User that has permission to use the SES Service. Then you require the access key and secret key for this IAM User. Without these values, you cannot successfully make an AWS Service call using the AWS SDK for Java.
This is mentioned in the AWS SDK for Java Developer Guide here:
Get started with the AWS SDK for Java 2.x
Update:
As you do not have the access key and secret key, you need to create a new IAM User. When you create a new IAM User, you will be given new access key and secret key values. Write these values down and use those. Also - make sure you IAM User has permission to use Amazon SES. See Create an IAM user.
lets say I have a on-premise application that needs to access various AWS services such as S3, Cloudwatch etc. What is the correct way to handle this authentication? I have read recommendations to create a new iam role and then distribute the AWS keys on the server that the application runs. But wouldn't this be very bad practice in case the keys gets stolen or exposed in some way? It would also be more work to rotate credentials for example. Is it possible to assign roles in some other ways or this is the correct way to do it? Isn't it better to assign roles or that isn't possible when not running the app in AWS?
Creat an IAM user with “Programmatic Access” only, which will provide you with a key and secret pair.
As a general rule, your application can use one set of credentials to get another, more privileged set of credentials. The app must be able to authenticate somehow so it needs some basic form of service account credentials to start with.
One way you can do this is to create an IAM user with minimal privileges. This IAM user is able to assume a specific IAM service role, but nothing else. That service role actually confers permissions to interact with S3, CloudWatch etc. Your application is configured with, or somehow securely retrieves, the credentials associated with the IAM user. Your application then uses these to call STS and assume the IAM service role, getting back short-lived STS credentials (access key, secret key, and session token). You should leverage the additional 'external ID' with the IAM role, as one more security factor.
Your application is also responsible for getting a new set of credentials before the existing set expires. You can do that in a number of ways, for example by using new STS credentials for every single request you make (so they never expire) or simply paying attention to the credentials expiration time and refreshing prior.
Also, read Temporary Credentials for Users in Untrusted Environments.
If your application is running on an Amazon EC2 instance and it is the only application on that instance, then:
Create an IAM Role
Assign the appropriate permissions to the Role
Assign the IAM Role to the EC2 instance
Any software running on the instance will automatically have access to credentials to access AWS. These credentials automatically rotate every 6 hours.
If you are not running on an EC2 instance:
Create an IAM User
Assign the appropriate permissions to the User
Generate credentials for the User (Access Key, Secret Key) and store them in a credentials file on the computer being used by the application
Any software running on the instance will automatically have access to these credentials to access AWS.
This page shows how to send an email using SES. The example works by reading the credentials from ~/.aws/credentials, which are the root (yet "shared"??) credentials.
The documentation advises in various places against using the root credentials.
Acquiring temporary credentials
using roles is mentioned as an option, yet assume_role() is not defined for SES client objects.
How do I send an email through SES with temporary SES-specific credentials?
Update
The context for my question is an application running on an EC2 instance.
There are a few pieces to this.
First you need an IAM policy. You can use one of the built-in policies, such as AmazonSESFullAccess or you can create your own. The holder of a particular policy will be able to access the resources and actions defined in the policy. You can create this policy manually, or work through the AWS console and it will walk you through it. IAM --> Policies --> Create Policy
Secondly, you will need a role. Also, easily done in the console. IAM --> Roles --> Create role. Trusted entity is AWS service. Highlight EC2. In the next screen, select the policy you want to associate with this role. This is the policy you created above. If your EC2 already has a role, then you can add the IAM policy to this role. Assigning an IAM policy to a role, is what they refer to as a trust policy.
Now any code that runs on your EC2 instance will be able to send messages to your SES service. The EC2 assumes the role assigned to it. And the SES policy is defined for that role. This will allow EC2 to get temporary credentials (behind the scenes).
The back story is as follows. Any API call to an AWS service needs to have a key and secret. When you make API calls from your local computer, you may use your personal key and secret (or even root ones). When you need to make API calls from another service, you do not have that key and secret. It would not be secure or practical to store the credentials on an EC2. Or even worse, in an S3 bucket. That is why AWS came up with the Role concept. Roles can request temporary credentials from an internal service called Simple Token Service (STS). A role is attached to an EC2 instance for example. And if the right policy is attached to that role, the EC2 instance can request to get temporary credentials to make an API call to another service. All of this happens behind the scenes.
Two options...
You could create IAM User credentials with the appropriate permissions and put them in the ~./aws/credentials file. Then your application will find them and use them to connect with Amazon SES.
Or, your application could use a set of IAM User credentials to call assume_role() (which is an IAM command). This will return a set of temporary credentials that could be used with Amazon SES. However, if you are going to provide a set of credentials that will be used to call assume_role(), then you may as well just use those credentials directly with Amazon SES.
An IAM User can be used for people OR applications.
I need to create Java REST API(not with SDK) to launch a AWS EC2 instance.
First of all I need to Authenticate with the AWS API server by using Signature and Accesskey. I tried using the AWS documentations but I am facing the below error.
<Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message>
Could someone suggest me the steps to implement authentication with API and launching the instance in AWS. Also share if any existing GitHub code for the above requirement.
You have to use,
http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/ec2/AmazonEC2Client.html
There are ways you can gain access.
Create Access Key and Secret with IAM and pass them to java client.
Or you can create a role for an EC2 instance and assign the role to your Ec2 instance. Any code run from that EC2 instance will have access to the role mentioned.
Either with IAM Access Key or EC2 Instance Role, you need to have EC2 Policy with EC2FullAccess to access the API.
I am exploring amazon IAM Roles. I want to know how can we apply IAM roles to an ec2 instance to access an application.
Any lead is highly appreciated.
Thanks
You can attach a Role to an Instance to provide this instance with specific permissions to use AWS API.
For example : You deploy a Java application on Tomcat and you want your application to use DynamoDB or S3 ... you need an ACCESS KEY and SECRET KEY with proper permission. How would your application get these ? A configuration file ? Burned into the AMI ? Stored in a database ? ... none of these are secure and manageable at large scale.
This is where Role kicks in.
you define a role in IAM and attach a couple of permission to it.
when you create the instance, you attach the role (you can not do that at a later time !)
from the instance, a private web service will give access to temporary ACCESS KEY and SECRET KEY, limited to the permissions specified in the role.
The best part is that AWS SDK are knowing about that and can dynamically and automatically get the keys for you.
Check out the doc for more details : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html