AWS .Net SDK specifies several ways to specify credentials. One of them is SDK store - http://docs.aws.amazon.com/AWSSdkDocsNET/V3/DeveloperGuide/net-dg-config-creds.html#net-dg-config-creds-sdk-store
In that same document two seemingly contradictory things are written:
"SDK Store profiles are specific to a particular user on a particular host. They cannot be copied to other hosts or other users. For this reason, SDK Store profiles cannot be used in production applications."
"The associated credentials are incorporated into the application during the build process."
IF the credentials are incorporated in the program at the build time, then why can't I use the SDK store method in production environment?
That leaves me with either storing credentials in .config files, or credentials files, or using roles.
To clarify, the documentation is stating that if you are only using the SDK store, you can't simply pick up your application and move it to any other machine while expecting it to work as-is. If you are using profile names, your application is referencing the profile name in the local SDK store (or, failing that, the credentials file used by other AWS resources like the AWS CLI).
For example, if you created a profile named dev-Amit on your personal computer and then moved to another machine in production, dev-Amit wouldn't exist there unless you had already configured the SDK store on that machine with the same profile name.
This behavior is contrary to the recommended practice of passing credentials in EC2, using temporary credentials via IAM Roles. Using this method, you can reliably pass credentials to your applications on EC2 instances by simply attaching an IAM role to the instance that has sufficient permissions to do whatever your application needs to do. This method is preferred because you don't have to login to the instance to configure anything; you simply attach the IAM role at creation time.
Further Resources:
AWS Documentation - Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET
AWS Documentation - Order in which credentials are searched for
Related
My requirement is to access some AWS APIs from a mobile application(Written in flutter). Currently how I have done it is by creating an IAM user with only the permissions required and using the access credentials of that user I sign my APIs.
What I am looking to do is instead of storing these credentials with in my app. Is there a way to use some sort of sign in mechanism to obtain some credentials and use those for signing my APIs?
Update 1:
To add more context. This is purely a hobby project and mostly for personal use. And for my use case storing credentials with in application is more than enough. Anyway I have intention to publish it as an open source project and I want to add a better way to handle this. Currently am not storing any credential in my code but am adding it as a an ENV during build process.
I think I would be able to handle this if I create my own backend to generate temporary credentials. But if there is some other standard solution out there I would like to utilize that.
Storing credentials in an application is an antipattern, and AWS provides features that prevent the need for you to do so.
Two alternatives off the top of my head.
The most obvious of these is AWS IAM Instance Profiles. These permit you to bind IAM permissions to an EC2. Any application or service on this ec2 is then permitted to perform the actions permitted by the IAM profile bound to the Instance Profile.
If you are running your application in EKS, you can leverage IRSA to bind IAM permissions to a service-account in the EKS cluster.
I assume you're running your service on EC2, and that therefore the InstanceProfile approach is easiest.
According to many advices, we should not configure IAM USER but using IAM Role instead to avoid someone managed to grab the user confidential in .aws folder.
Lets say I don't have any EC2 instances. Can I still able to perform S3 operation via AWS CLI? Says aws s3 ls
MacBook-Air:~ user$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
You are correct that, when running applications on Amazon EC2 instances or as AWS Lambda functions, an IAM role should be assigned that will provide credentials via the EC2 metadata service.
If you are not running on EC2/Lambda, then the normal practice is to use IAM User credentials that have been created specifically for your application, with least possible privilege assigned.
You should never store the IAM User credentials in an application -- there have been many cases of people accidentally saving such files into GitHub, and bad actors grab the credentials and have access to your account.
You could store the credentials in a configuration file (eg via aws configure) and keep that file outside your codebase. However, there are still risks associated with storing the credentials in a file.
A safer option is to provide the credentials via environment variables, since they can be defined through a login profile and will never be included in the application code.
I don't think you can use service roles on your personal machine.
You can however use multi-factor authentication for AWS CLI
You can use credentials on any machine not just EC2.
Follow the steps as described by the documentation for your OS.
http://docs.aws.amazon.com/cli/latest/userguide/installing.html
I'm currently using AWS S3 credentials inside my application's code in a file ignored by git, but every developer has that file so it can work with images.
I want to hide those credentials from the developers, but still have the ability to use S3 in the development environment.
What are the best practices on that?
Should I replace S3 usage to local files in the development environment?
Give each of your developers IAM accounts with their own API keys, set your application to read the API keys from environment variables rather than from a config file. When the code runs on EC2 instances, use IAM roles so that you don't need to use API keys at all. If you're using AWS SDKs it will use role credentials by default.
My use case is as follows:
I need to push some data into AWS SQS queue using JAVA SDK and by help of IAM role (not using credential provider implementation).
Is there any way to do that?
Thanks for help in advance.
It's been a while, but this is not currently the case, it is now possible to use assume role with the Java SDK with a user. You can configure credentials in your .aws/credentials file as follows:
[useraccount]
aws_access_key_id=<key>
aws_secret_access_key=<secret>
[somerole]
role_arn=<the ARN of the role you want to assume>
source_profile=useraccount
Then, when you launch, set an environment variable: AWS_PROFILE=somerole
The SDK will use the credentials defined in useraccount to call assumeRole with the role_arn you provided. You'll of course need to be sure that the user with those credentials has the permissions to assume that role.
Note that if you're not including the full Java SDK in your project (i.e. you're including just the libraries for the services you need), you also need to include the aws-java-sdk-sts library in your classpath for this to work.
It is also possible to do all of this programmatically using STSAssumeRoleSessionCredentialsProvider, but this would require you to directly configure all of the services so it might not be as convenient as the profile approach which should just work for all services.
You can use role based authentication only on EC2 Instances, ECS Containers and Lambda functions. It is not possible to use them locally or on on premise servers.
DefaultAWSCredentialsProviderChain will automatically pick the EC2 Instance Role if it can't find the credentials via any of other methods. You can also create a custom AWSCredentialsProviderChain object with only injecting a instance of InstanceProfileCredentialsProvider to it like here
AWSCredentialsProviderChain myCustomChain = new AWSCredentialsProviderChain(new InstanceProfileCredentialsProvider());
For more info: https://docs.aws.amazon.com/java-sdk/latest/developer-guide/java-dg-roles.html
I have a bunch of Amazon S3 files that I want to download from within my app. However, I don't want them to be public.
Is there a way to require a key in the URL query in order to download the file? So far, I have not found documentation on this.
What you're looking for is known as "Presigned URLS"
Basically, you use the AWS SDK to generate a temporary URL, which includes some credentials that expire after a duration that you specify, and provide that to your end user.
It depends where your app runs.
If it runs on an ec2 instance, then ec2 instance runs with a certain role specified at creation (see "IAM role" in instance details). You can either configure that role to have full access to S3 or grant that role permissions to particular files in S3.
If your app runs outside of AWS. It's slightly more complicated as you need to configure credentials to be used. Don't know what you use to write your app, so below is a link to configuring go SDK. Others must be very similar. If my memory is correct, I just configured aws cli on my dev machine and that saved credentials in the right place for my app to use. To be fair, you can use this approach on an ec2 instance as well if you want, but I find IAM role approach easier there.
Access Control List (ACL) Overview
Using an IAM Role to Grant Permissions
SDK Configuration It's for go language, but others will be very similar. See Specifying Credentials section.