Monday, April 4, 2022

Getting credentials from AWS

There are various ways to get credentials from AWS.

I have been using the AWS SDK for .NET, and here is the code to get credentials using an IAM role. This code must run on an EC2 instance, because it reads the role credentials from the EC2 Instance Metadata Service.


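    // Namespaces used by the methods below.
    using Amazon;            // RegionEndpoint
    using Amazon.Runtime;    // ImmutableCredentials, AmazonServiceException
    using Amazon.S3;         // AmazonS3Client, AmazonS3Config
    using Amazon.S3.Model;   // GetObjectRequest
    using Amazon.Util;       // EC2InstanceMetadata

    // Downloads an object from the bucket using the instance role's temporary credentials.
    private async Task<Stream> GetS3BucketFileIAM(string filepath)
    {
        var credentials = FetchCredentials();

        var request = new GetObjectRequest
        {
            BucketName = _bucketName,
            Key = filepath
        };

        var config = new AmazonS3Config
        {
            RegionEndpoint = RegionEndpoint.GetBySystemName(_regionName)
        };

        // The session token is required: role credentials are temporary.
        var s3Client = new AmazonS3Client(credentials.AccessKey, credentials.SecretKey, credentials.Token, config);

        var response = await s3Client.GetObjectAsync(request);

        // The caller is responsible for disposing the returned stream.
        return response.ResponseStream;
    }

    // Reads the credentials of the first role listed by the EC2 Instance Metadata Service.
    private ImmutableCredentials FetchCredentials()
    {
        var securityCredentials = EC2InstanceMetadata.IAMSecurityCredentials;
        if (securityCredentials == null)
            throw new AmazonServiceException("Unable to get IAM security credentials from EC2 Instance Metadata Service.");

        // Take the first role name returned by the metadata service.
        string firstRole = null;
        foreach (var role in securityCredentials.Keys)
        {
            firstRole = role;
            break;
        }

        if (string.IsNullOrEmpty(firstRole))
            throw new AmazonServiceException("Unable to get EC2 instance role from EC2 Instance Metadata Service.");

        var metadata = securityCredentials[firstRole];
        if (metadata == null)
            throw new AmazonServiceException("Unable to get credentials for role \"" + firstRole + "\" from EC2 Instance Metadata Service.");

        // Snapshot of the current access key, secret key and session token.
        return new ImmutableCredentials(metadata.AccessKeyId, metadata.SecretAccessKey, metadata.Token);
    }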

Another way is to load the credentials from a profile, if someone has already installed the AWS CLI:

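    // Requires: using Amazon.Runtime; using Amazon.Runtime.CredentialManagement;
    // Returns the credentials of the "default" profile, or null if no such profile exists.
    private static AWSCredentials GetDefaultAwsCredentialsFromProfile()
    {
        var credentialProfileStoreChain = new CredentialProfileStoreChain();
        if (credentialProfileStoreChain.TryGetAWSCredentials("default", out var defaultCredentials))
            return defaultCredentials;

        return null;
    }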
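
The two approaches above can be combined into one resolver that hands the S3 client an `AWSCredentials` object instead of raw key strings, so the temporary role credentials are refreshed by the SDK when they rotate. This is an added example, not code from the original post; the class name `S3FileReader` and its parameters are hypothetical, and it assumes the AWS SDK for .NET v3 packages `AWSSDK.Core` and `AWSSDK.S3`.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.S3;
using Amazon.S3.Model;

// Added example (hypothetical class); not part of the original post.
public sealed class S3FileReader : IDisposable
{
    private readonly AmazonS3Client _s3Client;
    private readonly string _bucketName;

    public S3FileReader(string bucketName, string regionName, string profileName = "default")
    {
        _bucketName = bucketName;
        var config = new AmazonS3Config { RegionEndpoint = RegionEndpoint.GetBySystemName(regionName) };
        // One long-lived client; it asks the credentials object for keys on each request.
        _s3Client = new AmazonS3Client(ResolveCredentials(profileName), config);
    }

    // Profile first (developer machine with the AWS CLI), then the EC2 instance role.
    private static AWSCredentials ResolveCredentials(string profileName)
    {
        var chain = new CredentialProfileStoreChain();
        if (chain.TryGetAWSCredentials(profileName, out var profileCredentials))
            return profileCredentials;

        // Refreshing credentials backed by the instance metadata service;
        // credential retrieval fails if no instance role is available.
        return new InstanceProfileAWSCredentials();
    }

    public async Task<MemoryStream> ReadAsync(string key)
    {
        var request = new GetObjectRequest { BucketName = _bucketName, Key = key };
        using (var response = await _s3Client.GetObjectAsync(request))
        {
            // Copy before the response is disposed so the caller owns a plain buffer.
            var buffer = new MemoryStream();
            await response.ResponseStream.CopyToAsync(buffer);
            buffer.Position = 0;
            return buffer;
        }
    }

    public void Dispose() => _s3Client.Dispose();
}
```

Because no access key, secret key or token is ever copied into a string field, nothing in the application holds a stale or loggable copy of the credentials.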



Helpful threads:

c# - How to set credentials on AWS SDK on NET Core? - Stack Overflow

Credential Loading and the AWS SDK for .NET (Deep Dive) - Steve Gordon - Code with Steve (stevejgordon.co.uk)

 

How to get metadata.

HowTo: Get Amazon EC2 Instance Metadata - Dowd and Associates

Authenticating to AWS with Instance Metadata | by Yevgeniy Brikman | Gruntwork

AWS Access Keys - A Reference - Nick Jones (nojones.net)

Doing AWS STS the right way. - Short Term Security · Archer Imagine

Credential and profile resolution - AWS SDK for .NET (amazon.com)