By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to connect to AWS services using long-term credentials (IAM user) ?

0

I am planning to publish my application in the AWS Marketplace. I have 2 docker images, one is for Lambda function (backend) and another for ECS Fargate instnace (UI). We deployed it in the ECS Fargate instance and attached Load Balancer to it. Also i am a IAM user not the Root user (having MFA Authentication). So i am generating temporary credentials every time. In my code if i pass Access key, Secret access key, Session token, Region name then only I was able to connect to AWS services. But I want to use long-term credentials because if Customers deploy our application in their instance then they cannot generate the temporary credentials every-time. They have to use long term credentials only. How to connect to AWS services using long-term credentials (permanent credential)? How can i pass it in my code?

const s3 = new S3Client({
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
    sessionToken: process.env.AWS_SESSION_TOKEN 
  },
  region: process.env.REGION
});
Topics
ServerlessComputeContainersSecurity, Identity, & ComplianceAWS Marketplace
Tags
AWS LambdaAWS FargateAWS IAM Identity CenterAWS Marketplace
Language
English
Shraddha
asked 7 months ago420 views
2 Answers
0

Using long-term credentials is an anti-pattern and we don't recommend it. There are many drawbacks to long-term credentials - if you have hundreds of customers then you should (by good practice) have hundreds of different credentials that you deploy. That's not going to be easy in the marketplace (because you're going to have a single image to deploy) but you also don't want to have a single set of credentials because if you need to change, revoke or otherwise manage them you'll affect all of your customers.

In this case: EC2 instances always have access to short-term credentials via the Instance Metadata Service (IMDS). And in each customer account the instance can have a role assigned to it.

What you can do is have your code assume a rule in your account. That way what you're hard-coding into your system is an account number and a role name - but no credentials.

In the EC2 role (in the customer account) they can specify that the instance is allowed to assume the role in your account. This gives them control over what their instance is doing.

In your application role (in your account) you can list the accounts and roles that are allowed to assume that role. This gives you control over who has access and what permissions they have.

None of this requires long-term credentials.

More information is in the documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

profile pictureAWS
EXPERT
Brettski-AWS
answered 7 months ago
  • Shraddha
    7 months ago

    I basically have pull access policy to both the services. From my local I am trying to connect to the Lambda function and trying to get the result while doing , i modified the code according to what you told . Also i am not using any credentials and i have full access to Lambda policy but now it's saying i don't have enough permission to do it. But as soon as I pass my credentials such as access key, secret access key and session token, it's working for me. For now it's working for me but what about tomorrow? the credentials will expire right? In that case, how will the user access my code? if it's expires user might have to redploy the cloudformation template? Can you please clarify on this?

  • Brettski-AWS EXPERT
    7 months ago

    Temporary credentials do expire - but the AWS SDKs (when running on EC2 instances) will automatically get new credentials for you (in most cases). Where you are assuming a cross-role account your code will need to deal with that - and get new credentials at (or before) expiry time. That adds a bit of complexity for you but it's worth it in the long run because you don't have the disadvantages I've mentioned of having long-term credentials everywhere.

0

Hi,

As a security best practice in IAM we should have workloads to use temporary credentials with IAM roles to access AWS rather than leveraging long-term credentials. Your workload can have applications, operational tools, and components that require an identity to make requests to AWS services, such as requests to read data. These identities include machines running in your AWS environments, such as Amazon EC2 instances/ECS/Fargate or AWS Lambda functions.

You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access AWS by relying on temporary security credentials with a role session. Additionally, you might have machines outside of AWS that need access to your AWS environments. For machines that run outside of AWS you can use AWS Identity and Access Management Roles Anywhere - https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html.

Please take a look at the following link to get an idea on Task execution IAM role granting access to Fargate to make AWS API calls - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html AND This link which gives an idea on Lambda execution IAM role granting access to various AWS services and resources. https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Cross Account IAM Role references:

https://repost.aws/knowledge-center/lambda-function-assume-iam-role

https://repost.aws/knowledge-center/ecs-iam-role-another-account

AWS
Shekhar S
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content