AWS S3 not loading document from API call using SDK

0

I am using AWS S3 as a block storage device to store my documents. We were using an AccessKey and SecretKey combination from configuration files to connect to S3 and retrieve a document. So far so good. But now our company has redefined its policy to ensure more security. Hence, we will no longer be given the AccessKey and SecretKey. Instead, we are asked to load/access the documents using Assume Role provided by AWS. We have applications accessing these docs from S3 using Java (JDK 21) and .NET (5.0.0). The SDK versions we use for Java are:

    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>sts</artifactId>
        <version>2.25.26</version>
    </dependency>

    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>s3</artifactId>
        <version>2.24.9</version>
        <scope>compile</scope>
    </dependency>

Similarly, for .NET we are using the libraries:

AWSSDK.S3 3.7.402.10 and AWSSDK.SecurityToken 3.7.400.19

I have multiple configurations defined, according to the needs of the environment. I am loading this in the Java code using -Dspring.profiles.active=<value> and in .NET using the environment variable ASPNETCORE_ENVIRONMENT.

How do I make sure that the access is smooth in both the Java and .NET environments? Right now, in .NET I get the error message: 'AccessKey is invalid for this request'.

It would help if you could let me know the correct way to access S3 using AssumeRole in both .NET and Java.

Thanks & Regards, ~Venki

2 Answers
0

Hi,

You will have to have assumed a role before each access to S3 from whichever place you run the code: your laptop, EC2 instance, ECS container, Lambda function, etc.

So, it means that you will have to touch your application code to make sure that you've called STS AssumeRole before each S3 access. And you may have to renew this AssumeRole, as it lasts only for the time given in the role definition.

Here is a full example of what you have to do for an EC2 instance accessing S3 via a role: https://medium.com/@ernestosafo11/accessing-s3-with-aws-iam-roles-872621e31037

You will have to make sure to update your execution roles so that 1/ they get access to S3, or 2/ they get the permission needed to assume the role giving access to S3, in cascade from the execution role.

A useful call to add to your code is STS GetCallerIdentity wherever you handle AccessDenied exceptions: it will help you understand under which incorrect principal you access S3, so that you can fix the credentials.

And yes, the security posture of your company will be improved by using transient roles instead of permanent credentials.

Best,

Didier

AWS EXPERT
answered 20 days ago
reviewed 19 days ago
  • Hi Didier, thank you for the response. But it still doesn't answer my actual question. Any sample code to enable AssumeRole access using the .NET and Java SDK libraries?

    Thanks & Regards, ~Venki
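An added example (not code from the question or from either answer) of the pattern Didier describes, written against the Java SDK v2 `sts` and `s3` artifacts listed in the question: a refreshing `StsAssumeRoleCredentialsProvider` sits behind the `S3Client`, so AssumeRole is renewed automatically, and `GetCallerIdentity` is called on AccessDenied to show which principal S3 actually saw. The role ARN, region, bucket, key and session name are placeholders to be replaced with your own values.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

public final class AssumeRoleS3Reader {
    // Placeholder values: substitute the role ARN and region of your own environment.
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-s3-reader";
    private static final Region REGION = Region.US_EAST_1;
    private final S3Client s3;
    private final StsClient stsAsRole;

    public AssumeRoleS3Reader() {
        // Base identity comes from the default chain (EC2/ECS/Lambda execution role,
        // or a local profile); that identity needs sts:AssumeRole on ROLE_ARN.
        StsClient sts = StsClient.builder().region(REGION)
                .credentialsProvider(DefaultCredentialsProvider.create()).build();
        // The provider performs AssumeRole and renews the temporary credentials
        // before they expire, so no keys are stored in configuration files.
        AwsCredentialsProvider assumed = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder().roleArn(ROLE_ARN)
                        .roleSessionName("document-service").durationSeconds(900).build())
                .asyncCredentialUpdateEnabled(true).build();
        s3 = S3Client.builder().region(REGION).credentialsProvider(assumed).build();
        // Second STS client under the assumed role, used only for diagnostics.
        stsAsRole = StsClient.builder().region(REGION).credentialsProvider(assumed).build();
    }

    public byte[] readDocument(String bucket, String key) {
        try {
            return s3.getObjectAsBytes(
                    GetObjectRequest.builder().bucket(bucket).key(key).build()).asByteArray();
        } catch (S3Exception e) {
            if (e.statusCode() == 403) {
                // Log which principal S3 saw: a wrong role or a missing bucket permission
                // shows up here, while a failed AssumeRole surfaces earlier as an StsException.
                GetCallerIdentityResponse who = stsAsRole.getCallerIdentity();
                System.err.printf("AccessDenied on s3://%s/%s as %s%n", bucket, key, who.arn());
            }
            throw e;
        }
    }
}
```

In .NET the analogous refreshing wrapper is `Amazon.Runtime.AssumeRoleAWSCredentials` (backed by the AWSSDK.SecurityToken package), which is passed to the `AmazonS3Client` constructor in place of static keys.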

0

Where are you running your Java code? Are you doing that on an AWS-provided compute platform, such as an EC2 instance or Lambda function, or are you running it on your laptop or a server hosted on premises or elsewhere outside AWS?

EXPERT
Leo K
answered 18 days ago
