What is the best way to create an S3 client in a .NET app?

0

I'm developing a .NET Core app working with S3. It works OK. I create the S3 client in one of these ways: regional endpoint only; in this case the accKey+secKey+regional endpoint stored in the profile on my computer are used. It works:

import { S3Client } from "@aws-sdk/client-s3";

// bucketRegion, accessKeyId and secretAccessKey are loaded from the profile on my computer
var clients3 = new S3Client({
    region: bucketRegion,
    credentials: { accessKeyId, secretAccessKey },
    endpoint: 'https://my-bucket-name.s3.eu-north-1.amazonaws.com',
    forcePathStyle: true
  });

My question is: I will provide my app to customers. How will they use the app: with my keys, or should they have an AWS profile on every computer?

Maybe I need to use accKey+secKey from the app config, and then the customer can enter their own keys there? How should I provide a Lambda (.NET 6) working with S3: keys? What is the best way? What should I provide to a customer?

Oleg
asked 8 months ago · 399 views
2 Answers
1

Using the AWS access keys in a standalone .NET application (either a desktop one or a web one) is not a good idea. It would be similar to storing the user name and password in plain text in the client environment. The AWS access keys do not expire, so if somebody steals a key, they can use it for malicious purposes indefinitely (or until an administrator notices that something is wrong and disables the key).

If the number of the users of your application is small, or if they all belong to the same company/organization, you can use IAM Identity Center. With this option, you can manage the IAM Identity Center users yourself, or you can integrate them with a third-party identity provider (like Active Directory).

If the number of the users is large, or if you need to allow the users to register themselves, Amazon Cognito may be a better option.

If you need to access S3 inside a Lambda function, then the Lambda function should have an execution role with the corresponding permissions. In the Lambda code, create the S3 client without specifying any credentials explicitly:

using Amazon; using Amazon.S3; // RegionEndpoint lives in Amazon, AmazonS3Client in Amazon.S3
using var client = new AmazonS3Client(RegionEndpoint.GetBySystemName("eu-north-1"));

When the Lambda function is invoked, the AWS Lambda infrastructure will put the temporary credentials in the correct place (most likely in the environment variables), and AmazonS3Client will read them.

answered 8 months ago
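A fuller version of the two key-free patterns this answer describes, as an added example (this is not code from the question, the answer, or the AWS SDK docs): a Lambda function that relies on its execution role, and a helper for the desktop/web case where the customer configures a named profile (for example an IAM Identity Center profile) on their own machine and the app only knows the profile name. Assumptions: the project references AWSSDK.S3 and Amazon.Lambda.Core (plus AWSSDK.SSO and AWSSDK.SSOOIDC when the customer's profile is an SSO profile); the bucket name is read from an environment variable named BUCKET_NAME set in the function configuration; the namespace and class names are made up for the example. Before touching S3 the function inspects the credentials the SDK's default chain resolved and refuses to run on long-term IAM user keys, which is the check the answer's point about non-expiring keys calls for.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.Lambda.Core;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.S3;
using Amazon.S3.Model;

// Added example, not code from the question or the answer.
// Assumed package references: AWSSDK.S3, Amazon.Lambda.Core and, for IAM Identity
// Center (SSO) profiles on a customer's machine, AWSSDK.SSO + AWSSDK.SSOOIDC.
namespace S3WithoutEmbeddedKeys;

public static class S3Clients
{
    // Lambda: no credentials are passed. The default provider chain picks up the
    // temporary execution-role credentials that Lambda injects into the environment
    // (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
    public static IAmazonS3 ForLambda(string regionName) =>
        new AmazonS3Client(RegionEndpoint.GetBySystemName(regionName));

    // Desktop/web app: the customer sets up a named profile on their own machine
    // (for IAM Identity Center: `aws configure sso`). The app reads only the profile
    // name from its config; no access keys ship with the application.
    public static IAmazonS3 ForNamedProfile(string profileName, string regionName)
    {
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(profileName, out AWSCredentials credentials))
            throw new InvalidOperationException(
                $"Profile '{profileName}' not found in the shared AWS config/credentials files.");
        return new AmazonS3Client(credentials, RegionEndpoint.GetBySystemName(regionName));
    }

    // Fails fast if the process is about to run on a long-term IAM user key.
    // Temporary STS credentials carry a session token and their access key ID
    // starts with "ASIA"; long-term IAM user access keys start with "AKIA".
    public static void RequireTemporaryCredentials(AWSCredentials resolved)
    {
        ImmutableCredentials creds = resolved.GetCredentials();
        if (!creds.UseToken || !creds.AccessKey.StartsWith("ASIA", StringComparison.Ordinal))
            throw new InvalidOperationException(
                "Long-term access keys detected; expected temporary role or Identity Center credentials.");
    }
}

public class Function
{
    private static readonly IAmazonS3 S3 = S3Clients.ForLambda("eu-north-1");

    // A Stream input needs no JSON serializer package, which keeps the example self-contained.
    public async Task Handler(Stream input, ILambdaContext context)
    {
        // Inspect what the default chain resolved before using it.
        S3Clients.RequireTemporaryCredentials(FallbackCredentialsFactory.GetCredentials());

        // Bucket name comes from the function configuration (assumed variable name), never from code.
        var bucket = Environment.GetEnvironmentVariable("BUCKET_NAME")
                     ?? throw new InvalidOperationException("BUCKET_NAME is not set");

        var response = await S3.ListObjectsV2Async(new ListObjectsV2Request
        {
            BucketName = bucket,
            MaxKeys = 10,
        });

        foreach (S3Object obj in response.S3Objects)
            context.Logger.LogLine($"{obj.Key} ({obj.Size} bytes)");
    }
}
```

The execution role attached to the function is what needs s3:ListBucket on the bucket; the code never sees a key pair it could leak. The same RequireTemporaryCredentials guard works for the desktop case, because credentials obtained through an IAM Identity Center profile are also short-lived STS credentials with a session token.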
0

A couple of references that might help with your scenario.

The answer above is absolutely correct. Using long-term credentials is definitely not a best practice because it increases your risk of unauthorized access. From the dev guide, check out the Configure SDK authentication topic (which is mainly about using IAM Identity Center).

In your scenario, would a service role help? (I'm not as familiar with them as I want to be, so I'm not sure.) See Service roles in the dev guide for a high-level look at them.

Finally, you can find some additional resources in the dev guide. See the Additional resources topic, the last sub-section, called "Other resources".

AWS
answered 8 months ago
