Dealing with Amazon Web Service Access Keys
Amazon Web Services (AWS) access keys are required to make API calls to the range of AWS services. These keys can be troublesome, as the tendency is to hard-code the values in your software (which many internet examples do) or to use configuration files which hold them in plain text.
In many ways this is bad. The secret key, once displayed to you (as the user), is never shown again, hence its importance cannot be overstated.
However, there is a way around this problem, and it is associated with AWS Identity and Access Management (IAM) roles and AWS EC2 instances.
In the diagram above an application hosted on an EC2 instance requires access to S3 objects. If you use the AWS Java SDK you can create an S3 client object which has a constructor that receives the access and secret keys.
AWSCredentials creds = new BasicAWSCredentials(accessKey, secretKey); // long-term keys held in plain text
AmazonS3Client s3Client = new AmazonS3Client(creds);
The constructor for this client receives an AWSCredentials object which is built from the access key and secret key.
However, an S3 client constructor does exist which takes no parameters. This is the one you use in the application shown in the diagram above.
Because the IAM "Get S3" role has been associated with the EC2 instance, you do not need to pass the access and secret keys to the S3 client object.
The application is given access to the S3 objects because the EC2 instance it is executing on has those privileges.
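The following is an added example, not code from the post, contrasting the hard-coded-key client with one that relies on the instance role through the AWS Java SDK v1 default credential provider chain (which, on an EC2 instance with a role attached, fetches short-lived credentials from the instance metadata service). It uses AmazonS3ClientBuilder rather than the deprecated constructor, and the bucket name, object key and placeholder key strings are made up; the class and method names are mine.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.S3Object;
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class S3RoleExample {
    // Anti-pattern from the text: long-term keys embedded in the source (placeholder values).
    // Anyone who can read the jar, the repository or a log line now holds the account's keys.
    static AmazonS3 clientWithHardCodedKeys() {
        AWSCredentials creds = new BasicAWSCredentials("AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER");
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(creds))
                .build();
    }
    // Preferred: no keys in code. With an IAM role attached to the EC2 instance, the default
    // provider chain obtains temporary credentials from the instance metadata service and
    // refreshes them before expiry; the role's policy decides which S3 actions are permitted.
    static AmazonS3 clientWithInstanceRole() {
        return AmazonS3ClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
    }
    // Deployment sanity check: role-derived credentials are session credentials (they carry
    // a session token), whereas long-term IAM user keys are not.
    static boolean usingTemporaryCredentials() {
        AWSCredentials creds = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
        return creds instanceof AWSSessionCredentials;
    }
    static String readObject(AmazonS3 s3, String bucket, String key) throws Exception {
        S3Object obj = s3.getObject(bucket, key); // succeeds only if the role grants s3:GetObject here
        try (BufferedReader r = new BufferedReader(new InputStreamReader(obj.getObjectContent()))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
            return sb.toString();
        }
    }
    public static void main(String[] args) throws Exception {
        if (!usingTemporaryCredentials()) {
            System.err.println("warning: not running under an IAM role; long-term keys are in use");
        }
        System.out.print(readObject(clientWithInstanceRole(), "my-app-bucket", "config/app.properties"));
    }
}
```

Run on an EC2 instance with the role attached, the warning stays silent and the object is read without any key material in the code or configuration; run elsewhere, the check reports that long-term keys (or none) are in use.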