I'm trying to use the aws-sdk-go in my application. It's running on an EC2 instance. Now, in Configuring Credentials in the doc, https://docs.aws.amazon.com/sdk-for-go/api/, it says it will look in:
* Environment Credentials - Set of environment variables that are useful when sub processes are created for specific roles.
* Shared Credentials file (~/.aws/credentials) - This file stores your credentials based on a profile name and is useful for local development.
* EC2 Instance Role Credentials - Use EC2 Instance Role to assign credentials to application running on an EC2 instance. This removes the need to manage credential files in production.
Wouldn't the best order be the reverse order? But my main question is: do I need to ask the instance if it has a role and then use that to set up the credentials if it has a role? This is where I'm not sure what I need to do and how.
I did try a simple test of creating an empty config with essentially only the region set and running it on the instance with the role, and it seems to have "worked", but in this case I am not sure if I need to explicitly set the role or not.
    awsSDK.Config{
        Region:     awsSDK.String(a.region),
        MaxRetries: awsSDK.Int(maxRetries),
        HTTPClient: http.DefaultClient,
    }
I just want to confirm whether this is the proper way of doing it or not. My thinking is I need to do something like the following:

    role = use sdk call to get role on machine
    set awsSDK.Config { Credentials: credentials form of role,
        ...
    }
    issue service command with returned client.
Any more docs/pointers would be great!
I have never used the go SDK, but the AWS SDKs I used automatically use the EC2 instance role if credentials are not found from any other source.
Here's an AWS blog post explaining the approach AWS SDKs follow when fetching credentials: https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/. In particular, see this:
If you use code like this, the SDKs look for the credentials in this order:
- In environment variables. (Not the .NET SDK, as noted earlier.)
- In the central credentials file (~/.aws/credentials or %USERPROFILE%\.aws\credentials).
- In an existing default, SDK-specific configuration file, if one exists. This would be the case if you had been using the SDK before these changes were made.
- For the .NET SDK, in the SDK Store, if it exists.
- If the code is running on an EC2 instance, via an IAM role for Amazon EC2. In that case, the code gets temporary security credentials from the instance metadata service; the credentials have the permissions derived from the role that is associated with the instance.
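The resolution order quoted above, as an added stand-alone Go example that is not the SDK's own code: using only the standard library, it mirrors two links of the chain (environment first, then the instance role fetched from the metadata service), so the same binary picks up the role on an instance without any role-specific configuration, while keys in the environment override it. The shared credentials file step is omitted, and `base` is assumed to be the metadata endpoint (the link-local address on a real instance, a test server here).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Creds holds what the SDK's credentials.Value carries; Provider records which link of the chain won.
type Creds struct{ AccessKeyID, SecretAccessKey, SessionToken, Provider string }
// ResolveCreds follows the SDK's order: process environment first, then (shared credentials file
// skipped here) the EC2 instance role, via the same two metadata requests the SDK's role provider makes.
func ResolveCreds(base string) (Creds, error) {
	if id, sec := os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY"); id != "" && sec != "" {
		return Creds{id, sec, os.Getenv("AWS_SESSION_TOKEN"), "EnvProvider"}, nil
	}
	path := base + "/latest/meta-data/iam/security-credentials/"
	role, err := get(path) // first request: the name of the role attached to the instance
	if err != nil || role == "" {
		return Creds{}, errors.New("no keys in environment and no instance role attached")
	}
	body, err := get(path + strings.TrimSpace(role)) // second request: that role's temporary keys
	if err != nil {
		return Creds{}, err
	}
	var r struct{ AccessKeyId, SecretAccessKey, Token string } // fields as IMDS names them
	if err := json.Unmarshal([]byte(body), &r); err != nil {
		return Creds{}, err
	}
	return Creds{r.AccessKeyId, r.SecretAccessKey, r.Token, "EC2RoleProvider"}, nil
}
// get issues one metadata request; a non-200 reply (404 when no role is attached) is an error.
func get(url string) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = errors.New(resp.Status)
	}
	return string(b), err
}
// On a real instance the metadata service answers at this link-local address.
func main() { fmt.Println(ResolveCreds("http://169.254.169.254")) }
```

The Provider field is the check worth keeping around: the real SDK exposes the same information through `credentials.Value.ProviderName`, which tells you at runtime whether the instance role or something set in the environment supplied the keys.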