Tags: python, amazon-web-services, boto3, boto

How to use boto3 without AWS Vault?


I have the following method that is working in Python:

import os
import boto3

def connect_s3_boto3():
    # Select the named profile from ~/.aws/config before boto3 builds its session
    os.environ['AWS_PROFILE'] = "a9e"
    # boto3 resolves the profile (including role_arn/source_profile) on its own
    s3 = boto3.resource('s3')
    return s3

The issue is that it works using ~/.aws/config:

[profile home]
aws_access_key_id=ID
aws_secret_access_key=SECRET
[profile a9e]
region=eu-west-1
role_arn=DAROLE
source_profile=home

So I have a set of doubts. In a production environment where I want to use that method, do I need to set up AWS Vault? Is there no other alternative? For example, using IAM_ROLE as in boto2.


Solution

  • For code running on an Amazon EC2 instance:

    • Create an IAM Role and assign appropriate permissions
    • Associate the role with an Amazon EC2 instance
    • Any code running on the instance that calls an AWS SDK will automatically obtain credentials associated with the role
    • There is no need to put Access Key, Secret Key nor Role in the config/credentials files

    See: IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud

    If you are running code on a non-EC2 computer, then you will need entries in the config/credentials files. This will involve at minimum an Access Key and Secret Key associated with an IAM User. If you then wish to use an IAM Role, the code would need to AssumeRole() using those credentials.
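The two paths described in the answer, written out as an added example (this is not code from the question or the answer): with no role ARN the code relies on boto3's default credential chain, which on an EC2 instance with an attached role means no keys in any config file; with a role ARN it calls STS AssumeRole using whatever base credentials the chain provides and builds a session from the temporary credentials. The role ARN and the STS response below are constructed placeholders, and boto3 is assumed to be installed when `connect_s3` is called.

```python
"""Build a boto3 S3 resource without AWS Vault.

Added example, not from the original post. Assumes boto3 is installed and
that base credentials come from boto3's default chain (instance profile on
EC2; IAM user keys from ~/.aws/credentials or environment variables on any
other host). ROLE_ARN_PLACEHOLDER is not a real role.
"""
import os
from typing import Optional

ROLE_ARN_PLACEHOLDER = "arn:aws:iam::123456789012:role/PLACEHOLDER"

# Constructed sample of what sts.assume_role() returns; not captured from AWS.
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "example-secret-key",
        "SessionToken": "example-session-token",
        "Expiration": "2024-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {"Arn": ROLE_ARN_PLACEHOLDER + "/boto3-example"},
}


def session_kwargs_from_assume_role(response: dict, region: Optional[str] = None) -> dict:
    """Translate an STS AssumeRole response into boto3.Session keyword arguments.

    Temporary credentials live under response["Credentials"]. All three
    values are required: the session token is what marks them as temporary,
    so a response missing it is rejected instead of silently producing a
    session that falls back to long-lived keys.
    """
    creds = response.get("Credentials") or {}
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "SessionToken") if not creds.get(k)]
    if missing:
        raise ValueError(f"AssumeRole response lacks {missing}")
    kwargs = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    if region:
        kwargs["region_name"] = region
    return kwargs


def connect_s3(role_arn: Optional[str] = None, region: Optional[str] = None,
               session_name: str = "boto3-example"):
    """Return an S3 resource.

    role_arn=None: use the default credential chain. On an EC2 instance with
    an IAM role attached this is the instance profile, so nothing needs to be
    written to config/credentials files.

    role_arn set: call STS AssumeRole with the chain's base credentials (for
    example an IAM user's keys on a non-EC2 host) and build a session from
    the temporary credentials it returns.
    """
    import boto3  # imported here so the pure helper above works without boto3

    if role_arn is None:
        return boto3.resource("s3", region_name=region)

    sts = boto3.client("sts", region_name=region)
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=3600,  # one hour; the role's max session duration caps this
    )
    session = boto3.Session(**session_kwargs_from_assume_role(response, region))
    return session.resource("s3")


if __name__ == "__main__":
    # Set ROLE_ARN in the environment to exercise the AssumeRole path;
    # leave it unset to rely on the instance profile or local credentials.
    s3 = connect_s3(role_arn=os.environ.get("ROLE_ARN"), region="eu-west-1")
    print([b.name for b in s3.buckets.all()])
```

Keeping the STS-response-to-session mapping in its own function makes the credential handling testable without network access, and it is the place to insist on the session token so that a malformed response cannot quietly downgrade the process to long-lived keys.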