9

I have a Java application which adds files to S3. This application is running on an EC2 instance.

We are using an IAM role, so we have attached the required IAM role to this EC2 instance.

Everything works perfectly there.

But we would like to test the application locally on my laptop as well. It's hard to upload the application every time to EC2 whenever I need to test it.

How can we switch dynamically without changing the code, so that I can test it on my laptop (with accessKey and secretKey) as well as use the IAM role in EC2?

sag
  • Not an answer to your question. If you are really supposed to make it work on your local machine, then you should have your own user and it should be given access to all resources that your application. – Venkateswara Rao Jan 19 '19 at 15:47

3 Answers

5

The AWS SDK uses a Credentials Provider Chain to locate credentials. The order differs by language, but generally it checks:

  • Environment Variables
  • Local configuration file
  • EC2 instance metadata

Therefore, if you want to run the application locally, you can either provide a credentials file or set credentials in Environment Variables. The code will automatically locate the credentials, just like it does on an EC2 instance.

References:

joliver
John Rotenstein
  • This holds good if we use DefaultCredentialsProviderChain. But we are using InstanceProfileCredentialsProvider to make use of IAM Role. http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html InstanceProfileCredentialsProvider prefers the IAM role – sag Apr 12 '16 at 12:35
  • 3
    Switch to using the provider chain. It will use the instance profile provider automatically. – tedder42 Apr 12 '16 at 14:21
0

You can provide your own order for searching credentials by using: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentialsProviderChain.html

So in your case, the order would be:

  1. InstanceProfileCredentialsProvider or EC2ContainerCredentialsProviderWrapper
  2. AWSStaticCredentialsProvider or EnvironmentVariableCredentialsProvider.

Add all your providers to the provider chain constructor, then pass it to the AWS client.
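
The custom ordering described in this answer, as an added example that is not part of the original post, written against the AWS SDK for Java v1 classes linked above. The class name `S3ClientFactory`, the extra profile-file fallback and the default region are assumptions made for illustration.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

// Hypothetical class name; one code path for both EC2 and a developer laptop.
public class S3ClientFactory {

    // Order from the answer above: instance role first, then local sources.
    static AWSCredentialsProviderChain buildChain() {
        return new AWSCredentialsProviderChain(
                InstanceProfileCredentialsProvider.getInstance(), // EC2: role via instance metadata
                new EnvironmentVariableCredentialsProvider(),     // laptop: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
                new ProfileCredentialsProvider());                // laptop: ~/.aws/credentials (assumed fallback)
    }

    // Describe what was resolved without logging any secret material.
    static String describe(AWSCredentials creds) {
        String id = creds.getAWSAccessKeyId();
        String suffix = id.length() > 4 ? id.substring(id.length() - 4) : "****";
        String kind = (creds instanceof AWSSessionCredentials)
                ? "temporary (session token present)"
                : "long-lived access key";
        return kind + ", key id ending ..." + suffix;
    }

    public static void main(String[] args) {
        AWSCredentialsProviderChain chain = buildChain();
        // The chain tries each provider in order and moves on when one fails.
        // It throws SdkClientException if no provider can supply credentials.
        AWSCredentials creds = chain.getCredentials();
        System.out.println("Resolved credentials: " + describe(creds));

        String region = args.length > 0 ? args[0] : "us-east-1"; // assumed default region
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(chain)
                .withRegion(region)
                .build();
        // Listing buckets needs s3:ListAllMyBuckets on whichever identity was resolved.
        System.out.println("Visible buckets: " + s3.listBuckets().size());
    }
}
```

On EC2 the first provider returns the role's temporary credentials; on a laptop it fails and the chain falls through to the environment variables or the credentials file, so the application code stays identical in both places.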

-1

If you are using Docker-like instances, then it would be easy if you set environment variables to docker run.

docker run --env-file=FILE

OR

docker run -it --rm -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_KEY

Ref: https://hub.docker.com/r/pmcjury/aws-cli/

Venkateswara Rao
  • @sag is asking about the usage of IAM roles, not IAM users. This answer only shows how to pass in environment variables into a docker container. – steviesh Jan 17 '19 at 13:34
  • 2
    @steviejay, sorry, missed that part. For using role-based access, we need to pass AWS_SESSION_TOKEN as well. The value of it continuously changes. But this is a tedious effort and is not encouraged for use outside EC2 (where it is managed by AWS). Ref: https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html#output – Venkateswara Rao Jan 19 '19 at 15:44