My application, hosted on an EC2 instance, needs to maintain a constant connection to SQS, and any loss of connection would lead to data loss. This can be done successfully using an IAM user access key and secret access key. But I want to use IAM roles for the same. IAM roles use temporary credentials and rotate them periodically. I am not sure whether my application would lose its connection to SQS at the moment the temporary credentials expire and are rotated.

Sounds like your application architecture isn't resilient. It's very risky to rely on this kind of architecture. A network error or any EC2 system error would fail your system, leading to data loss. I'd recommend re-architecting your app to withstand failure cases. – Anuruddha Jan 08 '18 at 07:05
2 Answers
The temporary credentials associated with IAM roles have an expiration, but they are refreshed before the expiration occurs. This should not cause an issue unless your application does not properly check for the updated credentials when the expiration time approaches.
But a more fundamental factor in the question is that you may be unfamiliar with the underpinnings of the SQS API.
SQS does not rely on an authenticated "connection," so there is not a single connection that you can "lose." Technically, anyone can "connect" to SQS because the connection itself isn't what's authenticated. SQS authenticates each action independently -- every long poll request, every delete message action, etc., is authenticated by the service at the time it occurs. (If authentication fails, only the individual request fails.)
As long as your code uses appropriately fresh temporary credentials for each request it makes, using IAM roles will not impact your ability to continuously interact with the service.
> any loss in connection would lead to data loss
You need to retry any errors that occur. Errors can happen for any number of reasons, but because SQS is interacted with by your code over HTTPS, each interaction with the service is not reliant on a continuous connection. You can (and should, but only for performance reasons) use HTTP keep-alives, but HTTPS doesn't depend on a single connection being continuously maintained.
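To make the two points of this answer concrete (credentials are refreshed ahead of expiry, and every request, including every retry, is authenticated on its own), here is an added example that is not part of the original answer. It models an SQS-style long-poll loop with a constructed fake clock, a fake credential source standing in for the instance metadata service, and a fake SQS endpoint that rejects any single request signed with expired credentials. The credential lifetime, refresh margin and failure cadence are constructed values; the AWS SDKs implement the refresh and retry for you.

```python
"""Per-request authentication with refreshing temporary credentials (added example)."""
import time
from dataclasses import dataclass

CREDENTIAL_LIFETIME = 120   # seconds; constructed, real instance-role credentials last hours
REFRESH_MARGIN = 60         # refresh this long before expiry (assumed margin)
LONG_POLL_SECONDS = 20      # SQS WaitTimeSeconds maximum


class FakeClock:
    """Controllable clock so the demo can step past credential expiry."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def tick(self, seconds):
        self.now += seconds


@dataclass
class TempCredentials:
    access_key: str
    secret_key: str
    session_token: str
    expires_at: float


class RefreshingCredentialProvider:
    """Caches temporary credentials and re-fetches before they expire (what the SDKs do)."""
    def __init__(self, fetch, clock, margin=REFRESH_MARGIN):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._cached, self.refresh_count = None, 0

    def current(self):
        if self._cached is None or self._clock() >= self._cached.expires_at - self._margin:
            self._cached = self._fetch()
            self.refresh_count += 1
        return self._cached


class StaticCredentialProvider:
    """Fetches once and never refreshes: the failure mode the question worries about."""
    def __init__(self, fetch):
        self._cached, self.refresh_count = fetch(), 1

    def current(self):
        return self._cached


class TransientError(Exception):
    """Stands in for throttling, 5xx or socket errors on a single request."""


class ExpiredTokenError(Exception):
    """Stands in for SQS rejecting one request signed with expired credentials."""


class FakeSqs:
    """Constructed stand-in for SQS: authenticates each call independently."""
    def __init__(self, messages, clock, fail_every=3):
        self._queue, self._clock, self._fail_every = list(messages), clock, fail_every
        self.inflight, self.calls = {}, 0

    def _authenticate(self, creds):
        if self._clock() >= creds.expires_at:
            raise ExpiredTokenError("The security token included in the request is expired")

    def receive_message(self, creds):
        self._authenticate(creds)
        self._clock.tick(LONG_POLL_SECONDS)        # a long poll takes wall-clock time
        self.calls += 1
        if self.calls % self._fail_every == 0:       # every third request fails transiently
            raise TransientError("503 ServiceUnavailable")
        if not self._queue:
            return []
        body = self._queue.pop(0)
        handle = f"rh-{self.calls}"
        self.inflight[handle] = body
        return [{"ReceiptHandle": handle, "Body": body}]

    def delete_message(self, creds, receipt_handle):
        self._authenticate(creds)
        self.inflight.pop(receipt_handle)


def call_with_retry(provider, action, attempts=5, base_delay=0.0):
    """Retry one SQS action on transient failure, re-reading credentials on every attempt."""
    for attempt in range(attempts):
        creds = provider.current()                  # a retry never reuses stale credentials
        try:
            return action(creds)
        except TransientError:
            if attempt == attempts - 1:
                raise
            time.sleep(base_delay * 2 ** attempt)   # exponential backoff


def drain_queue(sqs, provider, max_polls=50):
    """Long-poll until the queue is empty; delete a message only after it was handled."""
    processed = []
    for _ in range(max_polls):
        msgs = call_with_retry(provider, sqs.receive_message)
        if not msgs:
            break
        for m in msgs:
            processed.append(m["Body"])             # real work would happen here
            handle = m["ReceiptHandle"]
            call_with_retry(provider, lambda c: sqs.delete_message(c, handle))
    return processed


def run_demo(refreshing=True):
    """Drain 12 constructed messages over a span that crosses several credential expiries."""
    clock, serial = FakeClock(), [0]

    def fetch():                                    # stand-in for the instance metadata service
        serial[0] += 1
        return TempCredentials(f"ASIAEXAMPLE{serial[0]:03d}", "secret", "token",
                               clock() + CREDENTIAL_LIFETIME)

    provider = RefreshingCredentialProvider(fetch, clock) if refreshing else StaticCredentialProvider(fetch)
    sqs = FakeSqs([f"msg-{i}" for i in range(12)], clock)
    processed = drain_queue(sqs, provider)
    return {"processed": processed, "refreshes": provider.refresh_count,
            "receive_calls": sqs.calls, "inflight": len(sqs.inflight), "elapsed": clock()}


def demo_without_refresh():
    """Same loop with credentials that are never refreshed; returns the error class name."""
    try:
        run_demo(refreshing=False)
        return None
    except ExpiredTokenError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(run_demo())
    print("without refresh:", demo_without_refresh())
```

With the refreshing provider all 12 messages are processed and deleted, the credentials are re-fetched seven times along the way, and no request is ever rejected. With the static provider the loop fails at the first request signed after expiry; note that even then it is one request that fails, not a "connection" that is lost, which is why retry-with-fresh-credentials is the right repair.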
Yes, you can use roles easily. No need for temporary credentials.
You can use ec2 IAM role. You can create a role where you can attach permissions for SQS and the same role can be attached to ec2 where your server application is hosted.
Reference for the same - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Note that using IAM roles, by definition, means you are using temporary credentials. When an EC2 instance role is used, the EC2 infrastructure periodically invokes the [`AssumeRole` action in AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) (STS) which provides a set of temporary credentials that is directly accessible to code running on your instance. These periodically expire, and your code needs to ask again for the updated credentials before that occurs. The SDKs implement this refresh automatically. – Michael - sqlbot Feb 07 '18 at 12:15