
I have multiple ASP.NET Core applications running on a Windows Server 2016 EC2 instance. All of these applications need to assume different IAM roles according to their permissions.

These applications run under the local system account and since the profile file location C:\Users\<user>\.aws\config is not applicable to the system user, it's not clear from the docs how to specify the role profile name per application. Without specifying the role profile, the applications will assume the EC2 instance profile role which is not what I want.

If I were running the application as a local user, the following configuration works:

Credentials file C:\Users\<user>\.aws\credentials

[applicationuser]
aws_access_key_id = xxxxxxxx
aws_secret_access_key = yyyyyyyy

Profile config file C:\Users\<user>\.aws\config

[profile ApplicationA]
role_arn = arn:aws:iam::11111111111:role/ApplicationA
source_profile = applicationuser

[profile ApplicationB]
role_arn = arn:aws:iam::11111111111:role/ApplicationB
source_profile = applicationuser

Any ideas on how this can be achieved when the applications are run under local system account in an EC2 which has an instance profile?

ubi
  • Your application code would need to either specify the profile name in each AWS SDK client object initialization, or explicitly set the `AWSConfigs.AWSProfileName` value before initializing any AWS SDK client objects. This is stated in the documentation you linked. – Mark B Aug 02 '18 at 15:37

1 Answer

The normal way to provide credentials to applications running on an Amazon EC2 instance is to assign an IAM Role to the instance. Temporary credentials associated with the role will then be provided via Instance Metadata. The AWS SDKs will automatically use these credentials.

However, this only works for one set of credentials. If you wish to use more than one set of credentials, you will need to provide the credentials in a credentials file.

The AWS credentials file can contain multiple profiles, e.g.

[default]
aws_access_key_id = AKIAaaaaa
aws_secret_access_key = abcdefg

[user2]
aws_access_key_id = AKIAbbbb
aws_secret_access_key = xyzzzy

As a convenience, this can also be configured via the AWS CLI:

$ aws configure --profile user2
AWS Access Key ID [None]: AKIAbbbb
AWS Secret Access Key [None]: xyzzy
Default region name [None]: us-east-1
Default output format [None]: text

The profile to use can be set via an Environment Variable:

Windows: set AWS_PROFILE=user2
R. Patel
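The following is an added example, not code from the question or the answer, showing how each ASP.NET Core application can pick up its own role while running as Local System, either by assuming the role in code from the instance profile (no credentials file at all) or by reading a profile file from an explicit path so that the `%USERPROFILE%\.aws` location is irrelevant. The role ARNs, the `C:\ProgramData\aws\config` path, the `Aws:*` configuration keys and the IAM trust relationship between the instance role and the application roles are assumptions for the example.

```csharp
using System;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.S3;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace AppRoleExample
{
    // Builds per-application credentials without relying on %USERPROFILE%.
    public static class AppRoleCredentials
    {
        // Option A: no credentials file. The instance profile (read from IMDS by the
        // SDK) is the source identity and the application assumes its own role via STS.
        // Assumed IAM setup: the instance role is allowed sts:AssumeRole on the
        // application role, and the application role's trust policy names the
        // instance role as a principal. No long-lived access keys are stored on disk.
        public static AWSCredentials FromInstanceProfile(string roleArn, string sessionName, string externalId = null)
        {
            var instanceCredentials = new InstanceProfileAWSCredentials();
            var options = new AssumeRoleAWSCredentialsOptions
            {
                DurationSeconds = 3600,   // session lifetime; the SDK refreshes before expiry
                ExternalId = externalId,  // optional; set when the role's trust policy requires it
            };
            return new AssumeRoleAWSCredentials(instanceCredentials, roleArn, sessionName, options);
        }

        // Option B: keep the profile layout from the question, but read it from an
        // explicit path (hypothetical C:\ProgramData\aws\config) instead of the
        // per-user location, and point the role profile at instance metadata rather
        // than at a static-key source profile:
        //
        //   [profile ApplicationA]
        //   role_arn = arn:aws:iam::111111111111:role/ApplicationA
        //   credential_source = Ec2InstanceMetadata
        //
        // credential_source needs an AWSSDK.Core release that understands it; with an
        // older release, use Option A instead.
        public static AWSCredentials FromProfileFile(string profilesLocation, string profileName)
        {
            var chain = new CredentialProfileStoreChain(profilesLocation);
            if (!chain.TryGetAWSCredentials(profileName, out var credentials))
            {
                throw new InvalidOperationException(
                    $"Profile '{profileName}' was not found in '{profilesLocation}'.");
            }
            return credentials;
        }
    }

    // ASP.NET Core wiring: each deployment's appsettings.json (or environment) carries
    // its own role ARN, so the same binary runs as ApplicationA or ApplicationB
    // depending only on configuration. The "Aws:*" key names are hypothetical.
    public class Startup
    {
        private readonly IConfiguration _configuration;

        public Startup(IConfiguration configuration) => _configuration = configuration;

        public void ConfigureServices(IServiceCollection services)
        {
            var roleArn = _configuration["Aws:RoleArn"]
                          ?? throw new InvalidOperationException("Aws:RoleArn is not configured.");
            var sessionName = _configuration["Aws:SessionName"] ?? "ApplicationA";
            var region = RegionEndpoint.GetBySystemName(_configuration["Aws:Region"] ?? "us-east-1");

            AWSCredentials credentials = AppRoleCredentials.FromInstanceProfile(roleArn, sessionName);

            // One credentials object per application process; the SDK caches the STS
            // session behind it and refreshes it as needed.
            services.AddSingleton(credentials);
            services.AddSingleton<IAmazonS3>(_ => new AmazonS3Client(credentials, region));
        }
    }
}
```

Two practical points. `AWSConfigs.AWSProfileName`, as mentioned in the comment on the question, is a process-wide default; it is fine when each application is its own process, but passing an explicit `AWSCredentials` into each client, as above, avoids any dependence on global state or on the environment of the Local System account. Security-wise, both options here keep the instance profile as the only source identity, so nothing readable by Local System holds a long-lived key, and the per-application `sessionName` shows up in CloudTrail, which makes the two roles distinguishable in the audit trail.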