Retrieve IAM Role from Instance Profile for Use With v4 Signer

Question

I'm trying to achieve the same result as the Ruby example code I have using the AWS .NET SDK and am running into trouble querying the instance profile credentials. It seems the .NET SDK hides the credential provider when querying the instance profile. However, I need to get to that so I can use it to sign an STS request and pass that to an API that uses that information for authentication purposes. So far I haven't found a way to query the instance profile and assume the IAM EC2 Role.

Does anyone have a good idea of how this would be done?

Ruby:

request = Aws::Sigv4::Signer.new(
  service: 'sts',
  region: 'us-east-1',
  credentials_provider: Aws::InstanceProfileCredentials.new
).sign_request(
  http_method: 'GET',
  url: 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15'
).headers

What I am trying to avoid is storing any credentials on the instance. However, the signature for the v4 signer method is:

var signer = new Amazon.Runtime.Internal.Auth.AWS4Signer();
signer.SignRequest(IRequest request, IClientConfig clientConfig, RequestMetrics metrics, string awsAccessKeyId, string awsSecretAccessKey);

This code will be running on EC2 instances.

Any help would be appreciated!

Where is this code running? Is it on AWS compute (e.g. EC2, ECS, or Lambda)? — jarmod, Feb 15 '19 at 17:47

score 0 · Accepted Answer · answered Feb 17 '19 at 07:49

0

I was able to use the Amazon.Runtime.InstanceProfileAWSCredentials.GetCredentials() call to get temporary credentials that I could use to query other things as the IAM role.

answered Feb 17 '19 at 07:49

dataplex

1
2

The standard way to provide credentials to apps on EC2 is to launch the EC2 instance with an appropriate IAM role. All SDKs can then be used on that instance without having to explicitly supply credentials. – jarmod Feb 19 '19 at 14:15

Retrieve IAM Role from Instance Profile for Use With v4 Signer

1 Answers1