
I'm trying to create a botocore session (that does not use my local AWS credentials on ~/.aws/credentials). In other words, I want to create a "burner AWS account". With that burner credentials/session, I want to setup an STS client and with that client, assume a role in order to access a DynamoDB database. Can someone provide some example code which accomplishes exactly this?

Because if I want my system to go into production environment, I CANNOT store the AWS credentials on Github because AWS will scan for it. I'm trying to implement a workaround such that we don't have to store ~/.aws/credentials file on Github.

Mark B
  • 183,023
  • 24
  • 297
  • 295
  • Is your code going to run on an Amazon EC2 instance? If so, simply assign an IAM Role to the instance instead of storing credentials. Or is the code going to be deployed on a non-EC2 computer? You should _never_ store a credentials file on github. – John Rotenstein Jul 13 '22 at 02:32
  • The code will most likely be deployed to ECR – karkir subu Jul 13 '22 at 03:20
  • Amazon ECR is a container registry. When deployed, it would normally go to Amazon EMR. The same would apply to EMR -- assign an IAM Role to the container and credentials will be automatically supplied to the virtual machine. No need to use credentials anywhere. – John Rotenstein Jul 13 '22 at 04:01
  • @john-rotenstein, Can you point to code example that would allow me to create a boto session and be able to use the credentials automatically supplied to ECR? I'm trying to setup some "burner AWS account" that can assume a role that has full access to Dynamo DB. How would I go about doing that WITHOUT having to store credentials? – karkir subu Jul 13 '22 at 04:11
  • [IAM roles for tasks - Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) – John Rotenstein Jul 13 '22 at 04:18
  • Thanks for the link. I think I found out that for my use case, when I'm deploying to ECS, I can just configure the ecsTaskExecutionRole to have policy of accessing my dynamo DB cluster, so then when boto searches for the credentials in boto3.resource("dynamodb"), from my understanding, it will search for ecsTaskExecutionRole in deployment state. Am I mistaken on this? – karkir subu Jul 13 '22 at 04:34
  • 1
    You are correct. Credentials are automatically provisioned and boto3 will automatically use them. Magic! – John Rotenstein Jul 13 '22 at 05:19

1 Answer

3

When running a task in Amazon ECS, simply assign an IAM Role to the task.

Amazon ECS will then generate temporary credentials for that IAM Role. Any code that uses an AWS SDK (such as boto3 for Python) knows how to access those credentials via the metadata service.

The result is that your code using boto3 will automatically receive credentials that have the permissions associated with the IAM Role assigned to the task.

See: [IAM roles for tasks - Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
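The pattern the answer describes, written out as an added example (it is not code from the question, the answer, or AWS): a preflight check that reports which link of the SDK's credential chain will be used, so a deployment can fail fast if a `~/.aws/credentials` file has crept into the image, followed by the two ways to reach DynamoDB without any stored key: use the task role directly, or use the task role's temporary credentials to call STS `AssumeRole` for a separate DynamoDB role, as the question asked. The role ARN, region and table name are placeholders, and `credential_source` is a simplified model of botocore's default chain (environment, shared credentials file, container credentials, instance metadata); `boto3` is imported inside the functions that need it so the check itself has no dependencies.

```python
"""Added example: verify credential origin, then use the ECS task role
(directly or via STS AssumeRole) to reach DynamoDB without storing keys."""
import os
from pathlib import Path

# Simplified ordering of botocore's default credential provider chain.
# Real botocore checks more sources (SSO, web identity, config-file profiles),
# but these are the ones that matter for "did a static file sneak in?".
ENV_SOURCE = "environment"
FILE_SOURCE = "shared-credentials-file"
CONTAINER_SOURCE = "container-task-role"
METADATA_SOURCE = "instance-metadata-or-none"


def credential_source(env=None, shared_credentials_exists=None):
    """Return a label for the credential source the SDK would pick first.

    env: mapping to inspect (defaults to os.environ).
    shared_credentials_exists: override for whether ~/.aws/credentials exists,
    so the function can be exercised without touching the real home directory.
    """
    env = os.environ if env is None else env
    if "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env:
        return ENV_SOURCE
    if shared_credentials_exists is None:
        path = env.get("AWS_SHARED_CREDENTIALS_FILE",
                       str(Path.home() / ".aws" / "credentials"))
        shared_credentials_exists = Path(path).exists()
    if shared_credentials_exists:
        return FILE_SOURCE
    # ECS injects one of these into the task's environment when a task role is set.
    if ("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in env
            or "AWS_CONTAINER_CREDENTIALS_FULL_URI" in env):
        return CONTAINER_SOURCE
    return METADATA_SOURCE


def require_role_credentials(env=None, shared_credentials_exists=None):
    """Refuse to start if a static credentials file or key pair would be used.

    Returns the source label on success; raises RuntimeError otherwise.
    """
    source = credential_source(env, shared_credentials_exists)
    if source in (ENV_SOURCE, FILE_SOURCE):
        raise RuntimeError(
            f"static AWS credentials detected ({source}); "
            "this service must run with an ECS task role")
    return source


def dynamodb_with_task_role(region):
    """Option 1: the task role is enough. No keys are passed anywhere."""
    import boto3  # imported lazily so the checks above run without boto3
    return boto3.resource("dynamodb", region_name=region)


def dynamodb_via_assumed_role(role_arn, region, session_name="dynamo-access"):
    """Option 2: assume a dedicated DynamoDB role from the task role.

    The STS call itself is signed with the task role's temporary credentials,
    and the returned credentials are short-lived (900 s is the STS minimum).
    """
    import boto3
    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=900,
    )["Credentials"]
    session = boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )
    return session.resource("dynamodb")


if __name__ == "__main__":
    # Placeholders (assumptions, not from the page): replace for your account.
    ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-dynamodb-access"
    REGION = "us-east-1"
    TABLE = "PLACEHOLDER-table"
    print("credential source:", require_role_credentials())
    table = dynamodb_via_assumed_role(ROLE_ARN, REGION).Table(TABLE)
    print("item count:", table.item_count)
```

The first function is the one worth wiring into a container's startup: inside an ECS task with a task role it returns `container-task-role`, and the `RuntimeError` path is what you want to see in CI if someone builds an image with a credentials file in it. Note that the *task* role (from the linked "IAM roles for tasks" page) is the identity the application code receives; that is the role whose policy needs the DynamoDB permissions.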