AWS GO SDK 承担分配给 EC2 实例的角色

Question

I am running a small go application inside ec2 instance. It access Amazon SQS as a consumer. I have configured keys at ~/.aws/credential file. The EC2 instance has been assigned an IAM role.

1. Can my go application use the IAM role assigned to the EC2 instance?
2. If yes, how that can be done using configurations without a code change?
3. If role is configured, should I still provide keys in somewhere?

Answer 1

If you used github.com/aws/aws-sdk-go-v2/config and config.LoadDefaultConfig() method to retrieve AWS credentials,

1. Yes. Your application will retrieve temporary credentials with IAM Role you assigned.
2. aws-sdk-go-v2 will retrieve credentials from instance metadata. Detailed retrieving process is described AWS official docs here . "How do roles for EC2 instances work" section describes the process as below.

When the application runs, it obtains temporary security credentials from Amazon EC2 instance metadata , as described in Retrieving Security Credentials from Instance Metadata . These are temporary security credentials that represent the role and are valid for a limited period of time.

With some AWS SDKs, the developer can use a provider that manages the temporary security credentials transparently. (The documentation for individual AWS SDKs describes the features supported by that SDK for managing credentials.)

Alternatively, the application can get the temporary credentials directly from the instance metadata of the EC2 instance. Credentials and related values are available from the iam/security-credentials/role-name category (in this case, iam/security-credentials/Get-pics) of the metadata. If the application gets the credentials from the instance metadata, it can cache the credentials.

Also you can refer to here about aws-sdk-go-v2's credential retrieval order.

3. You don't have to provide key. aws-sdk-go-v2 will retrieve it from EC2 instance metadata .