从 EC2 访问 DynamoDB

Question

I have a container running on EC2 which is currently running in a public VPC ( It cannot be changed right now) and, in order for this resource to access DynamoDB, I have created a user, limiting its access to my table in Dynamo and then I created access keys to use in my API calls.

My idea is store these secrets in secret manager and use its SDK from my EC2 to then perform the operations I want to.

However, it just seem like a lot of effort and, creating a specific user just to limit the permissions does not seem right for me.

Am i in the right way? What would be the most interesting approach to access the Dynamo programmatically from my EC2?

I have read somewhere that I could grant role permissions so my EC2 could access my Dynamo. Does that make sense?

Note: I have an ECS working along my EC2

I am new to AWS and used to work a lot with Azure but mostly with serverless applications where I could easily used the Identity Management feature to grant those permissions.

The details were all mentioned above.

Answer 1

I think it would be better to create an instance-profile, define it with the permissions you want for dynamodb, which is pretty much like an iam role and then when you start the instance, use that role. That means, you do not need to store credentials and this is generally the recommended way to access services from an instance over using access keys. Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

Answer 2

I have done some search and found this article, it matches exactly your case (EC2 + Dynamo DB)

https://awstip.com/using-aws-iam-roles-with-ec2-and-dynamodb-7beb09af31b9

And yes for EC2, the correct approach is to create an IAM role and attach to your instance

Also the following command can be used to retrieve the associated credentials (AWS Key + AWS Secret) that are used by that IAM role

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<name-of-iam-role>