
Recommended way to get temporary AWS credentials? AWS.config or STS?

I'm using a third-party SDK that needs temporary AWS credentials to access AWS services. I'm using this SDK as part of an application that is running on EC2. All SDKs in my application need access to the same role, which is attached to the EC2 instance. Below, I have listed two options I have found for getting temporary credentials. Which one of these options is the recommended way for getting temporary credentials for my third-party SDK?

AWS.config

var AWS = require("aws-sdk");
// getCredentials() is asynchronous: read AWS.config.credentials in its callback
AWS.config.getCredentials(function(err) {
    if (err) { console.error(err.stack); return; }
    var creds = AWS.config.credentials;
});

Security Token Service (STS)

var AWS = require("aws-sdk");
var sts = new AWS.STS();
var params = {
    RoleArn: "arn:aws:iam::123456789012:role/demo",
    RoleSessionName: "Bob",
};
sts.assumeRole(params, function(err, data) {
    if (err) { console.error(err.stack); return; } // data is undefined on error
    var creds = data.Credentials; // AccessKeyId, SecretAccessKey, SessionToken, Expiration
});

"Should" in this case is a bit fluid, but when you launch an EC2 instance and assign it an instance profile, (somewhat) temporary credentials are made available as instance metadata. You access instance metadata via a local HTTP server bound on 169.254.169.254.

e.g. curl http://169.254.169.254/latest/meta-data/ami-id

returns the AMI-ID of the running instance. AWS credentials associated with the instance profile assigned to the instance can be accessed in this manner.

Anything running on the instance can access this data, meaning that if you're trying to isolate the third-party SDK from your instance profile, you've already failed.

However, it doesn't sound like that's what you're trying to do. When you execute AWS.config.getCredentials(), it uses the instance metadata (among other things) to look up the credentials. This is advantageous because it allows you to supply the credentials in a variety of manners without changing the code that looks them up.

The STS use case, however, is if you want to temporarily change a given user to a particular role. The user you're requesting from must have the sts:AssumeRole permission and have the same permissions as the target role. This can be used for auditing purposes, etc.
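Both paths in the answer end in the same four values (access key id, secret key, session token, expiration), only under slightly different key names: the instance-metadata document uses `Token`, the STS `AssumeRole` response uses `SessionToken`. The example below is added here and is not code from the question or the answer; the helper names `normalizeCredentials` and `needsRefresh` are hypothetical, and the two inputs are constructed samples with placeholder values in the shape of the IMDS credentials document and of `data.Credentials` from `sts.assumeRole`. It does no network access. The point it shows is that credentials obtained either way are short-lived and must be refreshed before `Expiration`, rather than copied once into the third-party SDK's configuration.

```javascript
// Added example: normalise instance-profile (IMDS) and STS AssumeRole
// credentials into one shape, and decide when they need refreshing.
// Inputs below are constructed samples with placeholder values.

// Refresh this long before Expiration so a request in flight does not fail.
const REFRESH_WINDOW_MS = 5 * 60 * 1000;

// Accepts either the parsed IMDS credentials document or the STS
// `Credentials` object and returns the camel-cased form the JS SDK uses.
function normalizeCredentials(doc) {
  if (doc.Code !== undefined && doc.Code !== "Success") {
    // IMDS reports a failed credential fetch in-band via the Code field.
    throw new Error("instance profile credentials unavailable: " + doc.Code);
  }
  const sessionToken = doc.Token !== undefined ? doc.Token : doc.SessionToken;
  const expiration = new Date(doc.Expiration);
  if (!doc.AccessKeyId || !doc.SecretAccessKey || !sessionToken ||
      isNaN(expiration.getTime())) {
    throw new Error("credential document is missing a required field");
  }
  return {
    accessKeyId: doc.AccessKeyId,
    secretAccessKey: doc.SecretAccessKey,
    sessionToken: sessionToken,
    expiration: expiration,
  };
}

// True when the credentials are expired or expire within the refresh window.
function needsRefresh(creds, now = new Date(), windowMs = REFRESH_WINDOW_MS) {
  return creds.expiration.getTime() - now.getTime() <= windowMs;
}

// Constructed sample: shape of the document served by
// http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
const SAMPLE_IMDS_DOC = JSON.stringify({
  Code: "Success",
  LastUpdated: "2024-01-01T12:00:00Z",
  Type: "AWS-HMAC",
  AccessKeyId: "ASIA-PLACEHOLDER-KEY-ID",
  SecretAccessKey: "placeholder-secret-access-key",
  Token: "placeholder-session-token",
  Expiration: "2024-01-01T18:00:00Z",
});

// Constructed sample: shape of data.Credentials from sts.assumeRole.
const SAMPLE_STS_CREDENTIALS = {
  AccessKeyId: "ASIA-PLACEHOLDER-KEY-ID-2",
  SecretAccessKey: "placeholder-secret-access-key-2",
  SessionToken: "placeholder-session-token-2",
  Expiration: "2024-01-01T13:00:00Z",
};

// Evaluates both samples at a fixed "now" so the result is deterministic.
function demo() {
  const fromImds = normalizeCredentials(JSON.parse(SAMPLE_IMDS_DOC));
  const fromSts = normalizeCredentials(SAMPLE_STS_CREDENTIALS);
  const now = new Date("2024-01-01T12:57:00Z");
  return {
    imdsFresh: !needsRefresh(fromImds, now), // expires 18:00: still usable
    stsFresh: !needsRefresh(fromSts, now),   // expires 13:00: inside the window
  };
}

console.log(demo());
```

In a real application the refresh check runs before each hand-off to the third-party SDK; when `needsRefresh` is true, re-read the metadata document (or call `assumeRole` again) instead of reusing the cached values.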
