Sign up or Log in
Support
Home
Jobs
Forums
Forge
Ideas
Members
Badges

[AdvancedAmazonS3] Use IAM Instance Roles instead of AccessKeys !! Please

Roles
AWS
AmazonEC2
iamroles
ec2
Roles
AWS
AmazonEC2
iamroles
ec2
New Post
Forge Component

(25)
Published on 2018-10-09 by Hanno
25 votes
Published on 2018-10-09 by Hanno

Hi,

Our team has recently install this S3 access plugin. While the plugin works and allow S3 access it does require an AccessKey to be managed. AccessKey can leak and they also age.


Can you guys leverage the IAM Instance Role when running from an EC2 Instance?

Normally, in the API if they key is not there it should revert to default IAM role.. you can simply allow no keys and if no keys you might use the default connection to the api.

Dislike(0)
Like(0)
Dislike(0)
Like(0)

I propose to change the code in the AdvancedAmazonS3.cs to replace the current blocks in every functions to use a global function to initialize the AmazonS3 client.


code as follow;

        /// <summary>

        ///  use this line in your code:            AmazonS3 client = getAmazonS3Client(sstoken, ssuseProxy, ssproxyDetails);

        /// </summary>

        /// <param name="sstoken"></param>

        /// <param name="ssuseProxy"></param>

        /// <param name="ssproxyDetails"></param>

        /// <returns></returns>

        private AmazonS3 getAmazonS3Client(RCAmazonTokenRecord sstoken, bool ssuseProxy, RCProxyDetailsRecord ssproxyDetails)

        {

            AmazonS3 client;


            if (ssuseProxy && IsValidProxyDetails(ssproxyDetails))

            {

                AmazonS3Config config = new AmazonS3Config();

                config.ProxyHost = ssproxyDetails.ssSTProxyDetails.ssServer;

                config.ProxyPort = ssproxyDetails.ssSTProxyDetails.ssPort;

                config.ProxyCredentials = new NetworkCredential(ssproxyDetails.ssSTProxyDetails.ssUsername, ssproxyDetails.ssSTProxyDetails.ssPassword);

                if (sstoken.ssSTAmazonToken != null)

                    client = AWSClientFactory.CreateAmazonS3Client(config);

                else

                    client = AWSClientFactory.CreateAmazonS3Client(sstoken.ssSTAmazonToken.ssAccessKey, sstoken.ssSTAmazonToken.ssSecretKey, config);

            }

            else

            {

                if (sstoken.ssSTAmazonToken != null)

                    client = AWSClientFactory.CreateAmazonS3Client();

                else

                    client = AWSClientFactory.CreateAmazonS3Client(sstoken.ssSTAmazonToken.ssAccessKey, sstoken.ssSTAmazonToken.ssSecretKey);

            }


            return client;

        }



Then replace the block of code in each function with a single line;

AmazonS3 client = getAmazonS3Client(sstoken, ssuseProxy, ssproxyDetails);


Also make the token not mandatory. This should allow to use the IAM Instance Roles instead of AccessToken when running on an EC2 instance.


Dislike(0)
Like(0)
Dislike(0)
Like(0)
Login to reply
Company
Corporate Site
Contacts
Support
Technical Support
Community Forums
 OutSystems© All rights reserved. Custom built with (h) and (o)