Configure Named AWS Profile & Usage in Applications — AWS CLI

Mohamed Nowshath
IVYMobility TechBytes
3 min read · Nov 7, 2019

Access to any AWS service requires credentials to authenticate the request, and those credentials must also have permission for the resources you are about to access.

Prerequisites

Open the cmd prompt after installing the AWS CLI.

It is not advisable to store the Secret key and Access Key in the application’s configuration file, as it can be mishandled. — AWS(Best Practices)

What is an AWS Profile?

A profile is a set consisting of the Access Key and Secret Key of an IAM user together with the region details, which can be used to connect to the resources of AWS services.

Create Default Profile

We can use the aws configure command to configure or create the default profile on the system:

$ aws configure 
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: text

If we have multiple applications on the server, each using different AWS services (S3, SQS, etc.), then we can't give a single user access to all of those resources (granting permission in this manner is not advised).

In this case we need multiple profiles for the different resources, so that each application has only restricted access to the resources it uses.

Create Named Profiles

We can create a named profile using the aws configure command in the following manner:

$ aws configure --profile s3User
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/EXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text

We can configure the profile based on how the application uses it. Check the best practice guide for handling AWS Access Keys for more detailed information.

Credentials File

The profiles we create using the AWS CLI are stored in files inside the .aws folder under the current user. You can find the folder at the following location:

%userprofile%/.aws
or
C:\Users\[UserName]\.aws

The credentials are stored in two files: config and credentials.

You can change the location of the shared credentials file by setting the AWS_SHARED_CREDENTIALS_FILE environment variable.

AWS Credentials Files

The config file contains the profile name, the region of the profile, the Role ARN, etc., whereas the credentials file contains the Access Key and Secret Key.

We can also check the list of profiles stored in the file using the list command:

aws configure list [--profile profile-name]

If --profile profile-name is not provided, it gets the default profile.

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key      ***************ABCD      config_file    ~/.aws/config
secret_key      ***************ABCD      config_file    ~/.aws/config
    region                us-west-2              env    AWS_DEFAULT_REGION

Usage of Profile in Applications (.Net)

The named profile we created can be configured in our application via Web.config or App.config:

<configuration>
  <appSettings>
    <add key="AWSProfileName" value="development"/>
  </appSettings>
</configuration>

By default, the AWS SDK checks the AWSProfileName setting and finds the matching credentials in the .aws folder of the user profile. If your credentials file is in a different location, use the AWSProfilesLocation setting as well.

<configuration>
  <appSettings>
    <add key="AWSProfileName" value="development"/>
    <add key="AWSProfilesLocation" value="PATH_TO_Folder\credentials"/>
  </appSettings>
</configuration>

We can also use the aws element in the configuration file, as shown below:

<configuration>
  <configSections>
    <section name="aws" type="Amazon.AWSSection,AWSSDK.Core"/>
  </configSections>
  <aws profileName="development" profilesLocation="C:\PATH_TO_Folder\credentials"/>
</configuration>
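A check that ties the two points of this post together: keys should not sit in the application's configuration file, and the profile an application names has to exist in the credentials file. This is an added example in Python, not code from the original post or from AWS; the function name, the finding strings and the sample inputs are constructed for illustration, and AWSAccessKey / AWSSecretKey are the appSettings keys the AWS SDK for .NET reads as inline credentials.

```python
import configparser
import re
import xml.etree.ElementTree as ET

# Long-term IAM user access key IDs: "AKIA" plus 16 uppercase letters/digits.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Legacy appSettings keys the AWS SDK for .NET reads as inline credentials.
INLINE_KEYS = {"AWSAccessKey", "AWSSecretKey"}

# Constructed sample inputs, using the placeholder keys shown on this page.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY
[s3User]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/EXAMPLEKEY
"""
SAMPLE_INLINE = """<configuration><appSettings>
<add key="AWSAccessKey" value="AKIAIOSFODNN7EXAMPLE"/>
<add key="AWSProfileName" value="development"/>
</appSettings></configuration>"""


def audit_app_config(config_xml, credentials_text):
    """Return findings for one Web.config/App.config."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(credentials_text)
    known = set(ini.sections())  # "[default]" is an ordinary section here
    root = ET.fromstring(config_xml)
    findings, referenced = [], []
    for add in root.findall("./appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        if key in INLINE_KEYS or ACCESS_KEY_ID.search(value):
            findings.append(f"inline credential in appSettings: {key}")
        if key == "AWSProfileName":
            referenced.append(value)
    aws = root.find("./aws")  # the <aws profileName="..."/> form
    if aws is not None and aws.get("profileName"):
        referenced.append(aws.get("profileName"))
    findings += [f"profile not in credentials file: {p}"
                 for p in referenced if p not in known]
    if not referenced:
        findings.append("no named profile referenced")
    return findings


if __name__ == "__main__":
    print(audit_app_config(SAMPLE_INLINE, SAMPLE_CREDENTIALS))
```

Run it against each application's config file together with the credentials file of the account the application runs under; an empty list means the config names an existing profile and carries no keys of its own.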
