dongwenyou4298
2019-01-29 23:15
浏览 111
已采纳

我的应用程序是否需要在ec2实例上请求一个角色来配置会话或将其保留为空?

I'm trying to use the aws-sdk-go in my application. It's running on EC2 instance. Now in the Configuring Credentials of the doc,https://docs.aws.amazon.com/sdk-for-go/api/, it says it will look in

*Environment Credentials - Set of environment variables that are useful when sub processes are created for specific roles.

* Shared Credentials file (~/.aws/credentials) - This file stores your credentials based on a profile name and is useful for local development.

*EC2 Instance Role Credentials - Use EC2 Instance Role to assign credentials to application running on an EC2 instance. This removes the need to manage credential files in production.`

Wouldn't the best order be the reverse order? But my main question is do I need to ask the instance if it has a role and then use that to set up the credentials if it has a role? This is where I'm not sure of what I need to do and how.

I did try a simple test of creating a empty config with essentially only setting the region and running it on the instance with the role and it seems to have "worked" but in this case, I am not sure if I need to explicitly set the role or not.

awsSDK.Config{
    Region:      awsSDK.String(a.region),
    MaxRetries:  awsSDK.Int(maxRetries),
    HTTPClient:  http.DefaultClient,
}

I just want to confirm is this the proper way of doing it or not. My thinking is I need to do something like the following

   role = use sdk call to get role on machine
   set awsSDK.Config { Credentials: credentials form of role,
            ...
       }

   issue service command with returned client.

Any more docs/pointers would be great!

图片转代码服务由CSDN问答提供 功能建议

我正在尝试在应用程序中使用aws-sdk-go。 它在EC2实例上运行。 现在,在文档的配置凭据中, https://docs.aws。 amazon.com/sdk-for-go/api/ ,它表示它将查找

  *环境凭据-一组环境变量,当子菜单 
 
 *共享凭据文件(〜/ .aws / credentials)-此文件根据配置文件名称存储您的凭据,对于本地开发很有用。
 
 * EC2实例角色凭据 -使用EC2实例角色将凭据分配给在EC2实例上运行的应用程序。 这样就不需要管理生产中的凭证文件。
   
 
 

最佳顺序不是反向顺序吗? 但是我的主要问题是,是否需要询问实例是否具有角色,然后使用实例来设置凭据(如果它具有角色)? 这是我不确定要做什么以及如何做的地方。

我确实尝试了一个简单的测试,创建一个空的配置,实际上只设置了区域并在 具有该角色的实例,并且似乎已经“起作用”,但是在这种情况下,我不确定是否需要显式设置该角色。

  awsSDK.Config {  
地区:awsSDK.String(a.region),
 MaxRetries:awsSDK.Int(maxRetries),
 HTTPClient:http.DefaultClient,
} 
   
 
 < 我只是想确认这是否是正确的方法。 我的想法是我需要执行以下操作 
 
 
  role =使用sdk调用获取计算机上的角色
 set awsSDK.Config {凭据:角色的凭据形式,\  n ... 
} 
 
向返回的客户端发出服务命令。
   
 
 

再添加任何文档/指针都很棒!

  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • dtbl1231 2019-01-29 23:29
    已采纳

    I have never used the go SDK, but the AWS SDKs I used automatically use the EC2 instance role if credentials are not found from any other source.

    Here's an AWS blog post explaining the approach AWS SDKs follow when fetching credentials: https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/. In particular, see this:

    If you use code like this, the SDKs look for the credentials in this order:

    1. In environment variables. (Not the .NET SDK, as noted earlier.)
    2. In the central credentials file (~/.aws/credentials or %USERPROFILE%.awscredentials).
    3. In an existing default, SDK-specific configuration file, if one exists. This would be the case if you had been using the SDK before these changes were made.
    4. For the .NET SDK, in the SDK Store, if it exists.
    5. If the code is running on an EC2 instance, via an IAM role for Amazon EC2. In that case, the code gets temporary security credentials from the instance metadata service; the credentials have the permissions derived from the role that is associated with the instance.
    打赏 评论
  • dounai9592 2019-01-29 23:43

    In my apps, when I need to connect to AWS resources, I tend to use an access key and secret key that have specific predefined IAM roles. Assuming I have those two, the code I use to create a session is:

    awsCredentials := credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, "")
    awsSession = session.Must(session.NewSession(&aws.Config{
                Credentials: awsCredentials,
                Region:      aws.String(awsRegion),
            }))
    

    When I use this, the two keys are usually specified as either environment variables (if I deploy to a docker container).

    A complete example: https://github.com/retgits/flogo-components/blob/master/activity/amazons3/activity.go

    打赏 评论

相关推荐 更多相似问题