User guide
Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET
All requests to AWS must be cryptographically signed using credentials issued by AWS. Therefore, you
need a strategy for managing credentials for software that runs on Amazon EC2 instances. You must
distribute, store, and rotate these credentials in a way that keeps them secure but also accessible to the
software.
We designed IAM roles so that you can effectively manage AWS credentials for software running on EC2
instances. You create an IAM role and configure it with the permissions that the software requires. For
more information about the benefits of this approach, see IAM Roles for Amazon EC2 in the Amazon
EC2 User Guide for Microsoft Windows Instances and Roles (Delegation and Federation) in Using IAM.
To use the permissions, the software constructs a client object for the AWS service. The constructor
searches the credentials provider chain for credentials. For .NET, the credentials provider chain is as
follows:
• The App.config file
• The instance metadata associated with the IAM role for the EC2 instance
If the client does not find credentials in App.config, it retrieves temporary credentials that have the
same permissions as those associated with the IAM role. The credentials are retrieved from instance
metadata. The credentials are stored by the constructor on behalf of the customer software and are used
to make calls to AWS from that client object. Although the credentials are temporary and eventually expire,
the SDK client periodically refreshes them so that they continue to enable access. This periodic refresh
is completely transparent to the application software.
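The provider chain described above, shown as an added example (this is not the guide's own sample program, which follows later in the walkthrough). The client is constructed with only a region, so the SDK looks for credentials in App.config first and, when none are there, falls through to the instance profile for the EC2 instance's IAM role. The bucket name, object key and region are placeholders to replace with your own.

```csharp
using System;
using System.IO;
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;

namespace RoleCredentialsExample
{
    class Program
    {
        // Placeholder values; replace with a bucket and text object you can read.
        const string BucketName = "your-bucket-name";
        const string ObjectKey = "your-object.txt";
        static readonly RegionEndpoint Region = RegionEndpoint.USWest2;

        // Reads a text object from Amazon S3 and returns its contents.
        static string ReadTextObject(string bucket, string key, RegionEndpoint region)
        {
            // No credentials are passed here on purpose. The constructor walks the
            // .NET provider chain: App.config appSettings first, then the instance
            // metadata for the IAM role. On an instance launched with a role, leave
            // the access key settings out of App.config so that the temporary,
            // SDK-refreshed role credentials are used instead of long-lived keys.
            // (Amazon.Runtime.InstanceProfileAWSCredentials can be passed explicitly
            // to pin the client to the role and skip App.config entirely.)
            using (var client = new AmazonS3Client(region))
            {
                var request = new GetObjectRequest
                {
                    BucketName = bucket,
                    Key = key
                };

                using (GetObjectResponse response = client.GetObject(request))
                using (var reader = new StreamReader(response.ResponseStream))
                {
                    return reader.ReadToEnd();
                }
            }
        }

        static void Main()
        {
            try
            {
                Console.WriteLine(ReadTextObject(BucketName, ObjectKey, Region));
            }
            catch (AmazonS3Exception ex)
            {
                // An AccessDenied or similar error here usually means the role's
                // policy does not grant s3:GetObject on this bucket/key, or no
                // credentials were found anywhere in the chain.
                Console.WriteLine("S3 request failed: {0} ({1})", ex.Message, ex.ErrorCode);
            }
        }
    }
}
```

Run it once on a development machine with credentials in App.config, then on an EC2 instance launched with the IAM role and an App.config that contains no access keys; the program is identical in both cases, which is the point of the chain.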
The following walkthrough uses a sample program that retrieves an object from Amazon S3 using the
AWS credentials that you've configured. Next, we create an IAM role to provide the AWS credentials.
Finally, we launch an instance with an IAM role that provides the AWS credentials to the sample program
running on the instance.
Walkthrough
• Create a Sample that Retrieves an Object from Amazon S3 (p. 108)
• Create an IAM Role (p. 110)
• Launch an EC2 Instance and Specify the IAM Role (p. 110)
• Run the Sample Program on the EC2 Instance (p. 110)
Create a Sample that Retrieves an Object from Amazon S3
The following sample code retrieves an object from Amazon S3. It requires a text file in an Amazon S3
bucket that you have access to. For more information about creating an Amazon S3 bucket and uploading
an object, see the Amazon Simple Storage Service Getting Started Guide. It also requires AWS credentials
that provide you with access to the Amazon S3 bucket. For more information, see Configuring AWS
Credentials (p. 9).
using System;
using System.Collections.Specialized;
using System.IO;
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
Version v2.0.0
108
AWS SDK for .NET Developer Guide
Tutorial: Using an IAM Role