User guide
numbers of instances. It also doesn't work well for instances that are created by AWS on behalf of the
customer, such as Spot Instances or instances in Auto Scaling groups.
Another strategy is to embed the credentials as literal strings in the software itself. However, this means
that anyone who comes into possession of the software can scan through the code and retrieve the
credentials.
Yet another strategy is to create a custom Amazon Machine Image (AMI) with the credentials, perhaps
stored in a file on the AMI. However, with this approach anyone with access to the AMI automatically has
access to the credentials—which again creates an unnecessary security risk.
All of the above strategies also make it cumbersome to rotate (update) the credentials. The new credentials
either have to be re-copied to the Amazon EC2 instance or compiled into a new build of the software or
incorporated into the creation of a new AMI.
Use IAM Roles for Amazon EC2 Instances to Manage Your Credentials
IAM roles for Amazon EC2 instances provide a solution. With IAM roles, a developer can develop software
and deploy it to an Amazon EC2 instance without having to manage the credentials the software is using.
You use the IAM console to create the IAM role and configure it with all the permissions that the software
requires. Permissions for IAM roles are specified in a way that is similar to permissions for IAM users.
For more information about specifying permissions, go to Using Identity and Access Management.
Amazon EC2 instances support the concept of an instance profile, which is a logical container for the
IAM role. At the time that you launch an Amazon EC2 instance, you can associate the instance with an
instance profile, which in turn corresponds to the IAM role. Any software that runs on the Amazon EC2
instance is able to access AWS using the permissions associated with the IAM role.
If you are using the AWS Management Console, you don't need to worry about instance profiles. The
IAM console creates one for you in the background whenever you create an IAM role.
To use the permissions associated with the instance profile, the software constructs a client object for an
AWS service, say Amazon Simple Storage Service (Amazon S3), using an overload of the constructor
that does not take any parameters. When this parameterless constructor executes, it searches the
"credentials provider chain." The credentials provider chain is the set of places where the constructor will
attempt to find credentials if they are not specified explicitly as parameters. For .NET, the credentials
provider chain is:
• App.config file
• Instance Metadata Service that provides the credentials associated with the IAM role for the Amazon
EC2 instance
If the client does not find credentials in the App.config file, it retrieves temporary credentials that have
the same permissions as those associated with the IAM role. The credentials are retrieved from Instance
Metadata. The credentials are stored by the constructor on behalf of the customer software and are used
to make calls to AWS from that client object. Although the credentials are temporary and eventually expire,
the SDK client periodically refreshes them so that they continue to enable access. This periodic refresh
is completely transparent to the application software.
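The following program is an added example, not code from the guide or from the SDK itself. It shows the two sides of the provider chain just described: a parameterless AmazonS3Client that walks the chain (App.config first, then Instance Metadata), and a second client that is handed an Amazon.Runtime.InstanceProfileAWSCredentials object directly, so that it can only ever use the role attached to the instance profile and never silently picks up static keys left in a config file. The region (us-east-1) and the assumption that the instance's role allows s3:ListAllMyBuckets are mine; the App.config key names in the comment are what SDK v2 reads from appSettings, stated here as an assumption because the guide does not name them.

```csharp
// Added example for the AWS SDK for .NET v2 credentials provider chain.
// Not part of the Developer Guide; region and permissions are assumptions.
using System;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;

class InstanceRoleCredentialsDemo
{
    static void Main()
    {
        // 1. Parameterless path: no credentials are passed in, so the SDK
        //    searches the provider chain. If App.config contains appSettings
        //    keys such as AWSAccessKey/AWSSecretKey (assumed names), those win;
        //    otherwise the SDK asks the Instance Metadata Service for the
        //    temporary credentials of the IAM role in the instance profile.
        using (var s3 = new AmazonS3Client(RegionEndpoint.USEast1))
        {
            ListBucketsResponse response = s3.ListBuckets();
            Console.WriteLine("Buckets visible via provider chain:");
            foreach (S3Bucket bucket in response.Buckets)
                Console.WriteLine("  " + bucket.BucketName);
        }

        // 2. Role-only path: constructing InstanceProfileAWSCredentials pins the
        //    client to the instance profile. Nothing in App.config is consulted,
        //    so a stray long-lived key pair cannot override the role by accident.
        //    The SDK refreshes the temporary credentials before they expire.
        try
        {
            var roleCredentials = new InstanceProfileAWSCredentials();
            using (var s3 = new AmazonS3Client(roleCredentials, RegionEndpoint.USEast1))
            {
                int count = s3.ListBuckets().Buckets.Count;
                Console.WriteLine("Buckets visible via instance role only: " + count);
            }
        }
        catch (Exception ex)
        {
            // Off-EC2, or on an instance launched without an instance profile,
            // the metadata lookup fails here rather than falling back to a file.
            Console.WriteLine("No instance profile credentials available: " + ex.Message);
        }
    }
}
```

Build this against the SDK v2 assemblies and run it on an Amazon EC2 instance launched with an instance profile; run it on a developer workstation and the second client fails fast, which is the behaviour you want when the intent is that production code never depends on credentials checked into a config file.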
Version v2.0.0
32
AWS SDK for .NET Developer Guide