42

I'm new to the AWS SDK and I'm trying to follow the AWS documentation, but it gives little to none on what exactly I need to set up.

The official docs tell me to add this to the appsettings.json:

{
  "AWS": {
    "Profile": "local-test-profile",
    "Region": "us-west-2"
  }
}

And then create the client:

var options = Configuration.GetAWSOptions();
IAmazonS3 client = options.CreateServiceClient<IAmazonS3>();

This causes an exception to be thrown saying it cannot find the credentials. Where do I put the Api ID and Key? What is this profile?

Please bear in mind I have no preferences on how to set this up. I'm just trying to follow the official documentation for .NET Core, and their only example doesn't work. The docs seem to imply I should have prior knowledge of many of their terms and settings or that I'm migrating an existing app and already have everything set up.

Can someone please point me to what is missing from this example just to make the API correctly connect to AWS?

Natan
  • 2
    https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/credentials.html This link explains the best! – Shiv Aug 23 '18 at 13:20

5 Answers

53

Maybe this is too late for you, but if you are using Docker or have some other environment/setup where it's not possible/easy to use AWS profiles then you can still use environment vars. E.g.:

var awsOptions = Configuration.GetAWSOptions();
awsOptions.Credentials = new EnvironmentVariablesAWSCredentials();
services.AddDefaultAWSOptions(awsOptions);
services.AddAWSService<IAmazonS3>();

Then set AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY & AWS_REGION in your environment.

It seems that Amazon have made this harder to find in the docs than it needs to be.

Running in AWS for reals is ok because you should be using a role, but if you're using Docker for dev then setting up a profile in the container is a PITA.

berkeleybross
Jonesie
  • This is a really helpful answer if you're not on windows, we're deploying to a non windows kubernetes cluster and this is the approach which seems to work best there. – dougajmcdonald Jan 30 '18 at 15:55
  • 1
    I really want a single thing that will search all the possible places for credentials. The standard way does this but does not search the environment. Sad! – Jonesie Jan 30 '18 at 23:07
  • 1
    Yeah that would be great! Also the .NET client almost assumes you are running it on Windows and can use profiles, which is quite naive considering it's a PCL/.NET Core compatible library – dougajmcdonald Jan 31 '18 at 06:51
  • 6
    should mention that the extension method you're using here exists in the `AWSSDK.Extensions.NETCore.Setup` nuget package – MrTristan Feb 10 '20 at 20:40
  • @Jonesie what will happen if the key_id and access_key are changed while my application is running? How do I refresh them in my code to access S3? – kannangokul Jan 12 '21 at 15:00
  • @kannangokul If your container is running outside of AWS then you will need a restart. Inside of AWS (eg, ECS or EC2) then you should be using a role and not access key/secret key. You can also use a role outside of AWS I think, but this gets messy and you will still need a profile or access/secret keys. – Jonesie Jan 12 '21 at 19:33
  • @Jonesie yeah, I was wondering if there is any other option outside the AWS environment and unfortunately I couldn't find any easy solution. I just wanted to double check since I am relatively new to AWS, and thanks for confirming the same – kannangokul Jan 14 '21 at 15:18
23

The json file is $"appsettings.{env.EnvironmentName}.json", so you should call it appsettings.Development.json and have the environment variable set.

Did you define your "local-test-profile" profile in the AWS credentials file?

Should be in C:\Users\{USERNAME}\.aws\credentials

[local-test-profile]
aws_access_key_id = your_access_key_id
aws_secret_access_key = your_secret_access_key

If you don't want it in the default location, you can set the 'ProfilesLocation' json config file.

JAZ
  • 5
    Thanks. No, I didn't define this profile because I didn't know I had to. This is not clear in the documentation at all. So what is missing from the docs is that there should be this ini-like file with the access key and secret in a specific place for it to look. – Natan Apr 06 '17 at 14:55
  • 1
    What {USERNAME} folder should be used for a web app? What's the easiest way to find this - I've tried Administrator, the user listed in task manager/Details/w3wp.exe - none work. This works on dev machine, can't get to work in production. Also can't get ProfilesLocation working in .net core mvc 2. – niico Apr 16 '18 at 10:16
  • 3
    You shouldn't be blamed, to get to know how to manage profiles you need to jump around 5 different articles till you get to the right one. AWS does have documentation, it just happens to be very unintuitive for almost every service in my opinion. – Carlos Jimenez Bermudez Dec 18 '20 at 03:31
17

This helps to avoid getting credentials from the environment by using the appsettings for development purposes.

var awsOption = Configuration.GetAWSOptions();
awsOption.Credentials = new BasicAWSCredentials(Configuration["AWS:AccessKey"], Configuration["AWS:SecretKey"]);
services.AddDefaultAWSOptions(awsOption);

Vlad Hrona
15

The AWS SDK for .NET uses the following order to load credentials:

1. AWSOptions.Credentials property

AWSOptions awsOptions = new AWSOptions
{
    Credentials = new BasicAWSCredentials("yourAccessKey", "yourAccessSecret")
};
builder.Services.AddDefaultAWSOptions(awsOptions);

2. AWSOptions.Profile property

AWSOptions awsOptions = new AWSOptions
{
    Profile = "custom",
    ProfilesLocation = @"c:\temp\credentials"
};
builder.Services.AddDefaultAWSOptions(awsOptions);

If the profile location is not specified, it will look at the default location C:\Users\.aws\credentials.

3. Credential Profile Store Chain

This applies if neither AWSOptions.Credentials nor AWSOptions.Profile is supplied, or if the AWSOptions object itself is null. In this case, the credential profile name will be loaded from the environment variable AWS_PROFILE.

  • Profile Name: If there is no such AWS_PROFILE environment variable, then default will be used as a profile name.
  • Profile Location: C:\Users\.aws\credentials

4. Environment Variables AWS Credentials

If the SDK still hasn't got the credentials, then it checks for the following environment variables to load the AWS credentials.

ENVIRONMENT_VARIABLE_ACCESSKEY = "AWS_ACCESS_KEY_ID";     
ENVIRONMENT_VARIABLE_SECRETKEY = "AWS_SECRET_ACCESS_KEY";        
ENVIRONMENT_VARIABLE_SESSION_TOKEN = "AWS_SESSION_TOKEN";

5. EC2 Instance Profile / ECS Task Profile

Finally, this is the most important place where the SDK looks for the credentials. This would be the best place for applications that are running in the AWS environment. In this case, the SDK loads the AWS credentials from the EC2 instance profile or ECS task role.

I have also written a blog post on the same topic; you can check it out here: Understanding Credential Loading in AWS SDK for .NET

Ankush Jain
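
A startup check that walks the lookup order listed in this answer and reports which source would supply credentials; it also catches the undefined `local-test-profile` case from the question. This is an added example, not code from the answer or from the AWS SDK: `CredentialSourceProbe` and `Describe` are hypothetical names, and the order followed is the one given above, taken as an assumption rather than checked against a specific SDK version.

```csharp
using System;
using Amazon.Extensions.NETCore.Setup;      // AWSOptions (AWSSDK.Extensions.NETCore.Setup package)
using Amazon.Runtime.CredentialManagement;  // CredentialProfileStoreChain

// Hypothetical helper (added example, not part of the AWS SDK).
public static class CredentialSourceProbe
{
    // Names the first source that can supply credentials, in the order listed above.
    // Only the source name is returned; key material is never read out or logged.
    public static string Describe(AWSOptions options)
    {
        // 1. Credentials assigned explicitly in code.
        if (options?.Credentials != null)
            return "AWSOptions.Credentials";

        // 2. Named profile, e.g. "AWS:Profile" = local-test-profile in appsettings.json.
        if (!string.IsNullOrEmpty(options?.Profile))
        {
            var store = new CredentialProfileStoreChain(options.ProfilesLocation);
            if (store.TryGetAWSCredentials(options.Profile, out _))
                return $"profile '{options.Profile}'";

            // Failing fast is this probe's choice: a configured but undefined
            // profile is the misconfiguration described in the question.
            throw new InvalidOperationException(
                $"Profile '{options.Profile}' is configured but was not found in " +
                (options.ProfilesLocation ?? "the default credentials file") + ".");
        }

        // 3. Profile named by AWS_PROFILE, or "default", in the default location.
        var fallbackProfile = Environment.GetEnvironmentVariable("AWS_PROFILE") ?? "default";
        if (new CredentialProfileStoreChain().TryGetAWSCredentials(fallbackProfile, out _))
            return $"profile '{fallbackProfile}'";

        // 4. Access key and secret key supplied through the environment.
        if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID")) &&
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY")))
            return "environment variables";

        // 5. Nothing local: only an EC2 instance profile or ECS task role can supply credentials.
        return "none found locally (EC2 instance profile / ECS task role expected)";
    }
}
```

Call `CredentialSourceProbe.Describe(Configuration.GetAWSOptions())` once at startup and log the returned string; a long-lived access key showing up where a role was expected is worth investigating.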
-1

The same documentation also includes a section for setting up the credentials. Check it out here: http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html

It doesn't give an example of setting up the credentials using the appSettings.json file because they don't think it's the right (secure) way to do it.

Here is from the introduction part of the section about setting up the credentials:

Don't put literal access keys in your application, including the project's App.config or Web.config file. If you do, you create a risk of accidentally exposing your credentials if, for example, you upload the project to a public repository.

Hasan
  • This documentation doesn't have a single example on how to set this up in appsettings.json. – Natan Mar 27 '17 at 18:12
  • 2
    @Natan that's because it's not the right way to do it. – Hasan Mar 27 '17 at 18:15
  • 4
    That doesn't actually answer the question. It's actually part of the problem. I'm new to this SDK, the example provided doesn't work and I have no idea what I'm doing wrong. Any chance you can be more helpful? What should I be doing? Can you give an example on how to make their sample code work? At this point I just need to understand how to run their sample code. – Natan Mar 27 '17 at 18:21
  • 3
    Just to give some feedback, for some reason you're under the impression I want to add the ID and key to AppSettings. I don't. I just need to understand how to set this up using asp.net core, and so far I have no idea what is missing there. – Natan Mar 28 '17 at 21:08
  • 1
    The docs do mention this "BasicAWSCredentials that are created from the AWSAccessKey and AWSSecretKey AppConfig values, if they’re available." However it doesn't appear to work. Also I don't see a problem with putting credentials in User Secret. That's just as secure as .aws\credentials – Snæbjørn Feb 26 '21 at 14:47