IAM security exception when using DynamoDB in a virtual machine

Question

I'm using Visual Studio to create a ASP.NET project which uses DynamoDB with the Amazon .NET SDK. I've installed the Amazon Visual Studio toolkit and created a default profile with the secret/key in the .NET Encrypted Store.

When I run the ASP.NET program locally on my development machine inside Visual Studio everything works just fine. When I deploy the same project to a virtual machine (running on the local LAN) and when IIS tries to execute the code, it throws an exception:

   Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service.
   at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.FetchCredentials()
   at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentials()
   at Amazon.Runtime.Internal.Util.SdkCache.CacheKey.Create(AmazonServiceClient client, Object cacheType)
   at Amazon.Runtime.Internal.Util.SdkCache.GetCache[TKey,TValue](AmazonServiceClient client, Object cacheIdentifier, IEqualityComparer`1 keyComparer)
   at Amazon.DynamoDBv2.DocumentModel.Table.LoadTableInfo()
   at Amazon.DynamoDBv2.DataModel.DynamoDBContext.GetUnconfiguredTable(String tableName)
   at Amazon.DynamoDBv2.DataModel.DynamoDBContext.GetTargetTable(ItemStorageConfig storageConfig, DynamoDBFlatConfig flatConfig, DynamoDBConsumer consumer)
   at Amazon.DynamoDBv2.DataModel.DynamoDBContext.ConvertQueryHelper[T](DynamoDBFlatConfig currentConfig, ItemStorageConfig storageConfig, QueryFilter filter, List`1 indexNames)
   at Authentication.Controllers.AuthController.VerifyLicense(Object details)

This is clearly an issue with credentials but I can't figure out why it's behaving differently in the VM vs the local VS IDE. According to the DynamoDB docs, if you're using the default profile it should automatically embed the credentials into the program when you build/deploy it. It doesn't appear to be doing that.

The only code I have within the project related to the DynamoDB initialization is:

            AmazonDynamoDBConfig clientConfig = new AmazonDynamoDBConfig();
            clientConfig.RegionEndpoint = RegionEndpoint.USEast1;
            AmazonDynamoDBClient client = new AmazonDynamoDBClient(clientConfig); // using the "default" profile in Visual Studio which contains the AWS credentials

Is there a special directive to be added to the project or in the code to embed the Secret/Key credentials (which would be insecure) or am I missing something else? Should I be using Shared Credentials File instead of the .NET Encrypted Store when creating the profile in AWS Explorer in VS? (the documentation is very skimpy on the difference)

Answer 1

So I was able to piece together the solution, it depends on your environment.

Apparently AWS SDK doesn't embed the secret and key into the project. It only references the projects to the .NET Encrypted Store and the default profile (which is on the same machine where VS is installed).

If you want to use a DynamoDB project on a different machine (e.g. virtual machine) then you'll need to create a credential file which contains your secret and key and update your project/deployment to reference the locations of the credentials file (super unsecure).

I found examples here: Amazon.Runtime.AmazonServiceException: Unable to find credentials https://aws.amazon.com/blogs/developer/referencing-credentials-using-profiles/

Since I'm using SDK.NET, I was able to update the Web.Release.config file to include the following directive which updates the web.config file in the IIS to add the AWSProfilesLocation key which is then used by the project. This is only included in the Release web.config file since while debugging on the local machine VS uses the AWS .NET encrypted store.

<appSettings xdt:Transform="Replace">
    <add key="AWSProfilesLocation" value="C:\HOSTING_FILES\App_Data\credentials" />
  </appSettings>

A little trick I used was to save the credentials file to the App_Data directory in the VS project so when the project is deployed it automatically copies the latest credentials file to the virtual machine. Alternatively you can also create a directive to copy any folders you want while publishing: How do you include additional files using VS2010 web deployment packages?

If you're deploying to an AWS EC2 instance or Lambda then you don't need to include the credentials file since that information is already accessible to the project in the AWS environment: https://docs.amazonaws.cn/powershell/latest/userguide/specifying-your-aws-credentials.html https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/authentication-and-access-control.html