Authenticating to AWS

Information about authentication and configuration options for AWS

All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration, these are described below.

This article provides a good overview of how the AWS SDK (which Dapr uses) handles credentials

None of the following attributes are required, since the AWS SDK may be configured using the default provider chain described in the link above. It’s important to test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.

region: Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example) this flag can be provided by the environment variable AWS_REGION. Since Dapr sidecar injection doesn’t allow configuring environment variables on the Dapr sidecar, it is recommended to always set the region attribute in the component spec.
endpoint: The endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against DynamoDB Local.
accessKey: AWS Access key id.
secretKey: AWS Secret access key. Use together with accessKey to explicitly specify credentials.
sessionToken: AWS Session token. Used together with accessKey and secretKey. When using a regular IAM user’s access key and secret, a session token is normally not required.

Alternatives to explicitly specifying credentials in component manifest files

In production scenarios, it is recommended to use a solution such as Kiam or Kube2iam. If running on AWS EKS, you can link an IAM role to a Kubernetes service account, which your pod can use.

All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren’t needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.

Both Kiam and Kube2IAM work by intercepting calls to the instance metadata service.

Using instance role/profile when running in stand-alone mode on AWS EC2

If running Dapr directly on an AWS EC2 instance in stand-alone mode, instance profiles can be used. Simply configure an iam role and attach it to the instance profile for the ec2 instance, and Dapr should be able to authenticate to AWS without specifying credentials in the Dapr component manifest.

Authenticating to AWS when running dapr locally in stand-alone mode

When running Dapr (or the Dapr runtime directly) in stand-alone mode, you have the option of injecting environment variables into the process like this (on Linux/MacOS:

  1. FOO=bar daprd --app-id myapp

If you have configured named AWS profiles locally , you can tell Dapr (or the Dapr runtime) which profile to use by specifying the “AWS_PROFILE” environment variable:

  1. AWS_PROFILE=myprofile dapr run...

or

  1. AWS_PROFILE=myprofile daprd...

You can use any of the supported environment variables to configure Dapr in this manner.

On Windows, the environment variable needs to be set before starting the dapr or daprd command, doing it inline as shown above is not supported.

Authenticating to AWS if using AWS SSO based profiles

If you authenticate to AWS using AWS SSO, some AWS SDKs (including the Go SDK) don’t yet support this natively. There are several utilities you can use to “bridge the gap” between AWS SSO-based credentials, and “legacy” credentials, such as AwsHelper or aws-sso-util.

If using AwsHelper, start Dapr like this:

  1. AWS_PROFILE=myprofile awshelper dapr run...

or

  1. AWS_PROFILE=myprofile awshelper daprd...

On Windows, the environment variable needs to be set before starting the awshelper command, doing it inline as shown above is not supported.

Last modified February 16, 2021: Merge pull request #1235 from dapr/update-v0.11 (b4e9fbb)