Authenticating to AWS

Information about authentication and configuration options for AWS

All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration via the AWS SDK. Learn more about how the AWS SDK handles credentials.

Since you can configure the AWS SDK using the default provider chain, all of the following attributes are optional. Test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.

AttributeDescription
regionWhich AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example), this flag can be provided by the environment variable AWS_REGION. Since Dapr sidecar injection doesn’t allow configuring environment variables on the Dapr sidecar, it is recommended to always set the region attribute in the component spec.
endpointThe endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against DynamoDB Local.
accessKeyAWS Access key id.
secretKeyAWS Secret access key. Use together with accessKey to explicitly specify credentials.
sessionTokenAWS Session token. Used together with accessKey and secretKey. When using a regular IAM user’s access key and secret, a session token is normally not required.

Important

You must not provide AWS access-key, secret-key, and tokens in the definition of the component spec you’re using:

  • When running the Dapr sidecar (daprd) with your application on EKS (AWS Kubernetes)
  • If using a node/pod that has already been attached to an IAM policy defining access to AWS resources

Alternatives to explicitly specifying credentials in component manifest files

In production scenarios, it is recommended to use a solution such as:

If running on AWS EKS, you can link an IAM role to a Kubernetes service account, which your pod can use.

All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren’t needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.

Both Kiam and Kube2IAM work by intercepting calls to the instance metadata service.

Use an instance profile when running in stand-alone mode on AWS EC2

If running Dapr directly on an AWS EC2 instance in stand-alone mode, you can use instance profiles.

  1. Configure an IAM role.
  2. Attach it to the instance profile for the ec2 instance.

Dapr then authenticates to AWS without specifying credentials in the Dapr component manifest.

Authenticate to AWS when running dapr locally in stand-alone mode

When running Dapr (or the Dapr runtime directly) in stand-alone mode, you can inject environment variables into the process, like the following example:

  1. FOO=bar daprd --app-id myapp

If you have configured named AWS profiles locally, you can tell Dapr (or the Dapr runtime) which profile to use by specifying the “AWS_PROFILE” environment variable:

  1. AWS_PROFILE=myprofile dapr run...

or

  1. AWS_PROFILE=myprofile daprd...

You can use any of the supported environment variables to configure Dapr in this manner.

On Windows, the environment variable needs to be set before starting the dapr or daprd command, doing it inline (like in Linux/MacOS) is not supported.

Authenticate to AWS if using AWS SSO based profiles

If you authenticate to AWS using AWS SSO, some AWS SDKs (including the Go SDK) don’t yet support this natively. There are several utilities you can use to “bridge the gap” between AWS SSO-based credentials and “legacy” credentials, such as:

If using AwsHelper, start Dapr like this:

  1. AWS_PROFILE=myprofile awshelper dapr run...

or

  1. AWS_PROFILE=myprofile awshelper daprd...

On Windows, the environment variable needs to be set before starting the awshelper command, doing it inline (like in Linxu/MacOS) is not supported.

Next steps

Refer to AWS component specs >>

For more information, see how the AWS SDK (which Dapr uses) handles credentials.

Last modified October 12, 2023: Update config.toml (#3826) (0ffc2e7)