Authenticating to AWS
Information about authentication and configuration options for AWS
All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration via the AWS SDK. Learn more about how the AWS SDK handles credentials.
Since you can configure the AWS SDK using the default provider chain, all of the following attributes are optional. Test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.
Attribute | Description |
---|---|
region | Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example), this flag can be provided by the environment variable AWS_REGION . Since Dapr sidecar injection doesn’t allow configuring environment variables on the Dapr sidecar, it is recommended to always set the region attribute in the component spec. |
endpoint | The endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against DynamoDB Local. |
accessKey | AWS Access key id. |
secretKey | AWS Secret access key. Use together with accessKey to explicitly specify credentials. |
sessionToken | AWS Session token. Used together with accessKey and secretKey . When using a regular IAM user’s access key and secret, a session token is normally not required. |
Important
You must not provide AWS access-key, secret-key, and tokens in the definition of the component spec you’re using:
- When running the Dapr sidecar (
daprd
) with your application on EKS (AWS Kubernetes) - If using a node/pod that has already been attached to an IAM policy defining access to AWS resources
Alternatives to explicitly specifying credentials in component manifest files
In production scenarios, it is recommended to use a solution such as:
If running on AWS EKS, you can link an IAM role to a Kubernetes service account, which your pod can use.
All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren’t needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.
Both Kiam and Kube2IAM work by intercepting calls to the instance metadata service.
Use an instance profile when running in stand-alone mode on AWS EC2
If running Dapr directly on an AWS EC2 instance in stand-alone mode, you can use instance profiles.
- Configure an IAM role.
- Attach it to the instance profile for the ec2 instance.
Dapr then authenticates to AWS without specifying credentials in the Dapr component manifest.
Authenticate to AWS when running dapr locally in stand-alone mode
When running Dapr (or the Dapr runtime directly) in stand-alone mode, you can inject environment variables into the process, like the following example:
FOO=bar daprd --app-id myapp
If you have configured named AWS profiles locally, you can tell Dapr (or the Dapr runtime) which profile to use by specifying the “AWS_PROFILE” environment variable:
AWS_PROFILE=myprofile dapr run...
or
AWS_PROFILE=myprofile daprd...
You can use any of the supported environment variables to configure Dapr in this manner.
On Windows, the environment variable needs to be set before starting the dapr
or daprd
command, doing it inline (like in Linux/MacOS) is not supported.
Authenticate to AWS if using AWS SSO based profiles
If you authenticate to AWS using AWS SSO, some AWS SDKs (including the Go SDK) don’t yet support this natively. There are several utilities you can use to “bridge the gap” between AWS SSO-based credentials and “legacy” credentials, such as:
If using AwsHelper, start Dapr like this:
AWS_PROFILE=myprofile awshelper dapr run...
or
AWS_PROFILE=myprofile awshelper daprd...
On Windows, the environment variable needs to be set before starting the awshelper
command, doing it inline (like in Linxu/MacOS) is not supported.
Next steps
Refer to AWS component specs >>
Related links
For more information, see how the AWS SDK (which Dapr uses) handles credentials.
Last modified October 12, 2023: Update config.toml (#3826) (0ffc2e7)