I have a server running outside of AWS, and I wrote a small script to upload files from that server to an S3 bucket regularly. My first authentication approach was to create an IAM user, store its access key and secret on the server, and authenticate with it against AWS.
I read that AWS does not recommend long-term credentials, and one should use an IAM role instead. However, in the official documentation they are using a source profile "user1". That user then assumes the role "marketingadminrole". But how do I authenticate user1? I presume with long-term credentials? So, what is the benefit of using an assumed role?
My script runs automatically as a system service, so I cannot use SSO with another identity provider.
What is the best practice for using aws-cli, boto3, etc. and authenticating against AWS safely?
2 Answers
The key here is that you want long-term access to an AWS service. I think you can create an IAM user with the minimum permissions required, then generate access keys for that user and use these access keys from the external server to access the AWS service, in this case S3. I think this is the solution with the least operational overhead.
I don't recommend long-term access keys; you should rotate them and protect them well on your server.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console
Historically, you are correct. The typical solution was to create an IAM Role with the needed S3 permissions and then an IAM User whose sole permission was to assume the aforementioned role. In that way, the benefit was that the AWS credentials in use for the S3 operations were time-limited so if they leaked then there was a smaller window of time in which they were usable.
Now, you should consider using IAM Roles Anywhere:
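The "user1 assumes marketingadminrole" pattern from the question's documentation example, written out as the shared config files that both the AWS CLI and boto3 read. This is an added example, not taken from the original page or from AWS's documentation; the account ID `123456789012`, the region, the session name and the key values are placeholders. It assumes user1's IAM policy grants only `sts:AssumeRole` on that role and that the role's trust policy names user1 as a principal, which is what makes the leaked-key window as small as the answer above describes.

```ini
# ~/.aws/credentials  (constructed example)
# This key is the only long-term secret on the server. user1's IAM policy
# allows nothing except sts:AssumeRole on marketingadminrole, so the key
# alone cannot read or write S3.
[user1]
aws_access_key_id = <placeholder-access-key-id>
aws_secret_access_key = <placeholder-secret-access-key>

# ~/.aws/config  (constructed example; 123456789012 is a placeholder account ID)
[profile user1]
region = eu-west-1

# The profile the upload script actually uses. The SDK calls STS with user1's
# key, receives temporary credentials for the role, and refreshes them
# automatically before they expire.
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
role_session_name = s3-uploader
# 900 seconds is the shortest lifetime STS allows; keep it short so that a
# leaked temporary credential is usable only briefly.
duration_seconds = 900
region = eu-west-1
```

With this in place the script never handles the temporary credentials itself: `aws s3 cp ./backup.tar.gz s3://<bucket>/ --profile marketingadmin` and `boto3.Session(profile_name="marketingadmin").client("s3")` both perform the AssumeRole call on your behalf. The role, not user1, carries the S3 permissions, so auditing CloudTrail for `AssumeRole` events from user1 shows exactly when the server obtained access.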