How to use IAM role for Amazon S3 related operations in SSIS / ODBC AWS Connection – ZappySys Help Center

If you are using ZappySys SSIS Amazon Storage Task to perform various S3 / DynamoDB or Redshift related options then you can use IAM Role option or use default credentials of User profile (Set via AWS Command Line or SDK).

Preparing EC2 VM to assume IAM role

Here is how you can set IAM Role option in ZappySys SSIS Amazon Storage Connection Manager (S3 Storage).

To use IAM Role for S3 your VM must be running as EC2 VM under AWS and it must be set to assume a specific IAM Role (Ask your AWS Admin to adjust this setting in AWS Console).
If you are not sure if VM is setup to use some IAM Role then check below option in your AWS Console for EC2 VM

For example in US East-1 Region You can go to below URL to create new IAM Role
https://us-east-1.console.aws.amazon.com/iam/home#/roles
Here are Example Permissions for new IAM Role

Once Role created select in your Modify IAM Role dropdown and click Update IAM Role
Thats it now go to your EC2 VM (Remote Desktop) and configure Amazon S3 Connection in ODBC or SSIS App and use Default Credentials like below and click Test or browse option to invoke Dynamic Credentials Fetch. This is happening automatically behind the scene so you wont realize until you can use tool like fiddler (See next section)

NOTE: See how it calls API for http://169.254.169.254 ... This is the service which does magic. Every EC2 VM has this service running on local box which is responsible to Map VM Role to Temporary access Key it can obtain.

If you check Fiddler (Web Debugging Tool) You will see a few API calls made automatically to obtain Temp credentials for your EC2 VM (This is based on IAM Role Permission)
===== Call-1====

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/

SomeIAMRoleforEC2

===== Call-2====

GET http://169.254.169.254/latest/meta-data/iam/info

{

"Code" : "Success",
"LastUpdated" : "2023-05-15T20:48:38Z",
"InstanceProfileArn" : "arn:aws:iam::71888xxxxxxxxx:instance-profile/SomeIAMRoleforEC2",
"InstanceProfileId" : "AIPAI3xxxxxxxxxxxxx"
}

===== Call-3====

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/SomeIAMRoleforEC2

{
"Code" : "Success",
"LastUpdated" : "2023-05-15T20:47:44Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA2xxxxxxxxxxxNQ",
"SecretAccessKey" : "sDjcpxxxxxxxxxxxWqWs",
"Token" : "IQoJb3JpZ2xxxxxxxxxxxxxxxx3TOSZT",
"Expiration" : "2023-05-16T03:23:38Z"
}

Above AccessKeyId, SecretAccessKey and Token are automatically used by ZappySys Driver.

SSIS AWS S3 Connection Setup Using AWS Default Credentials (Use IAM Role)

Once EC2 VM is set with a specific role when SSIS Package is executed it automatically gets a temporary access key behind the scene with specific permission. This is all automatic.

Check this article to learn how to use IAM Roles for SSIS Packages running in EC2 VM Instance (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html )

Here is some more information if you want to use IAM Role in non-EC2 VM (ZappySys doesn't support this method yet because we do not have a feature to choose Profile entry on connection manager - in future, we might add this... stay tuned!!!)

amazon-aws-storage-connection-iam-role-option-ec2-vm-assumed-role.png

How AWS Default credential / IAM Role option works?

When you specify default credentials option here is how the system will search for credentials.

Credentials are searched in the following order and use the first available set

Access key and secret key values that are stored in the application's App.config or Web.config file. We strongly recommend using profiles rather than storing literal credentials in your project files.
If a profile is specified:
1. The specified profile in the SDK Store.
2. The specified profile in the credentials file.
If no profile is specified:
1. A profile named default in the SDK Store.
  Default credentials for SDK is stored at below location
  
  C:\Users\YourUserName\AppData\Local\AWSToolkit\RegisteredAccounts.json
2. A profile named default in the credentials file.
Credentials stored in the AWS_ACCESS_KEY_ID and AWS_SECRET_KEY environment variables.
For applications running on an Amazon EC2 instance, credentials stored in an instance profile (For assumed IAM Role for EC2 VM - Metadata service may be called to generate Temp credentials).
Check this article to learn how to use IAM Roles for SSIS Packages running in EC2 VM Instance (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html )