If you are using the ZappySys SSIS Amazon Storage Task to perform S3, DynamoDB or Redshift-related operations, you can use the IAM Role option or the default credentials of the user profile (set via the AWS Command Line or SDK).
Preparing EC2 VM to assume IAM role
Here is how you can set the IAM Role option in the ZappySys SSIS Amazon Storage Connection Manager (S3 Storage).
- To use an IAM Role for S3, your VM must be running as an EC2 VM under AWS and must be set to assume a specific IAM Role (ask your AWS admin to adjust this setting in the AWS Console).
- If you are not sure whether the VM is set up to use an IAM Role, check the option below in your AWS Console for the EC2 VM.
For example, in the US East-1 region you can go to the URL below to create a new IAM Role:
https://us-east-1.console.aws.amazon.com/iam/home#/roles
- Here are example permissions for the new IAM Role.
Once the role is created, select it in the Modify IAM Role dropdown and click Update IAM Role.
- That's it. Now go to your EC2 VM (Remote Desktop), configure the Amazon S3 connection in the ODBC or SSIS app, use Default Credentials like below, and click Test or the browse option to invoke the dynamic credentials fetch. This happens automatically behind the scenes, so you won't notice it unless you use a tool like Fiddler (see next section).
NOTE: See how it calls the API at http://169.254.169.254 ... This is the service that does the magic. Every EC2 VM has this service running on the local box, and it is responsible for mapping the VM's role to the temporary access key it can obtain.
- If you check Fiddler (a web debugging tool), you will see a few API calls made automatically to obtain temporary credentials for your EC2 VM (this is based on the IAM Role permission).
===== Call-1====
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/SomeIAMRoleforEC2
===== Call-2====
GET http://169.254.169.254/latest/meta-data/iam/info
{
"Code" : "Success",
"LastUpdated" : "2023-05-15T20:48:38Z",
"InstanceProfileArn" : "arn:aws:iam::71888xxxxxxxxx:instance-profile/SomeIAMRoleforEC2",
"InstanceProfileId" : "AIPAI3xxxxxxxxxxxxx"
}
===== Call-3====
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/SomeIAMRoleforEC2
{
"Code" : "Success",
"LastUpdated" : "2023-05-15T20:47:44Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIA2xxxxxxxxxxxNQ",
"SecretAccessKey" : "sDjcpxxxxxxxxxxxWqWs",
"Token" : "IQoJb3JpZ2xxxxxxxxxxxxxxxx3TOSZT",
"Expiration" : "2023-05-16T03:23:38Z"
}
- Above AccessKeyId, SecretAccessKey and Token are automatically used by ZappySys Driver.
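The Call-3 response contains live secrets, so a Fiddler capture like the one above should be redacted before it is shared or attached to a ticket. The following is an added example (not ZappySys code) that parses such a response, reports how long the temporary credentials remain valid, and produces a redacted copy; the sample document and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the Call-3 response (placeholder values).
SAMPLE = """{
 "Code" : "Success",
 "LastUpdated" : "2023-05-15T20:47:44Z",
 "Type" : "AWS-HMAC",
 "AccessKeyId" : "ASIAEXAMPLE000000000",
 "SecretAccessKey" : "constructed-secret-value",
 "Token" : "constructed-session-token",
 "Expiration" : "2023-05-16T03:23:38Z"
}"""

SECRET_FIELDS = ("SecretAccessKey", "Token")


def parse_ts(value):
    """Parse the UTC timestamps used in the metadata response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(doc_text, now):
    """Return a log-safe summary of a credential document."""
    doc = json.loads(doc_text)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % doc.get("Code"))
    key_id = doc["AccessKeyId"]
    seconds_left = int((parse_ts(doc["Expiration"]) - now).total_seconds())
    return {
        "access_key_id": key_id[:4] + "..." + key_id[-4:],
        # Temporary (STS-issued) access key IDs start with ASIA.
        "temporary": key_id.startswith("ASIA"),
        "seconds_left": seconds_left,
        "expired": seconds_left <= 0,
    }


def redact(doc_text):
    """Return the document as JSON with secret values replaced."""
    doc = json.loads(doc_text)
    for field in SECRET_FIELDS:
        if field in doc:
            doc[field] = "[REDACTED]"
    return json.dumps(doc, indent=1)
```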
SSIS AWS S3 Connection Setup Using AWS Default Credentials (Use IAM Role)
Once the EC2 VM is set with a specific role, an SSIS package that is executed on it automatically gets a temporary access key behind the scenes with the specific permissions. This is all automatic.
Check this article to learn how to use IAM Roles for SSIS Packages running in EC2 VM Instance (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html )
Here is some more information if you want to use IAM Role in non-EC2 VM (ZappySys doesn't support this method yet because we do not have a feature to choose Profile entry on connection manager - in future, we might add this... stay tuned!!!)
How does the AWS Default credential / IAM Role option work?
When you specify the default credentials option, here is how the system searches for credentials.
Credentials are searched in the following order, and the first available set is used:
- Access key and secret key values that are stored in the application's App.config or Web.config file. We strongly recommend using profiles rather than storing literal credentials in your project files.
- If a profile is specified:
  - The specified profile in the SDK Store.
  - The specified profile in the credentials file.
  If no profile is specified:
  - A profile named default in the SDK Store.
    Default credentials for the SDK are stored at the location below:
    C:\Users\YourUserName\AppData\Local\AWSToolkit\RegisteredAccounts.json
  - A profile named default in the credentials file.
- Credentials stored in the AWS_ACCESS_KEY_ID and AWS_SECRET_KEY environment variables.
- For applications running on an Amazon EC2 instance, credentials stored in an instance profile (for an assumed IAM Role for the EC2 VM, the metadata service may be called to generate temporary credentials).
Check this article to learn how to use IAM Roles for SSIS Packages running in EC2 VM Instance (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html )
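Because the instance profile is the last entry in this search order, any stored key found earlier is used instead of the IAM role. The following added example (not ZappySys or AWS SDK code) models the order listed above and reports when the role is shadowed; the function names, the `<home>/.aws/credentials` path and the `app_config_has_keys` / `role_attached` flags are assumptions for illustration.

```python
import configparser
from pathlib import Path

# Search order as listed above; the first source that exists wins, so the
# EC2 instance profile (IAM role) is only reached if nothing else is set.
ORDER = ["app_config", "sdk_store", "credentials_file", "environment", "instance_profile"]
LONG_LIVED = {"app_config", "sdk_store", "credentials_file", "environment"}


def probe(env, home, local_appdata, app_config_has_keys=False, role_attached=True):
    """Return the set of credential sources present on a machine.

    env, home and local_appdata are passed in (instead of read from the
    process) so the check can be run against constructed inputs.
    """
    present = set()
    if app_config_has_keys:  # the caller inspects the application's own config file
        present.add("app_config")
    # SDK Store location given above; an existing file means profiles may be registered.
    if (Path(local_appdata) / "AWSToolkit" / "RegisteredAccounts.json").is_file():
        present.add("sdk_store")
    # Assumption: the shared credentials file lives at <home>/.aws/credentials.
    cred = Path(home) / ".aws" / "credentials"
    parser = configparser.ConfigParser()
    if cred.is_file() and parser.read(cred) and parser.has_section("default"):
        present.add("credentials_file")
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_KEY"):
        present.add("environment")
    if role_attached:
        present.add("instance_profile")
    return present


def resolve(present):
    """Return (winning source, sources it shadows) for the listed order."""
    found = [source for source in ORDER if source in present]
    if not found:
        return None, []
    return found[0], found[1:]


def role_is_shadowed(present):
    """True when a stored key would be used instead of the attached IAM role."""
    winner, _ = resolve(present)
    return "instance_profile" in present and winner in LONG_LIVED
```

On the EC2 VM, call `probe(os.environ, Path.home(), os.environ["LOCALAPPDATA"])` under the account that runs the SSIS package, since each Windows user has its own profile files and environment.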
Support for IMDSv2 in the IAM role
From Version 5.3.0.10601, we added support for IMDSv2. You'll need to update AWS SDK to v3.7; old versions of SDK won't. Click here to check our release notes for each version
For more information about configuring AWS credentials, check the link below:
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html
Articles about Amazon S3 related tasks in SSIS
https://zappysys.com/blog/category/ssis/tasks/ssis-amazon-storage-task/
https://zappysys.com/blog/category/ssis/components/ssis-amazon-s3-csv-source/
https://zappysys.com/blog/ssis-delete-amazon-s3-file-folder-bucket/
https://zappysys.com/blog/category/ssis/components/ssis-amazon-dynamodb-source/