0
votes

My application hosted on an EC2 instance needs to keep a constant connection to SQS, and any loss of connection would lead to data loss. This can be done successfully using an IAM user's access key and secret access key, but I want to use IAM roles for the same purpose. IAM roles use temporary credentials and rotate them periodically. I am not sure whether my application would lose its connection to SQS at the moment the temporary credentials expire and are rotated.

2
Sounds like your application architecture isn't resilient. It's very risky to rely on this kind of architecture: a network error or any EC2 system error would fail your system, leading to data loss. I'd recommend re-architecting your app to withstand failure cases.
Anuruddha

2 Answers

1
votes

The temporary credentials associated with IAM roles have an expiration, but they are refreshed before the expiration occurs. This should not cause an issue unless your application does not properly check for the updated credentials when the expiration time approaches.

But a more fundamental factor in the question is that you may be unfamiliar with the underpinnings of the SQS API.

SQS does not rely on an authenticated "connection," so there is not a single connection that you can "lose." Technically, anyone can "connect" to SQS because the connection itself isn't what's authenticated. SQS authenticates each action independently -- every long poll request, every delete message action, etc., is authenticated by the service at the time it occurs. (If authentication fails, only the individual request fails.)

As long as your code uses appropriately fresh temporary credentials for each request it makes, using IAM roles will not impact your ability to continuously interact with the service.

"any loss in connection would lead to data loss"

You need to retry any errors that occur. Errors can happen for any number of reasons, but because SQS is interacted with by your code over HTTPS, each interaction with the service is not reliant on a continuous connection. You can (and should, but only for performance reasons) use HTTP keep-alives, but HTTPS doesn't depend on a single connection being continuously maintained.
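The per-request model this answer describes, as an added simulation that is not code from the answer or from AWS. Credentials come from a stand-in for the EC2 instance metadata service (in production the SDK reads them from http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>, which returns an access key, secret key, session token and expiration); SQS is a stand-in that checks the credentials on every call; the 5-minute refresh margin, the 5-attempt limit, the one-hour credential lifetime and the failure schedule are assumptions chosen for the example. boto3 does the refresh-ahead-of-expiry and the per-request signing for you; the simulation shows why rotation does not interrupt a consumer loop and, with StaticCredentialProvider, what happens to a consumer that copies the credentials once and never re-reads them.

```python
"""Constructed simulation of a long-running SQS consumer while its role credentials
rotate. Standard library only and offline: FakeImds stands in for the EC2 instance
metadata service, FakeSqs for the SQS endpoint. Margins and limits are assumptions."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)   # refresh this long before expiry (assumption)
MAX_ATTEMPTS = 5                        # retries are per request, not per "connection"
# Subset of what IMDS returns for a role (secret key omitted; it plays no part here).
Credentials = namedtuple("Credentials", "access_key session_token expiration")

class TransientError(Exception): """Throttle or 5xx on one request: retry that request."""
class ExpiredTokenError(Exception): """SQS rejected one request: its credentials had expired."""

class RoleCredentialProvider:
    """What the SDK does: cache the role credentials, refresh before they expire."""
    def __init__(self, fetch, clock):
        self._fetch, self._clock, self._cached, self.refreshes = fetch, clock, None, 0
    def invalidate(self):
        self._cached = None
    def get(self):
        if self._cached is None or self._clock() >= self._cached.expiration - REFRESH_MARGIN:
            self._cached, self.refreshes = self._fetch(), self.refreshes + 1
        return self._cached

class StaticCredentialProvider:
    """The bug the answer warns about: credentials read once and never re-read."""
    def __init__(self, fetch): self._cached, self.refreshes = fetch(), 1
    def invalidate(self): pass              # nothing is re-read, so a retry cannot recover
    def get(self): return self._cached

class FakeClock:
    def __init__(self, start): self.now = start
    def __call__(self): return self.now
    def sleep(self, seconds): self.now += timedelta(seconds=seconds)   # no real blocking

class FakeImds:
    """Each fetch issues a new key id valid for one hour from simulated 'now'."""
    def __init__(self, clock): self._clock, self._issued = clock, 0
    def fetch(self):
        self._issued += 1
        return Credentials(f"ASIAEXAMPLE{self._issued:03d}", f"token-{self._issued}",
                           self._clock() + timedelta(hours=1))

class FakeSqs:
    """Checks the credentials on every call; fails the call numbers listed in fail_on."""
    def __init__(self, clock, bodies, fail_on):
        self._clock, self._pending, self._fail_on = clock, list(bodies), set(fail_on)
        self.calls, self.keys_seen = 0, set()
    def send(self, action, creds):
        self.calls += 1
        if self._clock() >= creds.expiration:
            raise ExpiredTokenError("ExpiredToken")
        if self.calls in self._fail_on:
            raise TransientError("503 ServiceUnavailable")
        self.keys_seen.add(creds.access_key)
        if action == "ReceiveMessage":      # stays queued until DeleteMessage, which returns None
            return self._pending.pop(0) if self._pending else None

def call_with_retry(sqs, provider, sleep, action, stats):
    """Send ONE request with freshly looked-up credentials; retry only that request."""
    for attempt in range(MAX_ATTEMPTS):
        try:
            return sqs.send(action, provider.get())
        except ExpiredTokenError:
            stats["auth_retries"] += 1
            provider.invalidate()           # force a refresh, then retry
        except TransientError:
            stats["retries"] += 1
            sleep(2 ** attempt)             # exponential backoff, seconds
    raise RuntimeError(f"{action} failed after {MAX_ATTEMPTS} attempts")

def consume(sqs, provider, sleep, process):
    """Receive, process, then delete: a message is deleted only once it is processed."""
    stats = {"processed": 0, "retries": 0, "auth_retries": 0}
    while (body := call_with_retry(sqs, provider, sleep, "ReceiveMessage", stats)) is not None:
        process(body)                       # raising here leaves the message in the queue
        call_with_retry(sqs, provider, sleep, "DeleteMessage", stats)
        stats["processed"] += 1
    stats.update(refreshes=provider.refreshes, distinct_keys=len(sqs.keys_seen), calls=sqs.calls)
    return stats

def run_simulation(n_messages, processing_seconds, fail_on=(), refreshing=True):
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    imds = FakeImds(clock)
    provider = RoleCredentialProvider(imds.fetch, clock) if refreshing else StaticCredentialProvider(imds.fetch)
    sqs = FakeSqs(clock, [f"msg-{i}" for i in range(n_messages)], fail_on)
    return consume(sqs, provider, clock.sleep, lambda body: clock.sleep(processing_seconds))

def stale_consumer_error(n_messages=40, processing_seconds=120):
    """The error a consumer that never re-reads its credentials hits once the hour is up."""
    try:
        run_simulation(n_messages, processing_seconds, refreshing=False)
    except RuntimeError as exc:
        return str(exc)

if __name__ == "__main__":
    print(run_simulation(100, 120, fail_on=(5, 60, 133)))   # 4 refreshes, 3 retries, 100 processed
    print(stale_consumer_error())                           # DeleteMessage failed after 5 attempts
```

Running it prints the stats for a 100-message run spread over a little more than three hours (four credential refreshes, three retried requests, every message processed) and then the error the static consumer hits once its hour-old credentials expire. The receive-process-delete ordering is the part that matters for "data loss": any request that fails, for any reason, is retried with whatever credentials are current, and a message is removed from the queue only after it has been handled.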

0
votes

Yes, you can use roles easily. No need for temporary credentials.

You can use an EC2 IAM role. You can create a role to which you attach permissions for SQS, and the same role can be attached to the EC2 instance where your server application is hosted.

Reference for the same: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
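What "attach permissions for SQS" should look like in practice, as an added example rather than anything from the answer or the linked AWS page: the trust policy that makes a role assumable by EC2, and a permission policy limited to the actions a consumer uses on one named queue. The queue ARN is a placeholder, the action list is my choice for a receive/delete consumer, and the ARN check is a local sanity check of my own, not something IAM performs.

```python
"""Added example: the two policy documents for an EC2 instance profile that only
consumes one SQS queue. The placeholder ARN and the action list are assumptions."""
import json
import re

# Queue ARN shape: arn:<partition>:sqs:<region>:<12-digit account>:<queue-name>[.fifo]
_QUEUE_ARN = re.compile(r"^arn:aws[a-z-]*:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,80}(\.fifo)?$")

# What a consumer that receives, processes and deletes messages actually calls.
CONSUMER_ACTIONS = (
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:ChangeMessageVisibility",
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
)


def is_single_queue_arn(arn):
    """True only for an ARN naming exactly one queue (no '*' or account-wide scope)."""
    return bool(_QUEUE_ARN.match(arn))


def trust_policy():
    """Who may assume the role: the EC2 service, which is what makes it an instance role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def consumer_policy(queue_arn, actions=CONSUMER_ACTIONS):
    """What the role may do, limited to one queue; wildcards are refused up front."""
    if not is_single_queue_arn(queue_arn):
        raise ValueError(f"expected the ARN of a single SQS queue, got {queue_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConsumeOneQueue",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": queue_arn,
        }],
    }


def render(policy):
    """JSON in the form the CLI takes via --policy-document file://policy.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder queue ARN for the example.
    print(render(trust_policy()))
    print(render(consumer_policy("arn:aws:sqs:us-east-1:123456789012:orders")))
```

render(trust_policy()) is the document for aws iam create-role --assume-role-policy-document, render(consumer_policy(arn)) the one for aws iam put-role-policy --policy-document; the role then goes into an instance profile that is associated with the instance. The wildcard rejection is deliberate: a statement with Resource "*" lets the role receive from and delete on every queue in the account, and an instance role's credentials are available to any process on the instance that can reach the metadata service, so the permission set should be the consumer's and nothing more.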