
Here is the use case. I have an EC2 instance running the ServiceNow MID Server agent. The EC2 instance has an IAM role attached called "TestIAMRole", and an assume-role policy is attached to the role. I use this EC2 instance and the ServiceNow MID Server agent to invoke VPC endpoints using AWS boto3 endpoints. A Python script will generate an authentication token using the boto3 SDK and invoke the endpoint.

Python Example:

    import boto3

    # boto3 picks up the instance-profile credentials for TestIAMRole itself;
    # STS then exchanges them for a temporary session under the target role.
    client = boto3.client('sts')
    response = client.assume_role(RoleArn='<IAM Role ARN>', RoleSessionName='AssumeRole01')
    # AccessKeyId, SecretAccessKey, SessionToken and Expiration of that session
    credentials = response['Credentials']

Then, using Python requests, we call the VPC endpoints and it works fine.

Since we are running an agent on the EC2 instance, we thought of another approach: use the EC2 instance metadata via the local https endpoint using curl. It gives back access_key, secret_key and session_token:

http://169.254.169.254/latest/meta-data/iam/security-credentials/TestIAMRole

So, we are looking for an expert opinion on which of the above two options is the most secure / recommended.

Also, a few questions on optimization:

  1. If we use the assume-role STS method to retrieve credentials, is it recommended to store them in a cache/app until the expiry date-time so we can reuse them, or should we get new STS credentials every time we make a call to other AWS services? Just trying to save an additional STS call each time we invoke an AWS service.
  2. If storing in a cache or app is the option, then we can store the key in ServiceNow securely (encrypted format) and update it regularly before the expiry date-time.

Please advise if this is the right way.

Second one is not assuming the role, I think. - Lamanus

2 Answers


They're almost the same thing.

When you call boto3.client('sts'), it looks in several places for credentials. One of these is the instance metadata.

You could retrieve the instance metadata, extract the credentials from it, and then create the client with those credentials. Not only would this be more work for you, but the credentials that you retrieved would be time-limited: at some point they'd expire, and you'd have to go through the process again. The Boto client is smart enough to do that for you.

As for assuming a different role, as you show in your question, the instance metadata won't help you with that. You can only retrieve credentials for the role (instance profile) attached to the EC2 instance.

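The cache-until-expiry question asked in point 1 of the question, given this answer's remark that boto3 refreshes the instance-profile credentials by itself: an added example, not code from the question or either answer, that does the same refresh-before-expiry bookkeeping for assume_role sessions. It assumes a `fetch(now)` callable standing in for `client.assume_role(...)['Credentials']`, a constructed `fake_assume_role` and a constructed clock, so it runs without AWS access.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

REFRESH_MARGIN = timedelta(minutes=5)  # refresh early so in-flight calls never lapse


class CachedCredentials:
    """Reuse temporary credentials until they approach their Expiration.
    fetch(now) returns a dict shaped like the Credentials block of an STS
    assume_role response; in production it would wrap
    boto3.client('sts').assume_role(...)['Credentials'] (injected here so the
    refresh logic runs offline)."""

    def __init__(self, fetch: Callable[[datetime], Dict],
                 margin: timedelta = REFRESH_MARGIN):
        self._fetch, self._margin = fetch, margin
        self._creds: Optional[Dict] = None
        self.refresh_count = 0  # STS calls the cache actually made

    def _stale(self, now: datetime) -> bool:
        if self._creds is None:
            return True
        exp = self._creds["Expiration"]
        if isinstance(exp, str):  # IMDS returns ISO-8601 text, boto3 a datetime
            exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        return now >= exp - self._margin

    def get(self, now: Optional[datetime] = None) -> Dict:
        """Return usable credentials, calling fetch only when needed."""
        now = now or datetime.now(timezone.utc)
        if self._stale(now):
            self._creds = self._fetch(now)
            self.refresh_count += 1
        return self._creds


def fake_assume_role(now: datetime) -> Dict:
    """Constructed stand-in for STS: mints a one-hour session per call."""
    return {"AccessKeyId": "ASIAEXAMPLE000", "SecretAccessKey": "constructed",
            "SessionToken": "constructed-session-token",
            "Expiration": (now + timedelta(hours=1)).isoformat().replace("+00:00", "Z")}


def simulate(minutes=(0, 30, 56, 90)) -> list:
    """Poll the cache at minute offsets from a constructed clock; return the
    cumulative STS call count after each poll (reuse, then one refresh)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cache, counts = CachedCredentials(fake_assume_role), []
    for m in minutes:
        cache.get(t0 + timedelta(minutes=m))
        counts.append(cache.refresh_count)
    return counts
```

Polling at 0, 30, 56 and 90 minutes makes two STS calls in total: the session is reused at 30 minutes and renewed at 56 minutes, inside the five-minute margin before the one-hour expiry.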

The instance metadata endpoint is used for IAM roles; using an IAM role to grant your permissions to the EC2 instance is the preferred approach.

There are circumstances where you would need to assume a role; these are detailed below:

  • When accessing APIs for a different AWS account (services that support resource policies allow referencing of cross account permissions which you do not need STS for).
  • When assuming a permission that your application generally should not have access to (a limited time task).
  • As an IAM user to switch between accounts (such as in an organization).

These are generalisations, so I am sure there are other niche cases when this is required; however, assuming everything is in the same account, I would suggest sticking to just the instance role.