AWS without Access Keys

Let’s hypopulate you an app serving generative AI cat images based on the weather forecast, running on a g4dn.xlarge ECS task in AWS us-east-1. It’s going great; people didn’t realize how dependent their cat pic prefs are on barometric pressure, and

Moss Lilley
9 min readintermediate
--
View Original

Overview

The article discusses a secure method for accessing AWS resources without using access keys by leveraging OpenID Connect (OIDC) to establish trust between AWS and Fly.io. It outlines the steps to set up this integration, emphasizing the security benefits and ease of management compared to traditional IAM service accounts.

What You'll Learn

1

How to set up OIDC for AWS resource access from Fly.io

2

Why using OIDC improves security over traditional AWS access keys

3

When to use Fly.io for deploying applications that require AWS resources

Prerequisites & Requirements

  • Basic understanding of AWS IAM and OIDC concepts
  • Familiarity with Fly.io platform(optional)

Key Questions Answered

How does OIDC improve security for accessing AWS resources?
OIDC improves security by eliminating the need for static AWS access keys, which are often vulnerable to exposure. Instead, it establishes a trust relationship between AWS and Fly.io, allowing Fly Machines to obtain short-lived credentials dynamically, thus reducing the risk of credential theft.
What steps are involved in setting up OIDC with AWS?
To set up OIDC with AWS, you need to add Fly.io as an Identity Provider in AWS IAM, create a Role with access to the required resources, and set the Role ARN as an environment variable in your Fly.io application. This allows your Fly Machines to access AWS resources securely.
What is the role of AWS Security Token Service (STS) in this process?
AWS Security Token Service (STS) is responsible for issuing short-lived credentials based on OIDC tokens provided by Fly.io. When a Fly Machine presents a valid OIDC token, STS validates it and provides temporary AWS credentials, allowing secure access to AWS resources.
How does the Fly.io init process enhance security?
The Fly.io init process enhances security by generating an OIDC token for each Fly Machine at startup, which is then used to set environment variables for AWS access. This ensures that sensitive credentials are not hardcoded and are managed dynamically, reducing the risk of exposure.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Key Actionable Insights

1
Implement OIDC for AWS access to enhance security and reduce credential management overhead.
By using OIDC, you can avoid the risks associated with static AWS access keys and streamline the process of managing permissions for your applications.
2
Leverage Fly.io's capabilities to deploy applications that require AWS resources without compromising security.
This approach allows you to focus on application development while Fly.io handles the complexities of secure cloud integration.
3
Regularly review and update IAM roles and policies to ensure they align with your application's evolving needs.
Maintaining up-to-date IAM policies helps prevent unauthorized access and ensures compliance with security best practices.

Common Pitfalls

1
Failing to properly configure trust relationships between AWS and Fly.io can lead to access issues.
Ensure that the Identity Provider and Role configurations in AWS IAM are correctly set up to avoid permission denials when accessing resources.
2
Neglecting to manage the lifecycle of OIDC tokens can result in expired tokens causing application failures.
Implement monitoring and logging to track token usage and refresh tokens as needed to maintain seamless access.

Related Concepts

AWS IAM
Openid Connect
Cloud Security
Fly.io Deployment