Authenticating to AWS

    All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration, these are described below.

    This article provides a good overview of how the AWS SDK (which Dapr uses) handles credentials

    None of the following attributes are required, since the AWS SDK may be configured using the default provider chain described in the link above. It’s important to test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.

    • : Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example) this flag can be provided by the environment variable AWS_REGION. Since Dapr sidecar injection doesn’t allow configuring environment variables on the Dapr sidecar, it is recommended to always set the region attribute in the component spec.
    • : AWS Access key id.
    • secretKey: AWS Secret access key. Use together with accessKey to explicitly specify credentials.

    In production scenarios, it is recommended to use a solution such as or Kube2iam. If running on AWS EKS, you can , which your pod can use.

    All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren’t needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.

    If running Dapr directly on an AWS EC2 instance in stand-alone mode, instance profiles can be used. Simply configure an iam role and attach it to the instance profile for the ec2 instance, and Dapr should be able to authenticate to AWS without specifying credentials in the Dapr component manifest.

    When running Dapr (or the Dapr runtime directly) in stand-alone mode, you have the option of injecting environment variables into the process like this (on Linux/MacOS:

    If you have locally , you can tell Dapr (or the Dapr runtime) which profile to use by specifying the “AWS_PROFILE” environment variable:

    or

    You can use any of the supported environment variables to configure Dapr in this manner.

    If you authenticate to AWS using , some AWS SDKs (including the Go SDK) don’t yet support this natively. There are several utilities you can use to “bridge the gap” between AWS SSO-based credentials, and “legacy” credentials, such as AwsHelper or .

    If using AwsHelper, start Dapr like this:

    or

    On Windows, the environment variable needs to be set before starting the command, doing it inline as shown above is not supported.