AWS .Net SDK specifies several ways to specify credentials. One of them is SDK store - http://docs.aws.amazon.com/AWSSdkDocsNET/V3/DeveloperGuide/net-dg-config-creds.html#net-dg-config-creds-sdk-store
In that same document two seemingly contradictory things are written:
"SDK Store profiles are specific to a particular user on a particular host. They cannot be copied to other hosts or other users. For this reason, SDK Store profiles cannot be used in production applications."
"The associated credentials are incorporated into the application during the build process."
IF the credentials are incorporated in the program at the build time, then why can't I use the SDK store method in production environment?
That leaves me with either storing credentials in .config files, or credentials files, or using roles.
答案 0 :(得分:2)
为了澄清,文档说明如果您只使用SDK商店,则不能只是拿起您的应用程序并将其移动到任何其他机器,同时期望它按原样工作。如果您使用的是配置文件名称,那么您的应用程序将引用本地SDK存储中的配置文件名称(或者,如果不这样,则是其他AWS资源(如AWS CLI)使用的凭据文件)。
例如,如果您在个人计算机上创建了名为dev-Amit的配置文件,然后转移到生产中的另一台计算机,那么除非您已经配置了SDK存储,否则dev-Amit将不存在在具有相同配置文件名称的该计算机上。
此行为与在EC2 using temporary credentials via IAM Roles中传递凭据的建议做法相反。使用此方法,您可以通过简单地将IAM角色附加到具有足够权限的实例来将证书传递到EC2实例上的应用程序,以执行您的应用程序需要执行的任何操作。首选此方法是因为您不必登录实例来配置任何内容;您只需在创建时附加IAM角色。
更多资源: