appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0

[Feature] Support IAM Instance Roles when Appsmith is hosted in AWS #8377

Open mohanarpit opened 2 years ago

mohanarpit commented 2 years ago

Summary

Some users prefer to use IAM Instance Roles instead of using ACCESS_KEY & SECRET_KEY when accessing AWS services. This ensures that the keys are constantly getting rotated and also avoids having to expose these keys to any particular service running on the particular instance.

Integrations where this is needed: DynamoDB, S3, SMTP (to use SES). Stretch: RDS databases, and Redis (when using Elasticache).

Nikhil-Nandagopal commented 2 years ago

Another user has requested this.

yatinappsmith commented 2 years ago

One more user has requested this feature. https://discord.com/channels/725602949748752515/760761686549463060/935331755978809454

sharat87 commented 2 years ago

Another request for this to talk to SES via instance profile. https://discord.com/channels/725602949748752515/760761686549463060/958335927971872790

mik3h0 commented 2 years ago

Hi,

I'm currently considering Appsmith for my organization's needs however the lack of this feature is likely to be a blocker for us.

Ideally we'd like to be able to use an IAM role from appsmith cloud (if you're not hosted on AWS this is still possible via AssumeRoleWithWebIdentity/OIDC, which is how we do it in Github Actions).

We would definitely be open to running Appsmith containers in our AWS account (probably ECS/Fargate, not ECS/EC2) but we'd much rather pay for the hosted version.

Another way to approach this could be to allow the use of an AWS CLI profile. Users could then add a config file themselves to point credential_source to Ec2InstanceMetadata or EcsContainer as required (not the cleanest approach, but very flexible and has saved my bacon with Terraform a bunch of times 😉)

praneetloke commented 1 year ago

It looks like the plugins might be using the official AWS Java SDK, which supports looking up credentials automatically. Maybe I am missing something, but you might just need to make the access key ID/secret key optional inputs in the datasource configuration form and make sure that the AWS client instances are created without any explicit credentials, to let the SDK determine the best way to get them from the environment. If the user has provided the access key ID and the secret key, then you should use those as you do today. Note that this sort of credential lookup is only possible with AWS itself, not with AWS-compatible services provided by other vendors like MinIO etc. So there should be some logic to allow the user to skip providing the access key ID and secret key only for AWS's own services.

See the AWS Java SDK docs for more info.

If you ever support other large cloud providers' (Azure, GCP) services in the future, they, too, support such a mechanism for authenticating with their services. So it's something to keep in mind.
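The selection logic praneetloke describes, as an added example (not code from the Appsmith repository). It assumes the AWS SDK for Java v2 and uses hypothetical helper names (`resolveProvider`, `isAwsEndpoint`, `buildS3Client`): static credentials when the datasource form carries a key pair, the SDK's default provider chain when it does not, and a hard error when the keys are missing but the endpoint is not an AWS one, since an S3-compatible vendor has no instance role to fall back to.

```java
import java.net.URI;
import java.util.Objects;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.S3ClientBuilder;

/** Hypothetical helper (example only, not Appsmith code) for choosing a credentials provider. */
public final class AwsCredentialSelection {

    private AwsCredentialSelection() {}

    /** True when there is no endpoint override or the override points at AWS itself. */
    static boolean isAwsEndpoint(String endpointOverride) {
        if (endpointOverride == null || endpointOverride.isBlank()) {
            return true; // no override: the SDK targets the regional AWS endpoint
        }
        String host = URI.create(endpointOverride).getHost();
        // Suffix match on the parsed host, not a substring match on the raw URL,
        // so "https://minio.example.com/?x=amazonaws.com" is not mistaken for AWS.
        return host != null
                && (host.endsWith(".amazonaws.com") || host.endsWith(".amazonaws.com.cn"));
    }

    /**
     * Static credentials if the user supplied a key pair; otherwise the SDK's default chain,
     * which in the v2 SDK checks, in order: JVM system properties, environment variables,
     * a web-identity token (AssumeRoleWithWebIdentity, e.g. EKS IRSA), the shared
     * config/credentials files (including profiles with credential_source = EcsContainer
     * or Ec2InstanceMetadata), the ECS container credentials endpoint, and finally EC2
     * instance-profile credentials from IMDS. Temporary credentials obtained from any of
     * those sources are refreshed by the SDK before they expire.
     */
    static AwsCredentialsProvider resolveProvider(String accessKeyId, String secretKey,
                                                  String endpointOverride) {
        boolean hasKeys = accessKeyId != null && !accessKeyId.isBlank()
                && secretKey != null && !secretKey.isBlank();
        if (hasKeys) {
            return StaticCredentialsProvider.create(
                    AwsBasicCredentials.create(accessKeyId, secretKey));
        }
        if (!isAwsEndpoint(endpointOverride)) {
            // S3-compatible vendors (MinIO, Ceph RGW, ...) have no instance-role concept,
            // so an empty key pair there is a misconfiguration, not a request to use the
            // host's identity. Fail loudly instead of silently sending the host's AWS
            // credentials to a third-party endpoint.
            throw new IllegalArgumentException(
                    "Access key ID and secret key are required for non-AWS endpoint: "
                            + endpointOverride);
        }
        return DefaultCredentialsProvider.create();
    }

    static S3Client buildS3Client(String region, String accessKeyId, String secretKey,
                                  String endpointOverride) {
        S3ClientBuilder builder = S3Client.builder()
                .region(Region.of(Objects.requireNonNull(region, "region")))
                .credentialsProvider(resolveProvider(accessKeyId, secretKey, endpointOverride));
        if (endpointOverride != null && !endpointOverride.isBlank()) {
            builder.endpointOverride(URI.create(endpointOverride));
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // On an EC2 instance, ECS/Fargate task or EKS pod with a role attached, no keys
        // are supplied, so the bucket listing runs under that instance/task role.
        try (S3Client s3 = buildS3Client("us-east-1", null, null, null)) {
            s3.listBuckets().buckets().forEach(b -> System.out.println(b.name()));
        }
    }
}
```

Two practitioner caveats that follow from this design. First, once the form allows an empty key pair, every datasource configured that way runs as the same host identity (the instance profile, task role or pod role), so the role's policy has to be scoped to the union of what those datasources legitimately need, and on a shared Appsmith instance that means one role serves every workspace. Second, the non-AWS check above is what keeps a MinIO or other vendor endpoint from silently receiving requests signed with the host's AWS credentials; the SDK itself does no such check, because `endpointOverride` is exactly how it is told to talk to those services.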

felix-appsmith commented 1 year ago

Another request for this from Intercom: https://app.frontapp.com/open/cnv_vws7v7w?key=ZSAcPSYm1jC-zNGp-TdOcFaeakmnQPbZ

LooVV commented 1 year ago

From my experience, implementing it on top of AWS SDK is fairly easy, but will be an important security improvement.

baender commented 1 year ago

I agree with the other users. We would like to use Appsmith but also make use of IAM roles rather than credentials.

antonmaeso commented 11 months ago

This is also a blocker for us.

sumitsum commented 11 months ago

Related document.

geekyme-fsmk commented 9 months ago

+1 for this. More regulated companies may mandate usage of IAM roles over IAM users.

yujiniii commented 6 months ago

I hope this feature will be supported as soon as possible. 🥲💪🏻

mattiasavelin commented 2 months ago

+1 for this! We're running on Google Cloud and it would be really awesome to be able to use IAM service accounts for auth rather than a static API-key. 👍