aws / amazon-s3-encryption-client-dotnet

An encryption client that allows you to secure your sensitive data before you send it to Amazon S3.
https://aws.github.io/amazon-s3-encryption-client-dotnet/
Apache License 2.0

Creating a new AmazonS3EncryptionClientV2 does not resolve AWS credentials as expected #8

Closed freiguy1 closed 3 years ago

freiguy1 commented 3 years ago

The title pretty much says it. Other services are much easier to create. They evaluate several rules for how to resolve credentials. Here's some code:

using System.Collections.Generic;
using Amazon.Extensions.S3.Encryption;

// KMS-backed materials: the KMS key id comes from configuration; the (empty) dictionary is the
// material description, which the V2 client uses as the KMS encryption context.
EncryptionMaterialsV2 materials = new EncryptionMaterialsV2(configuration["AWS_KMS_REPORT_ID"], Amazon.Extensions.S3.Encryption.Primitives.KmsType.KmsContext, new Dictionary<string, string>());
var s3Configuration = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2)
{
    // Encrypted data key and material description are stored as object metadata, not a sidecar ".instruction" object.
    StorageMode = CryptoStorageMode.ObjectMetadata,
};
var s3Client = new AmazonS3EncryptionClientV2(s3Configuration, materials);

In my appsettings.Development.json, I've set these:

"AWS": {
  "Profile": "my-profile",
  "Region": "us-east-1"
},

First, the AmazonS3CryptoConfigurationV2 doesn't correctly find my region. So I have to set it like:

if (awsOptions.Region != null)
{
    s3Configuration.RegionEndpoint = awsOptions.Region;
}

The if statement is needed because environment variables are used in other environments; appsettings is only used when developing locally. awsOptions is an AWSOptions which I get from the IConfiguration.GetAWSOptions() extension method.

Next, it doesn't respect my Profile in appsettings. It uses [default] credentials. I've gotten around this by

using System;
using Amazon.Runtime.CredentialManagement;

if (!string.IsNullOrWhiteSpace(awsOptions.Profile))
{
    var sharedFile = new SharedCredentialsFile();
    // TryGetProfile returns false (and leaves profile null) when the name is unknown;
    // checking it avoids a NullReferenceException on GetAWSCredentials below.
    if (!sharedFile.TryGetProfile(awsOptions.Profile, out CredentialProfile profile))
    {
        throw new InvalidOperationException($"AWS profile '{awsOptions.Profile}' was not found.");
    }
    s3Configuration.RegionEndpoint = awsOptions.Region;
    // Passing the file as the profile source lets profiles that chain via source_profile resolve too.
    return new AmazonS3EncryptionClientV2(profile.GetAWSCredentials(sharedFile), s3Configuration, materials);
}

All of this is simply done in one line with typical services:

var s3Client = awsOptions.CreateServiceClient<IAmazonS3>();

Could you maybe just create a new constructor that takes an IAmazonS3 and wraps it? Otherwise perhaps this code could be helpful to resolve credentials.

Also, perhaps I'm just doing something completely wrong. Let me know!
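The following is an added example, not code from this issue or from the library's maintainers. It shows one way to do what the comment above works around by hand: take the credentials from the named profile in AWSOptions (honouring a custom ProfilesLocation) or, when no profile is configured, from the SDK's default chain via FallbackCredentialsFactory; take the region from AWSOptions.Region or FallbackRegionFactory; and hand both to the AmazonS3EncryptionClientV2 constructor that accepts AWSCredentials. The class S3EncryptionClientFactory and its methods ResolveCredentials, ResolveRegion and Create are names chosen here; the configuration key AWS_KMS_REPORT_ID is the one used in the issue.

```csharp
// Added example (not from the issue or the library): resolve credentials and region the way the
// SDK's DI helpers do, then build the encryption client. Class and method names are assumptions.
using System;
using System.Collections.Generic;
using Amazon;
using Amazon.Extensions.NETCore.Setup;
using Amazon.Extensions.S3.Encryption;
using Amazon.Extensions.S3.Encryption.Primitives;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;

public static class S3EncryptionClientFactory
{
    // Credentials: explicit AWSOptions.Credentials first, then the named profile from the
    // shared credentials/config files, otherwise the SDK's default chain (environment
    // variables, shared files, container or instance metadata, ...).
    public static AWSCredentials ResolveCredentials(AWSOptions awsOptions)
    {
        if (awsOptions.Credentials != null)
        {
            return awsOptions.Credentials;
        }

        if (!string.IsNullOrWhiteSpace(awsOptions.Profile))
        {
            var chain = string.IsNullOrWhiteSpace(awsOptions.ProfilesLocation)
                ? new CredentialProfileStoreChain()
                : new CredentialProfileStoreChain(awsOptions.ProfilesLocation);

            if (chain.TryGetAWSCredentials(awsOptions.Profile, out var profileCredentials))
            {
                return profileCredentials;
            }

            // Fail closed: a misspelled profile must not silently fall back to whatever
            // [default] credentials happen to exist on the machine.
            throw new InvalidOperationException($"AWS profile '{awsOptions.Profile}' was not found.");
        }

        return FallbackCredentialsFactory.GetCredentials();
    }

    // Region: explicit AWSOptions.Region, else the SDK fallback (AWS_REGION / AWS_DEFAULT_REGION,
    // the profile's region, instance metadata).
    public static RegionEndpoint ResolveRegion(AWSOptions awsOptions)
    {
        return awsOptions.Region
            ?? FallbackRegionFactory.GetRegionEndpoint()
            ?? throw new InvalidOperationException("No AWS region could be resolved.");
    }

    public static AmazonS3EncryptionClientV2 Create(
        AWSOptions awsOptions, string kmsKeyId, Dictionary<string, string> encryptionContext)
    {
        // With KmsType.KmsContext the material description is sent to KMS as the encryption
        // context, so KMS refuses to unwrap the data key if the stored context is altered.
        // It is written to object metadata in clear text: use non-secret values only.
        var materials = new EncryptionMaterialsV2(kmsKeyId, KmsType.KmsContext, encryptionContext);

        var config = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2)
        {
            StorageMode = CryptoStorageMode.ObjectMetadata,
            RegionEndpoint = ResolveRegion(awsOptions),
        };

        return new AmazonS3EncryptionClientV2(ResolveCredentials(awsOptions), config, materials);
    }
}

// Usage (configuration key name taken from the issue; the "purpose" context entry is made up):
//   var awsOptions = configuration.GetAWSOptions();
//   var s3 = S3EncryptionClientFactory.Create(
//       awsOptions,
//       configuration["AWS_KMS_REPORT_ID"],
//       new Dictionary<string, string> { ["purpose"] = "report" });
```

The point of the explicit throw in ResolveCredentials is that the original workaround's `TryGetProfile` call ignores its return value: a typo in the profile name would yield a null profile and a crash at best, and at worst (if the code fell through) requests signed with the machine's [default] credentials against the wrong account. CredentialProfileStoreChain also covers profiles that chain via source_profile or assume a role, which a bare SharedCredentialsFile lookup with a null profile source does not.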

freiguy1 commented 3 years ago

After looking at this repo's code a bit more, perhaps the resolution of correct credentials is out of scope. For instance the IAmazonS3 class does none of this credentials resolution. I guess the verbose code I need to set an AmazonS3EncryptionClientV2 up that works on all our environments was bothering me.

ashishdhingra commented 3 years ago

Hi @freiguy1,

Good afternoon.

Based on your latest comment above, should this issue be closed?

Thanks, Ashish

freiguy1 commented 3 years ago

I will close it, but I'd like to get some guidance about whether the code above is correct for instantiating an AmazonS3EncryptionClientV2 with the correct credentials.