serilog-contrib / Serilog.Sinks.AmazonS3

Serilog.Sinks.AmazonS3 is a library to save logging information from Serilog to Amazon S3. The idea there was to upload log files to Amazon S3 to later evaluate them with Amazon EMR services.
MIT License

Need More Clarity On Role Based Authentication In AWS #50

Closed DelliBabuG closed 1 year ago

DelliBabuG commented 2 years ago

Hi,

Currently, we have integrated Serilog with Amazon S3 by providing awsAccessKeyId and awsSecretAccessKey and writing the logic to log the exceptions in an S3 bucket. Please refer to our current code.

    /* S3 Log handling */
    AWSOption awsOptions = new AWSOption();
    Configuration.GetSection(nameof(AWSOption)).Bind(awsOptions);
    Log.Logger = new LoggerConfiguration().WriteTo.AmazonS3(
            path: ".log",
            bucketPath: Path.Combine(awsOptions.RootDirLogs, "Web"),
            bucketName: awsOptions.BucketName,
            endpoint: RegionEndpoint.GetBySystemName(awsOptions.EndPoint.Split(".")[1]),
            awsAccessKeyId: awsOptions.AccessKey,
            awsSecretAccessKey: awsOptions.SecretKey,
            rollingInterval: RollingInterval.Minute,
            batchSizeLimit: 100,
            formatProvider: null)
        .CreateLogger();
    loggerFactory.AddSerilog();

We are trying to migrate from providing awsAccessKeyId and awsSecretAccessKey directly to AWS IAM User Role-based authentication. For that, we have the "ARNKey" with us. But the awsAccessKeyId and awsSecretAccessKey generated by "ARNKey" will be temporary keys; they will expire in 15 to 30 min.

"ARNKey"-based current code (this can be wrong; the access key and secret key will expire in 15 to 30 min):

    /* S3 Log handling */
    AWSOption awsOptions = new AWSOption();
    Configuration.GetSection(nameof(AWSOption)).Bind(awsOptions);
    AWSCredentials aWSCredentials = GetTemporaryCredentials(awsOptions.ARNKey, Convert.ToInt32(awsOptions.DurationInSeconds));
    if (aWSCredentials != null)
    {
        awsOptions.AccessKey = aWSCredentials.GetCredentials().AccessKey;
        awsOptions.SecretKey = aWSCredentials.GetCredentials().SecretKey;
        Log.Logger = new LoggerConfiguration().WriteTo.AmazonS3(
                path: ".log",
                bucketPath: Path.Combine(awsOptions.RootDirLogs, "Web"),
                bucketName: awsOptions.BucketName,
                endpoint: RegionEndpoint.GetBySystemName(awsOptions.EndPoint.Split(".")[1]),
                awsAccessKeyId: awsOptions.AccessKey,
                awsSecretAccessKey: awsOptions.SecretKey,
                rollingInterval: RollingInterval.Minute,
                batchSizeLimit: 100,
                formatProvider: null)
            .CreateLogger();
        loggerFactory.AddSerilog();
    }

Can you please help us with how to integrate the IAM Role "ARNKey" with Serilog in a generic manner?

Thanks in advance. @ioxFR @SeppPenner

ioxFR commented 2 years ago

Hi @DelliBabuG

If you are using AWS role-based authentication, just don't pass the optional params accessid & accesskey. accesskey/secretkey is only needed when you don't use AWS Role Auth. You just need to ensure that the service that executes your app has the right role to interact with the S3 bucket.

I will check to update the doc to explain that if it's not clear at all.

Let me know if it's not clear.

Edit: sample is already available in the doc. Please check: https://github.com/serilog-contrib/Serilog.Sinks.AmazonS3/blob/master/HowToUse.md

You have a sample using AK/SK and one for role-based auth.

Valentin
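
The role-based setup described in the reply above, as an added example that is not part of the original thread or of the project's own code: the key parameters are omitted as the reply says, and a startup check (an addition here) confirms through STS which identity the SDK's default credential chain resolved before logging is wired up. It assumes the AWSSDK.SecurityToken package is referenced; the role name, bucket name and region are placeholders.

```csharp
// Added example, not code from the Serilog.Sinks.AmazonS3 project.
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Serilog;
using Serilog.Sinks.AmazonS3;

public static class S3LoggingSetup
{
    // Placeholders: replace with the role attached to the host and your bucket.
    private const string ExpectedRoleName = "example-app-logging-role";
    private const string BucketName = "example-log-bucket";
    private static readonly RegionEndpoint Region = RegionEndpoint.EUWest1;

    public static async Task<ILogger> CreateAsync()
    {
        // No keys are supplied anywhere: the SDK's default credential chain
        // picks up the role attached to the host (instance profile, task
        // role, ...) and refreshes its temporary credentials on its own.
        using var sts = new AmazonSecurityTokenServiceClient(Region);
        GetCallerIdentityResponse identity =
            await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());

        // An assumed role shows up as
        // arn:aws:sts::<account>:assumed-role/<role>/<session>.
        if (!identity.Arn.Contains($":assumed-role/{ExpectedRoleName}/",
                StringComparison.Ordinal))
        {
            throw new InvalidOperationException(
                $"Process runs as '{identity.Arn}', not as role '{ExpectedRoleName}'.");
        }

        // Same call as in the question, minus awsAccessKeyId and
        // awsSecretAccessKey.
        return new LoggerConfiguration().WriteTo.AmazonS3(
                path: ".log",
                bucketPath: "Web",
                bucketName: BucketName,
                endpoint: Region,
                rollingInterval: RollingInterval.Minute,
                batchSizeLimit: 100,
                formatProvider: null)
            .CreateLogger();
    }
}
```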

SeppPenner commented 2 years ago

@ioxFR Feel free to add something to the docs if you think it's useful. I honestly don't know that much about the role based auth either...

ioxFR commented 2 years ago

@SeppPenner Probably for some people it's not clear; I will check to clarify that in the doc during next week.

@DelliBabuG Do not hesitate to come back to us if you have any issues with role-based auth.

SeppPenner commented 1 year ago

I assume this is solved now. If not, just tell me, please.