dapr
/
docs
mirror of https://github.com/dapr/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use shared docs page for aws credential info (#934) 

* Use shared docs page for aws credential info

* more text

* newline

* moved to integrations

* Links and formatting

* A few more fixes

Co-authored-by: Aaron Crawfis <Aaron.Crawfis@microsoft.com>
This commit is contained in:
Trond Hindenes 2020-11-19 20:58:57 +01:00 committed by GitHub
parent 10d4ee2822
commit c5002e846e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 132 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
daprdocs/content/en/developing-applications/integrations/authenticating/_index.md Normal file
View File

@ -0,0 +1,7 @@
---
type: docs
title: "Authenticating to services"
linkTitle: "Authenticating to services"
weight: 3000
description: "Information about authentication and configuration for various cloud providers"
---

62
daprdocs/content/en/developing-applications/integrations/authenticating/authenticating-aws.md Normal file
View File

@ -0,0 +1,62 @@
---
type: docs
title: "Authenticating to AWS"
linkTitle: "Authenticating to AWS"
weight: 10
description: "Information about authentication and configuration options for AWS"
---
All Dapr components using various AWS services (DynamoDB, SQS, S3, etc) use a standardized set of attributes for configuration, these are described below.
[This article](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials) provides a good overview of how the AWS SDK (which Dapr uses) handles credentials
None of the following attributes are required, since the AWS SDK may be configured using the default provider chain described in the link above. It's important to test the component configuration and inspect the log output from the Dapr runtime to ensure that components initialize correctly.
`region`: Which AWS region to connect to. In some situations (when running Dapr in self-hosted mode, for example) this flag can be provided by the environment variable `AWS_REGION`. Since Dapr sidecar injection doesn't allow configuring environment variables on the Dapr sidecar, it is recommended to always set the `region` attribute in the component spec.
`endpoint`: The endpoint is normally handled internally by the AWS SDK. However, in some situations it might make sense to set it locally - for example if developing against [DynamoDB Local](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.html).
`accessKey`: AWS Access key id.
`secretKey`: AWS Secret access key. Use together with `accessKey` to explicitly specify credentials.
`sessionToken`: AWS Session token. Used together with `accessKey` and `secretKey`. When using a regular IAM user's access key and secret, a session token is normally not required.
## Alternatives to explicitly specifying credentials in component manifest files
In production scenarios, it is recommended to use a solution such as [Kiam](https://github.com/uswitch/kiam) or [Kube2iam](https://github.com/jtblin/kube2iam). If running on AWS EKS, you can [link an IAM role to a Kubernetes service account](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html), which your pod can use.
All of these solutions solve the same problem: They allow the Dapr runtime process (or sidecar) to retrive credentials dynamically, so that explicit credentials aren't needed. This provides several benefits, such as automated key rotation, and avoiding having to manage secrets.
Both Kiam and Kube2IAM work by intercepting calls to the [instance metadata service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
## Using instance role/profile when running in stand-alone mode on AWS EC2
If running Dapr directly on an AWS EC2 instance in stand-alone mode, instance profiles can be used. Simply configure an iam role and [attach it to the instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) for the ec2 instance, and Dapr should be able to authenticate to AWS without specifying credentials in the Dapr component manifest.
## Authenticating to AWS when running dapr locally in stand-alone mode
When running Dapr (or the Dapr runtime directly) in stand-alone mode, you have the option of injecting environment variables into the process like this (on Linux/MacOS:
```bash
FOO=bar daprd --app-id myapp
```
If you have [configured named AWS profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) locally , you can tell Dapr (or the Dapr runtime) which profile to use by specifying the "AWS_PROFILE" environment variable:
```bash
AWS_PROFILE=myprofile dapr run...
```
or
```bash
AWS_PROFILE=myprofile daprd...
```
You can use any of the [supported environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list) to configure Dapr in this manner.
On Windows, the environment variable needs to be set before starting the `dapr` or `daprd` command, doing it inline as shown above is not supported.
## Authenticating to AWS if using AWS SSO based profiles
If you authenticate to AWS using [AWS SSO](https://aws.amazon.com/single-sign-on/), some AWS SDKs (including the Go SDK) don't yet support this natively. There are several utilities you can use to "bridge the gap" between AWS SSO-based credentials, and "legacy" credentials, such as [AwsHelper](https://pypi.org/project/awshelper/) or [aws-sso-util](https://github.com/benkehoe/aws-sso-util).
If using AwsHelper, start Dapr like this:
```bash
AWS_PROFILE=myprofile awshelper dapr run...
```
or
```bash
AWS_PROFILE=myprofile awshelper daprd...
```
On Windows, the environment variable needs to be set before starting the `awshelper` command, doing it inline as shown above is not supported.

17
daprdocs/content/en/operations/components/setup-bindings/supported-bindings/dynamodb.md
View File

@ -6,6 +6,7 @@ description: "Detailed documentation on the AWS DynamoDB binding component"
---
## Setup Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -17,21 +18,22 @@ spec:
type: bindings.aws.dynamodb
version: v1
metadata:
- name: table
value: items
- name: region
value: us-west-2
- name: accessKey
value: *****************
- name: secretKey
value: *****************
- name: table
value: items
```
- name: sessionToken
value: *****************
- `region` is the AWS region.
- `accessKey` is the AWS access key.
- `secretKey` is the AWS secret key.
```
- `table` is the DynamoDB table name.
{{% alert title="Warning" color="warning" %}}
The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described [here]({{< ref component-secrets.md >}}).
{{% /alert %}}
@ -44,4 +46,5 @@ The above example uses secrets as plain strings. It is recommended to use a secr
- [Bindings building block]({{< ref bindings >}})
- [How-To: Trigger application with input binding]({{< ref howto-triggers.md >}})
- [How-To: Use bindings to interface with external resources]({{< ref howto-bindings.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

23
daprdocs/content/en/operations/components/setup-bindings/supported-bindings/kinesis.md
View File

@ -8,6 +8,7 @@ description: "Detailed documentation on the AWS Kinesis binding component"
See [this](https://aws.amazon.com/kinesis/data-streams/getting-started/) for instructions on how to set up an AWS Kinesis data streams
## Setup Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -19,23 +20,22 @@ spec:
type: bindings.aws.kinesis
version: v1
metadata:
- name: region
value: AWS_REGION #replace
- name: accessKey
value: AWS_ACCESS_KEY # replace
- name: secretKey
value: AWS_SECRET_KEY #replace
- name: streamName
value: KINESIS_STREAM_NAME # Kinesis stream name
- name: consumerName
value: KINESIS_CONSUMER_NAME # Kinesis consumer name
- name: mode
value: shared # shared - Shared throughput or extended - Extended/Enhanced fanout
```
- name: region
value: AWS_REGION #replace
- name: accessKey
value: AWS_ACCESS_KEY # replace
- name: secretKey
value: AWS_SECRET_KEY #replace
- name: sessionToken
value: *****************
- `region` is the AWS region.
- `accessKey` is the AWS access key.
- `secretKey` is the AWS secret key.
```
- `mode` Accepted values: shared, extended. shared - Shared throughput, extended - Extended/Enhanced fanout methods. More details are [here](https://docs.aws.amazon.com/streams/latest/dev/building-consumers.html)
- `streamName` is the AWS Kinesis Stream Name.
- `consumerName` is the AWS Kinesis Consumer Name.
@ -53,4 +53,5 @@ The above example uses secrets as plain strings. It is recommended to use a secr
- [Bindings building block]({{< ref bindings >}})
- [How-To: Trigger application with input binding]({{< ref howto-triggers.md >}})
- [How-To: Use bindings to interface with external resources]({{< ref howto-bindings.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

11
daprdocs/content/en/operations/components/setup-bindings/supported-bindings/s3.md
View File

@ -6,6 +6,7 @@ description: "Detailed documentation on the AWS S3 binding component"
---
## Setup Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -17,6 +18,8 @@ spec:
type: bindings.aws.s3
version: v1
metadata:
- name: bucket
value: mybucket
- name: region
value: us-west-2
- name: accessKey
@ -27,10 +30,7 @@ spec:
value: mybucket
```
- `region` is the AWS region.
- `accessKey` is the AWS access key.
- `secretKey` is the AWS secret key.
- `table` is the name of the S3 bucket to write to.
- `bucket` is the name of the S3 bucket to write to.
{{% alert title="Warning" color="warning" %}}
The above example uses secrets as plain strings. It is recommended to use a secret store for the secrets as described [here]({{< ref component-secrets.md >}}).
@ -44,4 +44,5 @@ The above example uses secrets as plain strings. It is recommended to use a secr
- [Bindings building block]({{< ref bindings >}})
- [How-To: Trigger application with input binding]({{< ref howto-triggers.md >}})
- [How-To: Use bindings to interface with external resources]({{< ref howto-bindings.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

14
daprdocs/content/en/operations/components/setup-bindings/supported-bindings/sns.md
View File

@ -6,6 +6,7 @@ description: "Detailed documentation on the AWS SNS binding component"
---
## Setup Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -17,19 +18,19 @@ spec:
type: bindings.aws.sns
version: v1
metadata:
- name: topicArn
value: mytopic
- name: region
value: us-west-2
- name: accessKey
value: *****************
- name: secretKey
value: *****************
- name: topicArn
value: mytopic
- name: sessionToken
value: *****************
```
- `region` is the AWS region.
- `accessKey` is the AWS access key.
- `secretKey` is the AWS secret key.
- `topicArn` is the SNS topic name.
{{% alert title="Warning" color="warning" %}}
@ -44,4 +45,5 @@ The above example uses secrets as plain strings. It is recommended to use a secr
- [Bindings building block]({{< ref bindings >}})
- [How-To: Trigger application with input binding]({{< ref howto-triggers.md >}})
- [How-To: Use bindings to interface with external resources]({{< ref howto-bindings.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

14
daprdocs/content/en/operations/components/setup-bindings/supported-bindings/sqs.md
View File

@ -6,6 +6,7 @@ description: "Detailed documentation on the AWS SQS binding component"
---
## Setup Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -17,19 +18,19 @@ spec:
type: bindings.aws.sqs
version: v1
metadata:
- name: queueName
value: items
- name: region
value: us-west-2
- name: accessKey
value: *****************
- name: secretKey
value: *****************
- name: queueName
value: items
- name: sessionToken
value: *****************
```
- `region` is the AWS region.
- `accessKey` is the AWS access key.
- `secretKey` is the AWS secret key.
- `queueName` is the SQS queue name.
{{% alert title="Warning" color="warning" %}}
@ -45,4 +46,5 @@ The above example uses secrets as plain strings. It is recommended to use a secr
- [Bindings building block]({{< ref bindings >}})
- [How-To: Trigger application with input binding]({{< ref howto-triggers.md >}})
- [How-To: Use bindings to interface with external resources]({{< ref howto-bindings.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Bindings API reference]({{< ref bindings_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

21
daprdocs/content/en/operations/components/setup-pubsub/supported-pubsub/setup-aws-snssqs.md
View File

@ -14,8 +14,10 @@ This article describes configuring Dapr to use AWS SNS/SQS for pub/sub on local
{{% codetab %}}
For local development the [localstack project](https://github.com/localstack/localstack) is used to integrate AWS SNS/SQS. Follow the instructions [here](https://github.com/localstack/localstack#installing) to install the localstack CLI.
In order to use localstack with your pubsub binding, you need to provide the `awsEndpoint` configuration
in the component metadata. The `awsEndpoint` is unncessary when running against production AWS.
In order to use localstack with your pubsub binding, you need to provide the `endpoint` configuration
in the component metadata. The `endpoint` is unncessary when running against production AWS.
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -26,7 +28,7 @@ spec:
type: pubsub.snssqs
version: v1
metadata:
- name: awsEndpoint
- name: endpoint
value: http://localhost:4566
# Use us-east-1 for localstack
- name: awsRegion
@ -37,7 +39,7 @@ spec:
{{% codetab %}}
To run localstack on Kubernetes, you can apply the configuration below. Localstack is then
reachable at the DNS name `http://localstack.default.svc.cluster.local:4566`
(assuming this was applied to the default namespace) and this should be used as the `awsEndpoint`
(assuming this was applied to the default namespace) and this should be used as the `endpoint`
```yaml
apiVersion: apps/v1
kind: Deployment
@ -105,15 +107,15 @@ spec:
version: v1
metadata:
# ID of the AWS account with appropriate permissions to SNS and SQS
- name: awsAccountID
value: <AWS account ID>
- name: accessKey
value: **********
# Secret for the AWS user
- name: awsSecret
value: <AWS secret>
- name: secretKey
value: **********
# The AWS region you want to operate in.
# See this page for valid regions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
# Make sure that SNS and SQS are available in that region.
- name: awsRegion
- name: region
value: us-east-1
```
@ -130,3 +132,4 @@ Visit [this guide]({{< ref "howto-publish-subscribe.md#step-2-publish-a-topic" >
- [AWS SQS as subscriber to SNS](https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html)
- [AWS SNS API refernce](https://docs.aws.amazon.com/sns/latest/api/Welcome.html)
- [AWS SQS API refernce](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Welcome.html)
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})

12
daprdocs/content/en/operations/components/setup-secret-store/supported-secret-stores/aws-secret-manager.md
View File

@ -10,6 +10,7 @@ description: Detailed information on the decret store component
Setup AWS Secrets Manager using the AWS documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html.
## Create the Dapr component
See [Authenticating to AWS]({{< ref authenticating-aws.md >}}) for information about authentication-related attributes
```yaml
apiVersion: dapr.io/v1alpha1
@ -22,12 +23,12 @@ spec:
version: v1
metadata:
- name: region
value: [aws_region] # Required.
- name: accessKey # Required.
value: "[aws_region]"
- name: accessKey
value: "[aws_access_key]"
- name: secretKey # Required.
- name: secretKey
value: "[aws_secret_key]"
- name: sessionToken # Required.
- name: sessionToken
value: "[aws_session_token]"
```
@ -68,4 +69,5 @@ The above example uses secrets as plain strings. It is recommended to use a loca
- [Secrets building block]({{< ref secrets >}})
- [How-To: Retreive a secret]({{< ref "howto-secrets.md" >}})
- [How-To: Reference secrets in Dapr components]({{< ref component-secrets.md >}})
- [Secrets API reference]({{< ref secrets_api.md >}})
- [Secrets API reference]({{< ref secrets_api.md >}})
- [Authenticating to AWS]({{< ref authenticating-aws.md >}})