AWS SDK Configuration with Environmental Variables & Dependency Injection .NET Core

Question

I am having trouble getting the AWS Setup Extension to process environment variables.

Following instructions on the AWS Docs + Unofficial Docs.

In my StartUp file, I add the following config and services.

 services.AddDefaultAWSOptions(root.GetAWSOptions());
 services.AddAWSService<IAmazonDynamoDB>();

My configuration includes a JSON file with AWS settings and also environmental variables.

    public static IConfigurationRoot Configuration  => new ConfigurationBuilder()
    .SetBasePath(Directory.GetCurrentDirectory())
    .AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
    .AddEnvironmentVariables()
    .Build();

According to the following diagram and the Unofficial Docs. AWS Setup should attempt to configure credentials from environmental variables failing higher priority options.

However, I have found it is able to import an AWS profile but not the environmental variables.

I've been investigating in the following repo under the console app if anyone cared to reproduce. https://github.com/aws/aws-sdk-net/issues/1717

Answer 1

Putting this out there in case it helps others. I was struggling to run some .Net code that uses the AWS SDK. I couldn't find where credentials were being pulled from on my Windows computer. I renamed my local credentials file and set the typical env vars but my app still was pulling credentials from somewhere else.

I used this command in my code to show the credentials:

    var credentials = FallbackCredentialsFactory.GetCredentials();
    var immutableCredentials = credentials.GetCredentials();
    Console.WriteLine("Access Key: " + immutableCredentials.AccessKey);

I had not remembered ever using the SDK store, and didn't see the credentials defined there, but that "Unofficial Docs" linked in @Craig's post above with the diagram helped debug.

I used the Visual Studio AWS Explorer plugin to set the "sdk:default" user to the credentials I wanted, and it finally worked. https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/keys-profiles-credentials.html

Answer 2

I had the same issue, and I worked it out to the following:

The AWS SDK uses the [default] profile credentials before it uses the session credentials set by environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).

The SDK does not validate the [default] profile credentials, it only cares that they exist.

After deleting the [default] profile from the credentials file, the SDK used the environment variables as I originally expected.

The credentials file is usually located at "~/.aws/credentials".

AWS SDK for .NET credential and profile resolution:
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html

Answer 3

I have resorted to the following workaround. It's fine but it would be good to know if the documentation is incorrect for .NET Core or if I@m doing something wrong.

            services.AddSingleton<IAmazonDynamoDB>(sp =>
            {
                var clientConfig = root.GetAWSOptions();
                var credentials = new BasicAWSCredentials(
                    System.Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
                    System.Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY")); // default credentials no need real one                    
                return new AmazonDynamoDBClient(credentials, clientConfig.Region );
            });