I'm working on a Python application that I've been testing locally, and I'm looking for guidance on setting up the roles and credentials for different environments. I only need to connect to AWS S3 to upload files. Currently, I have my AWS credentials set up on my local machine using an access key and secret access key.
My app will eventually be deployed via AWS Batch, where I'll assign IAM policies to manage permissions for S3. I'm confused about how to properly configure Boto3 to use the IAM role instead of the static access key and secret access key. Should I just stick with using those keys for production, and if so, what's the best way to secure them, maybe using AWS Secrets?
3 Answers
Avoid hardcoding access keys in production. Just use `boto3.client('s3')` without specifying credentials, and Boto3 will check the necessary sources for you. In local development, keep your credentials in the `~/.aws/credentials` file, and in Batch, simply attach the IAM role with the needed S3 permissions. It’s secure and keeps your credentials out of your code!
If you're looking to implement a CI/CD flow without hardcoding credentials, LocalStack can be helpful. It simulates AWS services for local development, allowing you to build and test without actual AWS keys. Just follow their best practices to avoid using credentials locally.
You don’t have to change your code! Boto3 automatically looks for credentials in several places, like your local configuration file and the IAM role assigned to Batch. When you're developing locally, it will use your static credentials, and when it's running in AWS, it will use the IAM role credentials. So just keep things as they are and let Boto3 manage it for you!
That's a relief! Thanks for clarifying!
Not really interested in more tools that complicate things, to be honest.