Using IAM in development environments
To streamline development and testing activities, users can get their own credentials in the form of an access key ID and secret access key for sandbox and development environments. You can store your access key ID and secret access key in the credentials file in your user profile. When you develop and test locally, your .NET Framework applications use this profile to access AWS services.
Best practices for managing user credentials
- Do not share the credentials with anyone.
- Assign the minimum required permissions (least privilege) to developers.
- Use this approach only for development purposes in lower environments such as sandbox or development.
- Rotate keys periodically.
- Audit credentials frequently.
- Enable multi-factor authentication (MFA).
Prerequisites for using IAM in your development environment
- An active AWS account
- Microsoft Visual Studio, installed
- AWS Command Line Interface (AWS CLI) version 2, installed and configured to access your AWS account (see instructions)
- AWS Toolkit for Visual Studio, configured (see instructions)
Configuring credentials by using the AWS CLI
You can use the AWS CLI to configure your profile with your AWS access key ID and secret access key credentials. At the command prompt, run the following commands. Replace the sample values with your personal details.
    aws configure
    AWS Access Key ID [None]: xxxxxxxxxxxxxxxx
    AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxx
    Default region name [None]: <specify region name>
    Default output format [None]: json
Accessing development environments
The best practice for accessing development environments is to manage users in a centralized account and enable MFA. Users can assume IAM roles to access other AWS accounts. When you run .NET Framework applications by using a profile that specifies an IAM role, Visual Studio uses the source profile's credentials to call AWS Security Token Service (AWS STS) and request temporary credentials for the specified role. The user in the source profile must have permissions to call sts:assume-role (the IAM action sts:AssumeRole) for the role in the specified profile. The role must have a trust relationship that allows the user in the source profile to use the role. The process of retrieving and then using temporary credentials for a role is often called assuming the role. For information about using an IAM role to access other AWS development or sandbox accounts, see the AWS CLI documentation. You can then use the AWS development or sandbox accounts to develop and test .NET Framework solutions from Visual Studio or by using .NET command-line interface (CLI) commands.
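The following added example (not part of the original guidance) audits the role profiles described above in a shared AWS config file: each profile that sets role_arn should name a source profile that exists and an mfa_serial. The sample file, account IDs, profile names and role names are constructed placeholders, and the check assumes source profiles are declared in the same config file rather than only in the credentials file.

```python
import configparser
import re

# Constructed sample of ~/.aws/config; every ID and name below is a placeholder.
SAMPLE_CONFIG = """
[profile central-dev]
region = us-east-1

[profile sandbox]
role_arn = arn:aws:iam::111122223333:role/DevSandboxRole
source_profile = central-dev
mfa_serial = arn:aws:iam::444455556666:mfa/dev-user

[profile sandbox-no-mfa]
role_arn = arn:aws:iam::111122223333:role/DevSandboxRole
source_profile = central-dev

[profile broken]
role_arn = arn:aws:iam::111122223333:role/DevSandboxRole
source_profile = missing-profile
mfa_serial = arn:aws:iam::444455556666:mfa/dev-user
"""
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def profile_name(section):  # config-file sections are "[profile NAME]" or "[default]"
    return section[len("profile "):] if section.startswith("profile ") else section

def audit_role_profiles(config_text):
    """Return {profile: [findings]} for every profile that assumes a role."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    names = {profile_name(s) for s in parser.sections()}
    findings = {}
    for section in parser.sections():
        opts = parser[section]
        if "role_arn" not in opts:
            continue  # plain profile, does not assume a role
        issues = []
        if not ROLE_ARN.match(opts["role_arn"]):
            issues.append("role_arn is not a well-formed IAM role ARN")
        src = opts.get("source_profile")
        if src is None and "credential_source" not in opts:
            issues.append("no source_profile or credential_source")
        elif src is not None and src not in names:
            issues.append(f"source_profile '{src}' is not defined")
        if "mfa_serial" not in opts:
            issues.append("mfa_serial not set; MFA is not presented when assuming the role")
        findings[profile_name(section)] = issues
    return findings
```

An empty findings list means the profile passed every check; the client-side mfa_serial setting only has effect as a control when the role's trust policy also requires MFA.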