
AWS Multifactor Authentication and shiny-server


I have a shiny-server app deployed on an AWS EC2 instance. This app uses the library aws.s3 to perform read/write operations on an S3 bucket.

The problem is that, due to company policy reasons, I should use MFA authentication on the AWS IAM users.

If I add MFA authentication to the user used in the shiny-server instance, it will fail to download/upload data to the S3 bucket (permission denied).

R code to read the S3 bucket:

    Sys.setenv("AWS_ACCESS_KEY_ID" = "ACCESSKEY",
               "AWS_SECRET_ACCESS_KEY" = "SECRETACCESSKEY",
               "AWS_DEFAULT_REGION" = "REGION",
               "AWS_SESSION_TOKEN" = "")
    aws.s3::s3read_using(FUN, trim_ws = TRUE, object = "myobject")

Is there some way to download/upload S3 files through R? I can use other methods than this one, but I can't change the IAM policy.


Solution

  • You can improve on your approach here. You should not be using IAM Users to access S3 from EC2 instances, so there should not be a need for 2-factor authentication in the first place.

    When accessing AWS Services, you should try to look for IAM Roles rather than IAM users, wherever possible. You can read more about different identities in the official docs here.

    Among other things, AWS IAM Roles are automatically rotated behind the scenes and you should not be required to maintain or pass in AWS user credentials anywhere. This means the credentials are short-lived, and that reduces the impact in case they are compromised.

    You can refer to this guide from AWS Knowledge Center for steps to get this up and running.
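
The following is an added example, not code from the question or the answer: one way the Shiny app could read and write S3 through the instance's IAM role instead of user keys. The bucket name `my-bucket`, the region `eu-west-1`, the helper `use_instance_role`, the use of `readr::read_csv` as `FUN`, and an attached instance profile granting `s3:GetObject`/`s3:PutObject` on the bucket are all assumptions.

```r
# Added example: S3 access from Shiny on EC2 via the instance's IAM role.
# Assumed, not from the original post: bucket "my-bucket", region "eu-west-1",
# readr as the reader/writer, and an instance profile attached to the EC2 host.

use_instance_role <- function(region = "eu-west-1") {
  # aws.signature looks at environment variables before the instance role,
  # so leftover static user keys would silently take precedence. Remove them.
  Sys.unsetenv(c("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"))
  Sys.setenv("AWS_DEFAULT_REGION" = region)

  # aws.signature only queries the instance metadata service when the
  # aws.ec2metadata package is installed.
  if (!requireNamespace("aws.ec2metadata", quietly = TRUE)) {
    stop("package 'aws.ec2metadata' is required to obtain role credentials")
  }
  if (!aws.ec2metadata::is_ec2()) {
    stop("not running on EC2: no instance role available")
  }

  creds <- aws.signature::locate_credentials()
  # Role credentials are temporary and always carry a session token. A missing
  # token means no role was found and some other source (for example a
  # credentials file with long-lived user keys) was used instead: fail closed.
  if (is.null(creds$session_token) || !nzchar(creds$session_token)) {
    stop("resolved credentials are not temporary role credentials")
  }
  invisible(TRUE)
}

use_instance_role()

# No keys are passed anywhere: aws.s3 resolves the role credentials itself.
df <- aws.s3::s3read_using(FUN = readr::read_csv, trim_ws = TRUE,
                           object = "myobject", bucket = "my-bucket")

aws.s3::s3write_using(df, FUN = readr::write_csv,
                      object = "myobject-copy", bucket = "my-bucket")
```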