Access Denied on Windows for AWS Credentials file

Question

No matter what I try it seems my web service cannot access my .aws/credentials file.

I always get this error:

System.UnauthorizedAccessException: Access to the path '{PATH}' is denied.

Here is what I have tried:

• Move the path from the default directory to the website root
• Change the website app pool to run as my user account
• Given Everyone full control of the folder and the file
• Verify that when I put the same key and secret into the web.config the call works
• Tried removing the region from the config
• Tried removing the path from the config

Here is my config (note if I don't provide the path, even when in the default location, it says no credentials file was found)

<add key="AWSProfileName" value="default" />
<add key="AWSRegion" value="us-east-1"/>
<add key="AWSProfilesLocation" value="{PATH}" />

In the AWS toolkit I have a `default' profile setup as well that has rights but that does not help this work.

I have even tried the legancy format called out in the AWS docs. What am I missing? It seems I have followed everything AWS calls out in their docs.

I am using Castle Windsor DI so could that be getting in the way?

container.Register(
            Component.For<IAmazonDynamoDB>()
                .ImplementedBy<AmazonDynamoDBClient>()
                .DependsOn(Dependency.OnValue<RegionEndpoint>(RegionEndpoint.USEast1))
                .LifestylePerWebRequest());

        container.Register(
            Component.For<IDynamoDBContext>()
                .ImplementedBy<DynamoDBContext>()
                .DependsOn(Dependency.OnComponent<IAmazonDynamoDB, AmazonDynamoDBClient>())
                .DependsOn(Dependency.OnValue<DynamoDBContextConfig>(
                    new DynamoDBContextConfig
                    {
                        TableNamePrefix = configurationManager.GetRequiredAppSetting<string>(Constants.Web.AppSettings.AwsDynamoDbPrefix),
                        Conversion = DynamoDBEntryConversion.V2
                    }))
                .LifestylePerWebRequest());

Answer 1

The problem that you have is that the path ~\.aws\credentials is only defined when logged in as a user.

A Windows services such as IIS is not logged in as the user that created the credentials file. Therefore the the path is not accessible to the Windows service. Actually the service does not know what user to look into. For example if your user name is john, the path would be c:\users\john\.aws\credentials. The Windows service does not know about your identity.

Note: I believe - but I am not 100% sure - is that a windows service will look in c:\.aws for credentials. I have used this path in the past but I cannot find Amazon reference documentation to support this. I no longer store credentials on my EC2 instances, so I am out of touch on the location c:\.aws.

You have a number of choices. Create the credentials as usual. Then create a directory outside of your IIS installation and setup such as c:\.aws. Copy ~\.aws to c:\.aws. Then specify the full path in your programs.

A much better and more secure method, if you are running your services on AWS, is to use IAM Role. Create a role with the desired permissions and attach the role to your EC2 instance. All AWS SDKs and Tools know how to find the credentials from AWS Metadata.

There are many more methods such as EC2 Parameter Store. Storing credentials on your instances or inside your program is not a good idea.

[Edit after thinking more about the error message]

You may have an issue where IIS does not have access rights to the location where the credentials are stored.

Open Windows Explorer and locate the folder for your credentials file. Right click this folder, select Properties and click the Security tab. From here, choose Edit then Add. The following users must be added and given at least READ permissions: IUSR & IIS_IUSRS. You may need to add "LIST FOLDER CONTENTS".