Configuring IAM Roles for Retrieving API Keys on Amazon EC2 | DOP-C01 Exam Prep


Question

You have an application running on an Amazon EC2 instance and you are using IAM roles to securely access AWS Service APIs.

How can you configure your application running on that instance to retrieve the API keys for use with the AWS SDKs?


Answer - C.

IAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.

Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles.

For more information on IAM roles for EC2, see the following link:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Each answer option is explained below.

A. When assigning an EC2 IAM role to your instance in the console, in the “Chosen SDK” drop-down list, select the SDK that you are using, and the instance will configure the correct SDK on launch with the API keys.

This answer option is incorrect because there is no "Chosen SDK" drop-down list in the console when assigning an EC2 IAM role. When assigning an IAM role to an EC2 instance, you specify the IAM role in the instance launch configuration or when launching an instance. You cannot specify the SDK to use or provide API keys during instance launch.

B. Within your application code, make a GET request to the IAM Service API to retrieve credentials for your user.

This answer option is incorrect because there is no IAM Service API endpoint that returns API keys. The IAM Service API is used to manage IAM users, groups, roles, policies, and credentials. You cannot use the IAM Service API to retrieve API keys for an IAM role attached to an EC2 instance.

C. When using AWS SDKs in Amazon EC2 instances, you do not have to explicitly retrieve API keys. The SDKs assume the IAM roles attached in the instances and get temporary credentials by interacting with the AWS STS service.

This answer option is correct. When an IAM role is attached to an EC2 instance, the AWS SDKs automatically assume the IAM role and obtain temporary credentials to access AWS services. The SDKs interact with the AWS Security Token Service (STS) to obtain temporary credentials, which are valid for a limited time and automatically refreshed by the SDKs.

D. Within your application code, configure the AWS SDK to get the API keys from environment variables, because assigning an Amazon EC2 role stores keys in environment variables on launch.

This answer option is incorrect because IAM roles do not provide API keys that can be retrieved from environment variables. IAM roles provide temporary credentials that are obtained by the AWS SDKs using the AWS STS service. You can configure the AWS SDKs to use environment variables to specify the region, endpoint, and other settings, but not to obtain temporary credentials for IAM roles attached to EC2 instances.

In summary, the correct answer to the question is C: When using AWS SDKs in Amazon EC2 instances, you do not have to explicitly retrieve API keys. The SDKs assume the IAM roles attached in the instances and get temporary credentials by interacting with the AWS STS service.
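
To illustrate the temporary, expiring credentials described under option C, here is an added Python example (not from the original page or from AWS). It validates a constructed credential document shaped like the one the EC2 instance metadata service exposes for an attached role, and decides when a refresh is due; the sample values and the five-minute refresh window are assumptions of this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the document the instance metadata service
# returns for an attached role. All values are fake.
SAMPLE_DOC = json.dumps({
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T18:00:00Z",
})

REFRESH_WINDOW = timedelta(minutes=5)  # assumption of this example


def parse_role_credentials(doc: str) -> dict:
    """Validate the document and return the fields requests are signed with."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise ValueError(f"credential fetch failed: {data.get('Code')}")
    required = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
    missing = [k for k in required if not data.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Temporary access key IDs start with ASIA; long-term user keys use AKIA.
    if not data["AccessKeyId"].startswith("ASIA"):
        raise ValueError("not a temporary credential")
    expires = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": data["AccessKeyId"],
        "secret_key": data["SecretAccessKey"],
        "token": data["Token"],
        "expires": expires.replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds: dict, now: datetime) -> bool:
    """True once the credentials are inside the refresh window or expired."""
    return now >= creds["expires"] - REFRESH_WINDOW


if __name__ == "__main__":
    creds = parse_role_credentials(SAMPLE_DOC)
    for hour, minute in ((12, 0), (17, 56), (18, 30)):
        now = datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)
        print(now.isoformat(), "refresh" if needs_refresh(creds, now) else "cached")
```

A document carrying an `AKIA` key or no `Token` is rejected, which makes the same check usable as a guard against long-term keys being used where role credentials are expected.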