Uploading To S3 Bucket Using Missing SessionToken In AWS SDK For .NET

- 1 answer

I'm following this tutorial on uploading files to the AWS S3 bucket.

The author is using AppConfiguration for configuring AWS:

public class AppConfiguration : IAppConfiguration
{
    // Keep the following details in the appsettings.config file, a DB or an environment variable.
    // Get those values from it and assign them to the variables below. Based on the approach, modify the code below.
    public AppConfiguration()
    {
        BucketName = "";
        Region = "";
        AwsAccessKey = "";
        AwsSecretAccessKey = "";
        AwsSessionToken = "";
    }

    public string BucketName { get; set; }
    public string Region { get; set; }
    public string AwsAccessKey { get; set; }
    public string AwsSecretAccessKey { get; set; }
    public string AwsSessionToken { get; set; }
}

Among others, there's an AwsSessionToken property which I don't know how to retrieve/generate.

How can I retrieve a session token?



TLDR: use the shared AWS credentials file & delete all code related to credentials within your application including the credentials themselves as they are a security risk.

Never, ever, ever, ever, ever, ever, ever, ever, ever store credentials within application files.

Here are the important warnings that the AWS SDK for .NET Developer Guide issues on credentials:

Do NOT put literal access keys in your application files. If you do, you create a risk of accidentally exposing your credentials if, for example, you upload the project to a public repository.

Do NOT include files that contain credentials in your project area.

This is pretty much reiterated everywhere else too:

We recommend that you never add your AWS access keys directly to the client in any production files. Many developers have had their account compromised by leaked keys.

Instead, use a method of providing credentials within the default credentials provider chain for the .NET SDK to securely provide credentials to your .NET application.

It's easier and much cleaner than creating a POCO, or handling credentials within your code.

For local development, I always prefer the shared AWS credentials file, which you can create yourself or use aws configure via the AWS CLI to set it up. The AWS SDK will then automatically pick up on the credentials without you needing to specify anything within the code.

Using an AWS credentials file offers the following benefits:

  • Your projects’ credentials are stored outside of your projects, so there is no chance of accidentally committing them into version control.
  • You can define and name multiple sets of credentials in one place.
  • You can easily reuse the same credentials among projects.
  • Other AWS SDKs and tools support this same credentials file. This allows you to reuse your credentials with other tools.

Just please don't hardcode credentials whatever you do.

FYI: session tokens are used to validate temporary AWS credentials. Your access key ID & secret access key are permanent methods of authenticating until they are deactivated/deleted, so you don't need to worry about session tokens at all.
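
The approach in the answer above, as an added example that is not code from the tutorial or from the answer: an upload that carries no credentials in code, followed by the one place a session token actually comes from (temporary credentials issued by AWS STS). The bucket name, profile name and region are placeholders, and the NuGet packages AWSSDK.S3 and AWSSDK.SecurityToken are assumed.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.S3;
using Amazon.S3.Transfer;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class S3UploadExample
{
    // Placeholder values (assumptions, not taken from the page).
    private const string BucketName = "example-bucket";
    private const string ProfileName = "default";
    private static readonly RegionEndpoint Region = RegionEndpoint.USEast1;

    public static async Task Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: upload <file>"); return; }

        // 1. No keys in code: the SDK walks the default credentials provider
        //    chain (shared credentials file, environment, instance role, ...).
        using (var s3 = new AmazonS3Client(Region))
        {
            await new TransferUtility(s3).UploadAsync(args[0], BucketName);
        }

        // 2. A session token only exists for temporary credentials. Here STS
        //    issues them from the long-term IAM user keys in the shared file;
        //    GetSessionToken fails if the profile itself is already temporary.
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(ProfileName, out AWSCredentials longTerm))
            throw new InvalidOperationException($"Profile '{ProfileName}' not found.");

        using (var sts = new AmazonSecurityTokenServiceClient(longTerm, Region))
        {
            var response = await sts.GetSessionTokenAsync(
                new GetSessionTokenRequest { DurationSeconds = 900 }); // 900 s is the minimum
            Credentials c = response.Credentials;
            var temporary = new SessionAWSCredentials(
                c.AccessKeyId, c.SecretAccessKey, c.SessionToken);

            using (var s3 = new AmazonS3Client(temporary, Region))
            {
                await new TransferUtility(s3).UploadAsync(args[0], BucketName);
            }
            Console.WriteLine($"Temporary credentials expire at {c.Expiration}");
        }
    }
}
```

The temporary key pair is rejected by AWS unless the matching session token is sent with it, which is why the three values always travel together.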