Re: Hide AWS KEYID and Secret when using Proc S3

McDiddles · Posted 11-12-2020 08:57 AM

Greetings,

I a SAS Viya 3.5 environment and need end users to use Proc s3 with key and secret. However I do not want the users to actually see the values of the ID and secret. whether you use a custom config file or configure the AWS cli. I will still need to grant users read access to the files.

this means with a simple filename statement, users will be able to see the credentials to S3 and I don't want that.

How is I secure these(hide them from end users) credentials and still have proc s3 read and use the files.

SASKiwi · Posted 11-12-2020 01:55 PM

Please post an example of the issue, including the FILENAME and PROC S3 code.

McDiddles · Posted 11-13-2020 04:00 AM

Step 1: configured AWS CLi on host.
which creates the config and credentiala file in /home/username/.aws/
the credential file contains the access KeyId and Secret which I don't want user to see

Step 2: run proc s3 which used those credentials to list a bucket and perform other operations;

Proc s3;
list "bucket-name";
run;

Step 3: This step is what I don't want users to be able to do but I cannot remove read permission on the credentials file;
filename secrets "/home/didie.muyco/.aws/credentials";
proc import datafile=secrets out=credentials dbms=dlm;
run;

The above import exports the credentials into SAS and end users can see it 😞

How can I work around this?

KS4NCS · Posted 12-02-2020 08:15 AM

Hi
Which SAS release are you on?Possible to use IAM Roles?
Seem SAS has implemented it in the newer release.
https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.5&docsetId=proc&docsetTarget=n1volod...
As i understand early of this year i still not able to use the IAM Roles.
Hope this help.

SASKiwi · Posted 12-02-2020 02:15 PM

Have you raised this with SAS Tech Support? You'll get a quicker answer that way.