GrahamCampbell/Laravel-Flysystem

Can't use IAM role with aws s3, only users with key.

nirradi opened this issue · 6 comments

Hi Graham, love this package, good work!

It is missing something - the option to not pass key/secret to the s3 config. This would work when you assign an IAM role to an EC2 instance for bucket permissions instead of using the key/secret of a user. This is the recommended approach when building applications on Amazon EC2.

Right now, inside the AwsS3Connector class, you throw an exception if key or secret are unset, but actually you should simply not add the "credentials" field to the auth object in this case.

What do you think?
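As an added example (not code from the Laravel-Flysystem package or from the issue author), this is the shape of the connector change being asked for: static credentials go into the S3 client config only when both a key and a secret are supplied, and otherwise the "credentials" entry is left out entirely so the AWS SDK's default provider chain (environment variables, ~/.aws/credentials, ECS/EC2 instance-profile metadata) resolves them. The function names and the config keys ('key', 'secret', 'token', 'region', 'version') are illustrative assumptions; only the S3Client constructor options are the SDK's own.

```php
<?php
// Added example, not the package's or the issue author's code.
// Assumed names: buildS3ClientConfig(), createS3Client(), and the
// 'key' / 'secret' / 'token' / 'region' / 'version' config keys.

require __DIR__ . '/vendor/autoload.php';

use Aws\S3\S3Client;

/**
 * Translate a Flysystem-style config array into an S3Client constructor array.
 *
 * The 'credentials' entry is added only when BOTH key and secret are present.
 * With no entry at all, the SDK falls back to its default provider chain, which
 * is what an EC2 instance with an attached IAM role needs.
 *
 * @throws InvalidArgumentException when only one half of a key/secret pair is set
 */
function buildS3ClientConfig(array $config): array
{
    if (empty($config['region'])) {
        throw new InvalidArgumentException('The s3 connector requires a region.');
    }

    $client = [
        'region'  => $config['region'],
        'version' => $config['version'] ?? 'latest',
    ];

    $hasKey    = !empty($config['key']);
    $hasSecret = !empty($config['secret']);

    // Half a credential pair is almost always a deployment mistake. Refuse it
    // rather than silently falling through to the instance role, which would
    // hide the misconfiguration until the role lacks a permission.
    if ($hasKey !== $hasSecret) {
        throw new InvalidArgumentException(
            'The s3 connector requires both key and secret, or neither.'
        );
    }

    if ($hasKey && $hasSecret) {
        $client['credentials'] = [
            'key'    => $config['key'],
            'secret' => $config['secret'],
        ];
        if (!empty($config['token'])) {
            // Optional STS session token for temporary credentials.
            $client['credentials']['token'] = $config['token'];
        }
    }
    // No 'credentials' key here means "let the SDK default provider decide".

    return $client;
}

function createS3Client(array $config): S3Client
{
    return new S3Client(buildS3ClientConfig($config));
}

// Constructed sample configs (placeholder values, not real credentials).
$withUserKeys = [
    'key'    => 'EXAMPLE-ACCESS-KEY-ID',
    'secret' => 'EXAMPLE-SECRET-ACCESS-KEY',
    'region' => 'eu-west-1',
];
$withInstanceRole = ['region' => 'eu-west-1'];

// A user-keys config carries a 'credentials' entry; an instance-role config does not.
var_dump(array_key_exists('credentials', buildS3ClientConfig($withUserKeys)));
var_dump(array_key_exists('credentials', buildS3ClientConfig($withInstanceRole)));

// Constructing the client does not contact the metadata service; credentials
// are resolved lazily on the first request, so this is safe to run offline.
$s3 = createS3Client($withInstanceRole);
```

Building the client this way keeps long-lived user keys out of the deployed config on EC2 while still allowing them for local development, and the "both or neither" check means a config that accidentally drops one half of a key pair fails loudly at boot instead of quietly switching identities.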

Could you release a new version with this update included?

Yes. I will do soon. :)


any update on this?

I assume this will apply to the ~/.aws/credentials file also.

Based on S3 SDK Docs.

The code below searches multiple places for the credentials, first the environment variables and lastly the roles. You can also split these out.

    <?php

    require __DIR__ . '/vendor/autoload.php';

    use Aws\Credentials\CredentialProvider;
    use Aws\Exception\CredentialsException;
    use Aws\Sdk;

    try {
        /*
         * Create a default credential provider that first checks for environment
         * variables, then checks for the "default" profile in ~/.aws/credentials,
         * then checks for "profile default" profile in ~/.aws/config (which is
         * the default profile of AWS CLI), then tries to make a GET Request to
         * fetch credentials if Ecs environment variable is presented, and finally
         * checks for EC2 instance profile credentials.
         */
        $provider = CredentialProvider::defaultProvider();

        // Wrap the actual provider in a memoize function. (Caching = better performance)
        $memProvider = CredentialProvider::memoize($provider);

        // Resolve once up front so a missing credential source fails here,
        // at boot, rather than on the first S3 request.
        $memProvider()->wait();

        // Pass the provider into the Sdk class and share the provider
        // across multiple clients. Each time a new client is constructed,
        // it will use the previously returned credentials as long as
        // they have not yet expired.
        $sdk = new Sdk(['credentials' => $memProvider]);

        $s3Client = $sdk->createS3(['region' => 'eu-west-1', 'version' => 'latest']);
        // $ec2Client = $sdk->createEc2(['region' => 'eu-west-1', 'version' => 'latest']);
    } catch (CredentialsException $e) {
        // None of the sources in the chain yielded credentials.
        throw new RuntimeException('No AWS credentials could be resolved: ' . $e->getMessage(), 0, $e);
    }

The changelog suggests Ec2 Instance Profile Support was added back in;

3.0.3 - 2015-09-18

  • Added support for configuring credentials with environmental variables, a ini
    file at ~/.aws/credentials, or with Ec2 instance profiles instead of
    requiring their inclusion in the aws.php config file.

We will never support those files, because there is a one-to-many driver relation, not at most one S3 connection, so that file makes no sense.