ingenieux/beanstalker

Support for IAM Instance profile credentials

jwilmoth opened this issue · 6 comments

I'd like to propose adding support for AWS IAM instance profile based credentials in addition to the options captured on http://beanstalker.ingenieux.com.br/beanstalk-maven-plugin/security.html (i.e. using http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/InstanceProfileCredentialsProvider.html). This could be as simple as adding a backstop to attempt to instantiate an InstanceProfileCredentialsProvider in the AbstractAWSMojo.getAWSCredentials() method implementation if the existing mechanisms aren't set. This could also be explicitly controlled with a common property.

Sure, I'm open to pull requests.

Start with this and perhaps this

Thank you

I submitted a pull request to get credentials using ProfileCredentialsProvider. InstanceProfile is only valid if you are running within AWS; it won't work if you are trying to test locally. Probably need both in there.

Sure, I merged.

Actually, IAM Profiles (the ones for EC2) are interesting to revisit, since build slaves on AWS are quite common nowadays.

I was able to run this and unfortunately I think the use of the ProfileCredentialsProvider needs some additional checks. Running on an AWS EC2 instance where only the IAM instance profile is expected to be present, I get the following error:

Caused by: java.lang.IllegalArgumentException: AWS credential profiles file not found in the given path: /home/rzttib/.aws/credentials
10:11:34 at com.amazonaws.auth.profile.internal.ProfilesConfigFileLoader.loadProfiles(ProfilesConfigFileLoader.java:45)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.loadProfiles(ProfilesConfigFile.java:194)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:119)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:93)
10:11:34 at com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:149)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.getProfileEntry(AbstractAWSMojo.java:216)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.getAWSCredentials(AbstractAWSMojo.java:183)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.setupService(AbstractAWSMojo.java:374)

@jwilmoth, I decided to opt for the SDK's official stance. See if the latest changes make sense to you

Thank you

@aldrinleal Yep. The credential chain looks like just the thing that's needed.
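
The lookup order discussed in this thread, as an added example that is not beanstalker's code or part of any comment above: each provider is probed separately so a missing `~/.aws/credentials` file is reported rather than aborting the lookup, and the instance profile is tried last. It assumes an AWS SDK for Java 1.x release that reads the profiles file inside `getCredentials()` (as in the stack trace above); the class name `CredentialChainCheck` and the profile name `default` are hypothetical.

```java
import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;

public class CredentialChainCheck {

    // Show only the last four characters of the access key id; never log the secret key.
    static String tail(String keyId) {
        return (keyId == null || keyId.length() < 4) ? "????" : keyId.substring(keyId.length() - 4);
    }

    // Probe one provider and report the outcome instead of letting its exception abort the lookup.
    static String probe(AWSCredentialsProvider provider) {
        String name = provider.getClass().getSimpleName();
        try {
            AWSCredentials creds = provider.getCredentials();
            return name + ": ok, access key id ends in " + tail(creds.getAWSAccessKeyId());
        } catch (RuntimeException e) {
            // Covers AmazonClientException and the IllegalArgumentException raised
            // when ~/.aws/credentials does not exist.
            return name + ": no credentials (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        AWSCredentialsProvider[] providers = {
            new EnvironmentVariableCredentialsProvider(),
            new SystemPropertiesCredentialsProvider(),
            new ProfileCredentialsProvider("default"),   // assumed profile name
            new InstanceProfileCredentialsProvider()      // EC2 instance metadata service
        };
        for (AWSCredentialsProvider p : providers) {
            System.out.println(probe(p));
        }
        // The chain does the same walk internally and returns the first usable credentials.
        try {
            AWSCredentials creds = new AWSCredentialsProviderChain(providers).getCredentials();
            System.out.println("chain resolved, access key id ends in " + tail(creds.getAWSAccessKeyId()));
        } catch (AmazonClientException e) {
            System.out.println("no provider in the chain could supply credentials");
        }
    }
}
```

On a build agent that has only an instance profile attached, the first three probes report no credentials and the last one succeeds, so no long-lived access keys need to be stored on the host.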