Support for IAM roles
Closed this issue · 3 comments
EC2 instances can be launched with an associated IAM role that provides permissions to other AWS resources. In this case, S3 buckets. There's no need for a user to be associated with the role, so there may not be key/secret credentials readily available to write to a .s3cfg file.

This repository could potentially work around the issue by using the SDK for node, which handles IAM-role based credentials invisibly, or could be directly configured with creds from an .s3cfg file. This would mean adjusting tilelive-s3 requests and dropping the use of the S3 REST API.

If that solution feels out-of-scope in this repository, the alternative for services that need to combine roles and tilelive-s3 is to make requests for temporary credentials and write them to .s3cfg. The disadvantage is that AWS rotates these creds automatically, so the service will need to be smart about also rotating the .s3cfg file.
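The second workaround above (fill an .s3cfg from rotating role credentials and rewrite it before they expire), as an added example that is not tilelive-s3's own code. It assumes s3cmd's `access_key`, `secret_key` and `access_token` keys in the `[default]` section, and `fetchRoleCredentials` is a hypothetical injected function standing in for the instance-profile or STS call so the example runs offline.

```javascript
// Added example (not tilelive-s3's own code): keep an s3cmd-style .s3cfg,
// but fill it from rotating role credentials and refresh the file before
// AWS expires them. fetchRoleCredentials is a hypothetical injected function
// standing in for the instance-profile / STS call, so this runs offline.

// Parse .s3cfg text: a [default] section with access_key / secret_key lines
// (access_token is s3cmd's key for a session token). Returns null if incomplete.
function parseS3cfg(text) {
  const kv = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('[')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) kv[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  if (!kv.access_key || !kv.secret_key) return null;
  return { accessKeyId: kv.access_key, secretAccessKey: kv.secret_key,
           sessionToken: kv.access_token || null, expiration: null };
}

// Serialize credentials back into .s3cfg form; temporary role credentials
// are only valid together with their session token, so it is written too.
function formatS3cfg(creds) {
  const lines = ['[default]', `access_key = ${creds.accessKeyId}`,
    `secret_key = ${creds.secretAccessKey}`];
  if (creds.sessionToken) lines.push(`access_token = ${creds.sessionToken}`);
  return lines.join('\n') + '\n';
}

// Static keys never rotate; role credentials carry an expiration and must be
// replaced ahead of it (marginMs) so the file never holds revoked keys.
function needsRefresh(creds, nowMs, marginMs = 5 * 60 * 1000) {
  if (!creds) return true;
  if (!creds.expiration) return false;
  return Date.parse(creds.expiration) - nowMs <= marginMs;
}

// One rotation step over state = { creds, text }. Returns the possibly
// updated state plus whether the .s3cfg contents changed and need rewriting.
function rotateS3cfg(state, fetchRoleCredentials, nowMs) {
  if (!needsRefresh(state.creds, nowMs)) return { ...state, refreshed: false };
  const fresh = fetchRoleCredentials(); // constructed stand-in for metadata/STS
  return { creds: fresh, text: formatS3cfg(fresh), refreshed: true };
}
```

Call `rotateS3cfg` on a timer shorter than the margin and write `state.text` to disk only when `refreshed` is true.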
+1 for this feature. Looks as though these lines would need to accommodate the AWS SDK
- https://github.com/mapbox/tilelive-s3/blob/master/lib/index.js#L57-L70
- https://github.com/mapbox/tilelive-s3/blob/master/lib/index.js#L254-L349
Is there any reason to continue using a config file and not IAM roles?
Yes, the amount of overhead added for STS by aws-sdk is currently not well known in high throughput situations. Making the change is easy but determining whether it will perform well will take some work.