mapbox/tilelive-s3

Support for IAM roles

Closed this issue · 3 comments

EC2 instances can be launched with an associated IAM role that provides permissions to other AWS resources. In this case, S3 buckets. There's no need for a user to be associated with the role, so there may not be key/secret credentials readily available to write to a .s3cfg file.

This repository could potentially work around the issue by using the SDK for node, which handles IAM-role based credentials invisibly, or could be directly configured with creds from an .s3cfg file. This would mean adjusting tilelive-s3 requests and dropping the use of the S3 REST API.

If that solution feels out-of-scope in this repository, the alternative for services that need to combine roles and tilelive-s3 is to make requests for temporary credentials and write them to .s3cfg. The disadvantage is that AWS rotates these creds automatically, so the service will need to be smart about also rotating the .s3cfg file.
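The credential-resolution logic the issue describes, as an added example in Node.js that is not part of tilelive-s3: prefer role-supplied temporary credentials, fall back to the `access_key` / `secret_key` pair in an s3cmd-style `.s3cfg`, and refresh role credentials before AWS rotates them. The `roleProvider` function is a hypothetical stand-in for the instance-metadata lookup the AWS SDK would perform; the `.s3cfg` text and its placeholder keys are constructed for the example.

```javascript
// Added example (not tilelive-s3 code): resolve S3 credentials from an
// IAM-role style provider first, then fall back to a .s3cfg file, and
// refresh role credentials before they expire. Node.js core only.
'use strict';

// Parse the s3cmd-style INI text of a .s3cfg file and return the
// access_key / secret_key pair from the [default] section, or null.
function parseS3cfg(text) {
  let section = null;
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { section = sec[1]; continue; }
    if (section !== 'default') continue;
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv) out[kv[1]] = kv[2];
  }
  if (!out.access_key || !out.secret_key) return null;
  // Static keys from a file carry no expiry.
  return { accessKeyId: out.access_key, secretAccessKey: out.secret_key, expiration: null };
}

// Credentials are treated as stale this many ms before their stated expiry
// so that in-flight requests do not race the rotation.
const REFRESH_WINDOW_MS = 5 * 60 * 1000;

function needsRefresh(creds, nowMs) {
  if (!creds) return true;
  if (!creds.expiration) return false; // static keys never expire
  return creds.expiration.getTime() - nowMs <= REFRESH_WINDOW_MS;
}

// roleProvider: hypothetical function returning temporary credentials
// ({accessKeyId, secretAccessKey, sessionToken, expiration: Date}) or null
// when no role is attached. In a real service this would be the AWS SDK's
// instance-metadata lookup; here it is injected so the logic runs offline.
// s3cfgText: contents of .s3cfg, or null when the file is absent.
// clock: returns current epoch ms (injected for testability).
function createCredentialResolver(roleProvider, s3cfgText, clock = Date.now) {
  let cached = null;
  let source = null;
  return {
    resolve() {
      const now = clock();
      if (!needsRefresh(cached, now)) return { credentials: cached, source };
      const fromRole = roleProvider();
      if (fromRole) {
        cached = fromRole;
        source = 'iam-role';
      } else {
        cached = s3cfgText ? parseS3cfg(s3cfgText) : null;
        source = cached ? 's3cfg' : null;
      }
      if (!cached) throw new Error('no S3 credentials available from role or .s3cfg');
      return { credentials: cached, source };
    },
  };
}

// Constructed sample .s3cfg (placeholder keys, not real credentials).
const SAMPLE_S3CFG = [
  '[default]',
  'access_key = AKIAEXAMPLEPLACEHOLDER',
  'secret_key = example-secret-placeholder',
  '# other s3cmd settings omitted',
].join('\n');
```

The refresh window is the part that matters for the rotation concern raised above: a resolver that only checks `expiration` at the exact moment of expiry will hand out keys that die mid-request, so credentials are replaced a few minutes early, and static keys read from `.s3cfg` are simply cached.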

+1 for this feature. Looks as though these lines would need to accommodate the AWS SDK.

Is there any reason to continue using a config file and not IAM roles?

Yes, the amount of overhead added for STS by aws-sdk is currently not well known in high throughput situations. Making the change is easy but determining whether it will perform well will take some work.

I see. Thanks for the info @yhahn