Hi
My org wants to end the use of key pairs for AWS access. Our AWS accounts are integrated with SSO: that works for many applications but it's not clear how that would work for credentials for the S3 connector.
One proposed method is to use IAM instance roles (if we run DTNs in AWS) and IAM Roles Anywhere (for on-campus systems). S3 also has Access Grants, which look like an interesting way of mapping identities to S3 datasets.
It's not completely keyless, but I'm thinking that we can accomplish some of the goals by using the --admin-managed-credential option and having an external process rotate keys (at least there won't be stale keys lying around). There's a fair bit of engineering in there and I'm not sure how Globus will cope with that key being rotated mid-transfer.
I'm not even sure that the S3 connector can deal with a "keyless" situation: adding the key looks to be pretty integral to creating the connection. I suppose if we used the "--s3-unauthenticated" option we could rely on the role/privilege of the underlying DTN instance (using instance roles/IAM Roles Anywhere) for access, but then mapping to individuals gets tricky.
It feels like madness lies in every direction we'd try. But I'm doing some due-diligence and thought I'd see if anyone else in the Globus community has explored other ways of authorizing the connection to S3.
Thanks
- Michael
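The post mentions having an external process rotate an admin-managed access key and worries about a key being swapped mid-transfer. The usual way to avoid that is a two-key overlap: create the replacement, point the connector at it, leave the old key valid for a grace period, then deactivate and finally delete it. The planner below is an added example (not code from the original post, and not Globus or AWS code) that encodes that state machine over key records shaped like `aws iam list-access-keys` output (`AccessKeyId`, `Status`, `CreateDate`). The thresholds, the sample key IDs and the `hooks` callbacks (which would wrap the IAM calls and whatever command updates the connector's credential) are all assumptions.

```python
"""Two-key overlap rotation planner for an IAM user's access keys.

Added example, not part of the original post or of Globus/AWS code.
Assumptions (hypothetical): key records have the shape of `aws iam
list-access-keys` output, the connector is re-pointed through a
caller-supplied callback, and the thresholds are policy choices.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)   # rotate a key once it is this old (assumed policy)
OVERLAP = timedelta(days=2)    # keep the old key valid this long after the swap (assumed)


def plan_rotation(keys, now, connector_key_id):
    """Return the (action, key_id) steps for one rotation tick.

    keys:             list of dicts with AccessKeyId, Status ('Active'/'Inactive')
                      and CreateDate (timezone-aware datetime)
    connector_key_id: the key the storage gateway is currently configured with

    IAM allows at most two access keys per user, so the plan frees a slot
    (delete) before asking for a new key, and never touches a key the
    connector still points at until the replacement is in place.
    """
    steps = []
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    inactive = [k for k in keys if k["Status"] == "Inactive"]

    # Inactive keys were swapped out on an earlier tick; nothing can still use them.
    for k in inactive:
        steps.append(("delete", k["AccessKeyId"]))

    if not active:
        steps.append(("create", None))
    elif len(active) == 1:
        if now - active[0]["CreateDate"] >= MAX_AGE:
            steps.append(("create", None))          # slot is free once inactive keys are gone
    else:
        old, new = active[0], active[1]
        if connector_key_id != new["AccessKeyId"]:
            # Move the gateway to the replacement first; the old key stays valid,
            # so transfers already running under it are not cut off.
            steps.append(("update_connector", new["AccessKeyId"]))
        elif now - new["CreateDate"] >= OVERLAP:
            # Overlap is measured from the new key's creation here; a real
            # deployment would record the actual swap time instead.
            steps.append(("deactivate", old["AccessKeyId"]))
    return steps


def rotate_once(keys, now, connector_key_id, hooks):
    """Plan one tick and run each step through hooks[action](key_id).

    hooks is a dict of callables (assumed): create, update_connector,
    deactivate, delete. Returns the executed steps for logging/auditing.
    """
    steps = plan_rotation(keys, now, connector_key_id)
    for action, key_id in steps:
        hooks[action](key_id)
    return steps


# Constructed sample data (not real keys or dates).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE = {"AccessKeyId": "AKIAEXAMPLEOLD000001", "Status": "Active",
         "CreateDate": NOW - timedelta(days=45)}
FRESH = {"AccessKeyId": "AKIAEXAMPLENEW000002", "Status": "Active",
         "CreateDate": NOW - timedelta(hours=1)}
SETTLED = {"AccessKeyId": "AKIAEXAMPLENEW000003", "Status": "Active",
           "CreateDate": NOW - timedelta(days=3)}
RETIRED = {"AccessKeyId": "AKIAEXAMPLEOLD000004", "Status": "Inactive",
           "CreateDate": NOW - timedelta(days=50)}


if __name__ == "__main__":
    log = []
    hooks = {a: (lambda k, a=a: log.append((a, k)))
             for a in ("create", "update_connector", "deactivate", "delete")}
    print(rotate_once([STALE], NOW, STALE["AccessKeyId"], hooks))
    print(rotate_once([STALE, FRESH], NOW, STALE["AccessKeyId"], hooks))
    print(rotate_once([STALE, SETTLED], NOW, SETTLED["AccessKeyId"], hooks))
    print(rotate_once([RETIRED, SETTLED], NOW, SETTLED["AccessKeyId"], hooks))
```

Run on a schedule, each tick advances the rotation by one step, so a key is never deactivated in the same tick the connector was moved off it. If the connector update fails, the planner simply repeats the `update_connector` step next tick, because the old key is still active and still configured.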