Two basic questions


Joe Hohertz

Mar 26, 2014, 12:34:34 PM
to exhibit...@googlegroups.com

1) If I have an IAM role provisioning access to S3 for the instances running exhibitor, do I need to specify --s3credentials still? Or does Exhibitor know to look to http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_ROLE_NAME>?

2) Can the S3 config and backup share a bucket, or should these be kept split up?

Thanks for any insights those of you with more experience can share.

--Joe

Jordan Zimmerman

Mar 26, 2014, 1:06:23 PM
to exhibit...@googlegroups.com, Joe Hohertz
Yes, IAM is supported. Just don’t specify --s3credentials and the default AWSClient constructor is used:

    public AmazonS3Client() {
        this(new AWSCredentialsProviderChain(
                new EnvironmentVariableCredentialsProvider(),
                new SystemPropertiesCredentialsProvider(),
                new InstanceProfileCredentialsProvider()) {

>2) Can the S3 config and backup share a bucket, or should these be kept split up?

I’m pretty sure you can use the same bucket. I can’t think of a reason why not.

-JZ
--
You received this message because you are subscribed to the Google Groups "exhibitor-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to exhibitor-use...@googlegroups.com.
To post to this group, send email to exhibit...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/exhibitor-users/926fc2d1-7fcd-498e-a62f-b82f255488fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Joe Hohertz

Mar 26, 2014, 2:01:53 PM
to exhibit...@googlegroups.com, Joe Hohertz
Thank you for clarifying, I was looking through the source but how it was chained to fall back to instance credentials wasn't jumping at me, but you've illustrated this nicely here.

Thanks again.

Jordan Zimmerman

Mar 26, 2014, 2:03:16 PM
to exhibit...@googlegroups.com, Joe Hohertz, Joe Hohertz
My (also a programmer) accuses me of writing loopy code that’s impossible to follow. Just a long series of indirections. Mea culpa.

Dillian Murphey

Jan 21, 2015, 1:53:30 PM
to exhibit...@googlegroups.com, j...@viafoura.com
How is the IAM role used though? Is that automatic? I can see my iam role from the EC2 metadata from the command line (curl the 169... address), but it doesn't appear to be working.

If there is no setup needed then I'll look closer at my role.

Dillian Murphey

Jan 27, 2015, 3:03:15 PM
to exhibit...@googlegroups.com, j...@viafoura.com
:(, wish there was more activity here.  But let me finish answering my own question.

Using an IAM Role, Exhibitor handles the S3 authentication automatically if your Role is there.

Same with aws tools too, if you have the Role set on the instance, you don't need to configure the aws creds.

Jordan Zimmerman

Jan 27, 2015, 3:12:44 PM
to exhibit...@googlegroups.com, Dillian Murphey, j...@viafoura.com
I think there’s reasonable activity given the size of the project. I try to answer every email that isn’t answered by someone else. Sorry, if I didn’t answer sooner. 

>How is the IAM role used though?  Is that automatic?  
>I can see my iam role from the EC2 metadata from the command line (curl the 169... address), but it doesn't appear to be working.

It’s not at all clear in the docs. But, if you want IAM, don’t set any S3 credentials. When that happens, Exhibitor uses the default AmazonS3Client which supports IAM, etc.

-JZ

Dillian Murphey

Jan 27, 2015, 6:10:47 PM
to exhibit...@googlegroups.com, cracks...@gmail.com, j...@viafoura.com
Not at all, you do a great job!  Thank you! 
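
The fallback order discussed in this thread, as an added diagnostic that is not Exhibitor or AWS SDK source: it queries the three providers named in the quoted constructor one at a time, in the same order, and reports which one the chain would use. It assumes the AWS SDK for Java 1.x is on the classpath; the class name `CredentialSourceCheck` and the `mask` helper are hypothetical.

```java
import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class name), run on the instance as the Exhibitor user.
public class CredentialSourceCheck {
    static final String ROLE = "EC2 instance profile (IAM role)";

    // Show only the last four characters so the output is safe to paste into a ticket.
    static String mask(String keyId) {
        int keep = Math.min(4, keyId.length());
        return "****" + keyId.substring(keyId.length() - keep);
    }

    public static void main(String[] args) {
        // Same providers, same order, as the chain quoted in the thread.
        Map<String, AWSCredentialsProvider> chain = new LinkedHashMap<>();
        chain.put("environment variables", new EnvironmentVariableCredentialsProvider());
        chain.put("Java system properties", new SystemPropertiesCredentialsProvider());
        chain.put(ROLE, new InstanceProfileCredentialsProvider());

        String winner = null;
        for (Map.Entry<String, AWSCredentialsProvider> e : chain.entrySet()) {
            try {
                // Off EC2 the last provider fails only after the metadata request times out.
                AWSCredentials c = e.getValue().getCredentials();
                if (c == null || c.getAWSAccessKeyId() == null) {
                    throw new AmazonClientException("provider returned no key id");
                }
                System.out.printf("%-34s key id %s%n", e.getKey(), mask(c.getAWSAccessKeyId()));
                if (winner == null) winner = e.getKey();   // first hit is what the chain uses
            } catch (AmazonClientException ex) {
                System.out.printf("%-34s none (%s)%n", e.getKey(), ex.getMessage());
            }
        }
        if (winner == null) {
            System.out.println("No provider returned credentials: check that an instance profile is attached.");
        } else if (!ROLE.equals(winner)) {
            System.out.println("Static keys from " + winner + " take precedence over the IAM role.");
        } else {
            System.out.println("The IAM role is the effective credential source.");
        }
    }
}
```

Because the first provider that yields credentials wins, a leftover access key in the process environment or in a `-D` system property is used in place of the role, which is worth ruling out when the role appears to be ignored.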

Pritpal Singh

Jun 6, 2017, 2:32:09 PM
to exhibitor-users, cracks...@gmail.com, j...@viafoura.com
Hi, according to our bucket policy we can only upload encrypted objects to the s3 bucket. Can exhibitor upload shared config to an encrypted bucket?

When I try updating shared config via the Exhibitor UI, it throws the following error:

"Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: EDA32F6EAB314386)"

Appreciate help!