Does this support AWS IAM roles?


jrob...@springbuk.com

May 29, 2019, 10:54:35 AM
to Shrine
Hi,

The documentation for using AWS S3 mentions that I need to specify an access_key and secret_key. Does this support using an IAM role instead? When I try using a role, and without specifying any access_key or secret_key, I'm getting an error as part of `rake assets:precompile`:

Aws::Sigv4::Errors::MissingCredentialsError: missing credentials, provide credentials with one of the following options:
  - :access_key_id and :secret_access_key
  - :credentials
  - :credentials_provider




Thanks in advance for any advice.

Maxence M

May 29, 2019, 11:18:57 AM
to Shrine
Hi Jrobinson,

I think precompiling is not really a Shrine issue; what I have done is set my s3_options as follows:

s3_options = {
  bucket:            ENV["AWS_S3_BUCKET_NAME"] || Rails.application.secrets.bucket || "dummy",
  access_key_id:     ENV["AWS_ID"] || Rails.application.secrets.user_name || "dummy",
  secret_access_key: ENV["AWS_KEY"] || Rails.application.secrets.password || "dummy",
  region:            'eu-west-1',
}

If we are in production it will try to grab an environment variable.
If we are in development it will grab a value in `secrets`.
Otherwise it is populated with a dummy value.

Otherwise you should have some key/access key for each of your IAM roles, so I don't think it is a problem...

(I am not an advanced coder, so someone may give you more insightful information)

John Robison

May 30, 2019, 5:18:29 PM
to Shrine
Thanks for your reply.

Using an environment variable seems like it would only work with statically defined access keys, which isn't my goal. I'd like to use an IAM role, which automatically rotates credentials and the AWS SDK can usually pick them up.

Does anyone have an example of using this with an IAM role? Specifically in the context of AWS ECS (Fargate), since that has its own metadata service separate from EC2 metadata.

FWIW, something like `aws s3 cp /tmp/blankfile s3://...` works fine without any configuration at all, the awscli's underlying AWS SDK picks up the credentials from the role. So I know that the underlying credentials are there, I just need to get Shrine to be able to pick them up.

Thanks again for any help.


Janko Marohnić

Jun 15, 2019, 5:03:32 PM
to Shrine, John Robison
Shrine::Storage::S3.new(...) accepts any options that Aws::S3::Client#initialize accepts, so just find out how to set up the AWS SDK with IAM roles. The only required option is :bucket, everything else is forwarded to Aws::S3::Client#initialize. When you see its documentation, you can see that :access_key_id/:secret_access_key/:region options are just one way of authentication.

Kind regards,
Janko
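
One way to apply the answer above on ECS/Fargate, as an added example that is not part of the thread or of Shrine's own code: pass credential options only when real static keys exist, so the AWS SDK's default provider chain can resolve the role. The env var names AWS_S3_BUCKET_NAME, AWS_ID and AWS_KEY are taken from the thread; AWS_REGION as the region source and all helper names are assumptions.

```ruby
# Added example, not from the thread or from Shrine's own code.
# AWS_S3_BUCKET_NAME, AWS_ID and AWS_KEY are the env var names used in the
# thread; AWS_REGION and the helper names below are assumptions.
begin
  require "shrine/storage/s3" # optional here so the helpers run without the gem
rescue LoadError
end

# Set by ECS (including Fargate) inside a task that has a task role.
ECS_CREDS_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

# Which credential source the options below will end up using.
def credential_source(env)
  return :static_keys if static_keys?(env)
  return :ecs_task_role if present?(env[ECS_CREDS_VAR])
  :sdk_default_chain # e.g. shared config file or EC2 instance profile
end

# Options for Shrine::Storage::S3.new. Credential keys are added only when
# real static keys exist. With no credential options the SDK resolves them
# through its default provider chain, which is where role credentials come
# from. A placeholder such as "dummy" would be used as a static key instead.
def s3_storage_options(env)
  opts = {
    bucket: env.fetch("AWS_S3_BUCKET_NAME"), # fail loudly if unset
    region: env.fetch("AWS_REGION", "eu-west-1"),
  }
  if static_keys?(env)
    opts[:access_key_id] = env["AWS_ID"]
    opts[:secret_access_key] = env["AWS_KEY"]
  end
  opts
end

def static_keys?(env)
  present?(env["AWS_ID"]) && present?(env["AWS_KEY"])
end

def present?(value)
  !value.nil? && !value.strip.empty?
end

# Builds the storage; needs the shrine and aws-sdk-s3 gems.
def build_shrine_storage(env = ENV)
  Shrine::Storage::S3.new(**s3_storage_options(env))
end
```
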