Feature #15599

[keepstore] AWS support IAM roles for authentication

Added by Ward Vandewege 25 days ago. Updated 3 days ago.

Status: In Progress
Priority: Normal
Assigned To:
Category: -
Target version:
Start date:
Due date:
% Done: 0%
Estimated time: (Total: 0.00 h)
Story points: 2.0

Description

AWS best practice for services running on EC2 is to use IAM roles for authentication. The AWS Go SDK supports this natively, cf. https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html

It would be nice if Keepstore supported IAM roles, perhaps falling back to that authentication method when SecretKeyFile and AccessKeyFile are not supplied in the configuration file. Maybe using the metadata to detect that it's running on EC2 first so we don't provide confusing information when no credentials are present and Keepstore is running elsewhere.

Getting credentials from instance metadata: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
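
The fallback this request describes, as an added example (not Keepstore's code and not the AWS SDK's implementation): static keys are used when both are configured, otherwise the role name and then its credentials document are read from the instance-metadata path linked above, with a distinct error for "not on EC2" and for "no role attached". `Resolve`, `Creds`, `FakeMetadata` and the injected `fetch` function are hypothetical names; `fetch` stands in for an HTTP GET against the metadata service, and the role name and key values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Creds struct { // fields used from the metadata credentials document
	AccessKeyId, SecretAccessKey, Token string
	Expiration                          time.Time // role keys must be re-fetched before this
}

const rolePath = "/latest/meta-data/iam/security-credentials/"

// Resolve prefers configured static keys, else asks the metadata service via fetch.
func Resolve(accessKey, secretKey string, fetch func(string) ([]byte, error)) (Creds, string, error) {
	if accessKey != "" && secretKey != "" {
		return Creds{AccessKeyId: accessKey, SecretAccessKey: secretKey}, "static", nil
	}
	list, err := fetch(rolePath) // response body is the attached role's name
	if err != nil {
		return Creds{}, "", fmt.Errorf("no key files configured and no metadata service (not on EC2?): %w", err)
	}
	names := strings.Fields(string(list))
	if len(names) == 0 {
		return Creds{}, "", fmt.Errorf("no key files configured and no IAM role attached")
	}
	doc, err := fetch(rolePath + names[0])
	var c Creds
	if err != nil || json.Unmarshal(doc, &c) != nil || c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return Creds{}, "", fmt.Errorf("unusable credentials document for role %q", names[0])
	}
	return c, "iam-role:" + names[0], nil
}

// FakeMetadata is constructed sample data standing in for HTTP GETs on the metadata service.
func FakeMetadata(path string) ([]byte, error) {
	if path == rolePath {
		return []byte("keepstore-role\n"), nil
	}
	return []byte(`{"Code":"Success","AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed-secret","Token":"constructed-token","Expiration":"2019-09-25T18:00:00Z"}`), nil
}

func main() {
	_, source, err := Resolve("", "", FakeMetadata)
	fmt.Println(source, err)
}
```

Role credentials carry a session `Token` and an `Expiration`, so a caller has to send the token with each request and resolve again before the expiry time.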


Subtasks

Task #15619: Review - New - Peter Amstutz

History

#1 Updated by Ward Vandewege 25 days ago

  • Target version set to To Be Groomed

#2 Updated by Tom Clegg 19 days ago

  • Description updated (diff)

#3 Updated by Tom Morris 19 days ago

  • Story points set to 2.0
  • Target version changed from To Be Groomed to Arvados Future Sprints

#4 Updated by Tom Morris 12 days ago

  • Target version changed from Arvados Future Sprints to 2019-09-25 Sprint

#5 Updated by Tom Clegg 12 days ago

  • Assigned To set to Tom Clegg

#9 Updated by Tom Clegg 11 days ago

  • Status changed from New to In Progress

#10 Updated by Tom Clegg 11 days ago

15599-keepstore-iam-role @ 47afcd7595b49cf8a1756cb8f00139cd6269f544 -- https://ci.curoverse.com/view/Developer/job/developer-run-tests/1521/

(hasn't been tested on a real cluster yet)
