when trying to use mongodb-consistent-backup in AWS , with support enabled for S3 upload and using credentials in IAM role of an EC2 instance rather than explicit key and access tokens, it fails.
This way only explicit AWS keys will work with mongodb-consistent-backup , which is an anti-pattern when working inside AWS. Using IAM roles avoids the need of rotating keys as this is automatically performed by AWS.
Take this link as documentation (even if its for the PHP SDK, it also works for python):
My proposal is to change the following lines in S3.py:
if None in (self.access_key, self.secret_key, self.region):
raise OperationError("Invalid or missing AWS S3 access key, secret key or region detected!")
to
if None in (self.region):
raise OperationError("Invalid or missing AWS region detected!")
if aws_access_key_id is not None and aws_secret_access_key is not None:
self._conn = boto.s3.connect_to_region(
self.region,
aws_access_key_id=self.access_key,
aws_secret_access_key=self.secret_key,
is_secure=self.secure,
calling_format=self.calling_format
...
else:
self._conn = boto.s3.connect_to_region(
self.region,
is_secure=self.secure,
calling_format=self.calling_format
...
I may fork the code and do a PR myself in the following weeks, just wanted to open the ticket in case somebody has the time to do so before.
Hi there,
when trying to use mongodb-consistent-backup in AWS , with support enabled for S3 upload and using credentials in IAM role of an EC2 instance rather than explicit key and access tokens, it fails.
Checking the S3Session.py file I see
This way only explicit AWS keys will work with mongodb-consistent-backup , which is an anti-pattern when working inside AWS. Using IAM roles avoids the need of rotating keys as this is automatically performed by AWS.
Take this link as documentation (even if its for the PHP SDK, it also works for python):
https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/credentials.html#instance-profile-credentials
My proposal is to change the following lines in S3.py:
to
and also change the following ins S3Session.py
for something similar to:
I may fork the code and do a PR myself in the following weeks, just wanted to open the ticket in case somebody has the time to do so before.
kind regards