Open kizmanj opened 8 months ago
Hi @kizmanj, we're aware of this use case. For example, since this PR has been merged, it has been possible to use IAM roles on EC2 instances instead of access key pairs. It implies that you use the `local` endpoint type of the media library and specify a remote disk under `twill.media_library.disk`. That way the Twill uploader doesn't attempt to direct upload to S3, it uploads to your application first, which can be authorized to communicate with S3 to actually store the file. Maybe you've tried that and it didn't work?
Happy to review a PR improving compatibility for sure!
Summary
When running in a container from EKS and using service accounts, AWS services are not accessed with a static key/secret pair, but with temporary credentials received from STS. (keyId, secret, sessionToken)
https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html
Describe the solution you'd like
The following files will need to be updated to add `x-amz-security-token` to the policy document and the upload's form data:

- `src/Http/ViewComposers/MediasUploaderConfig.php`
- `frontend/js/components/media-library/Uploader.vue`
Additional context
Working on a branch with the changes
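
For reference, a server-side sketch of what the request above amounts to: an S3 POST policy signed with SigV4 where `x-amz-security-token` appears both as a policy condition and as a form field. This is an added example, not Twill's code or the branch mentioned above; the function name, its parameters, the 10 MiB size cap and the sample credentials are all assumptions.

```php
<?php
/**
 * Added example (not Twill code): build the signed form fields for a
 * SigV4 browser POST upload to S3 using temporary STS credentials.
 * $creds is the triple from the issue: keyId, secret, sessionToken.
 */
function buildS3PostFields(array $creds, string $bucket, string $region,
                           string $keyPrefix, int $now, int $ttl = 300): array
{
    $day        = gmdate('Ymd', $now);
    $amzDate    = gmdate('Ymd\THis\Z', $now);
    $credential = "{$creds['keyId']}/{$day}/{$region}/s3/aws4_request";

    // Every field the browser posts must be matched by a policy condition.
    $fields = [
        'x-amz-algorithm'      => 'AWS4-HMAC-SHA256',
        'x-amz-credential'     => $credential,
        'x-amz-date'           => $amzDate,
        // Required when the key id comes from STS temporary credentials.
        'x-amz-security-token' => $creds['sessionToken'],
    ];

    // Restrict bucket, key prefix and size (10 MiB cap is an assumption).
    $conditions = [['bucket' => $bucket], ['starts-with', '$key', $keyPrefix],
                   ['content-length-range', 0, 10 * 1024 * 1024]];
    foreach ($fields as $name => $value) {
        $conditions[] = [$name => $value];
    }

    $policy = base64_encode(json_encode([
        // Keep the policy short-lived, never longer than the STS session.
        'expiration' => gmdate('Y-m-d\TH:i:s\Z', $now + $ttl),
        'conditions' => $conditions,
    ]));

    // SigV4 signing key: HMAC chain over date, region, service, terminator.
    $key = 'AWS4' . $creds['secret'];
    foreach ([$day, $region, 's3', 'aws4_request'] as $part) {
        $key = hash_hmac('sha256', $part, $key, true);
    }

    // The secret stays on the server; only these fields reach the browser.
    return $fields + [
        'policy'          => $policy,
        'x-amz-signature' => hash_hmac('sha256', $policy, $key),
    ];
}

// Constructed sample credentials (not real).
$creds = ['keyId' => 'ASIAEXAMPLEKEYID0000', 'secret' => 'example-secret',
          'sessionToken' => 'example-session-token'];
print_r(buildS3PostFields($creds, 'example-bucket', 'eu-west-1', 'uploads/', time()));
```

The browser form then sends these fields together with `key` (starting with the allowed prefix) and `file`; the session token value must be identical in the policy and in the form data.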