area17 / twill

Twill is an open source CMS toolkit for Laravel that helps developers rapidly create a custom admin console that is intuitive, powerful and flexible. Chat with us on Discord at https://discord.gg/cnWk7EFv8R.
https://twillcms.com
Apache License 2.0

S3 direct upload from EKS #2414

Open kizmanj opened 8 months ago

kizmanj commented 8 months ago

Summary

When running in a container from EKS and using service accounts, AWS services are not accessed with a static key/secret pair, but with temporary credentials received from STS (keyId, secret, sessionToken).

https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html

Describe the solution you'd like

The following files will need to be updated to add x-amz-security-token to the policy document and the upload's form data:
    src/Http/ViewComposers/MediasUploaderConfig.php
    frontend/js/components/media-library/Uploader.vue

Additional context

Working on a branch with the changes
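The two changes the issue asks for, as an added Python example that is not Twill's code (Twill's uploader config is PHP and its uploader is Vue): build the browser POST form fields and the SigV4-signed policy for an S3 bucket, placing x-amz-security-token in both the form and the policy conditions whenever the credentials carry an STS session token, and check that every field the browser will send is covered by the policy. Bucket, region, key prefix and credentials are constructed placeholders.

```python
import base64, datetime, hashlib, hmac, json

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    # Standard SigV4 signing-key derivation for the S3 service.
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")

def build_post_upload(bucket, region, key_prefix, creds, now, ttl=3600):
    """Form fields for a browser POST to S3. creds holds access_key,
    secret_key and, for STS/IRSA credentials, session_token; the token
    goes into the form AND the policy conditions, or S3 rejects the POST."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{creds['access_key']}/{date_stamp}/{region}/s3/aws4_request"
    fields = {
        "acl": "private",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
    }
    token = creds.get("session_token")
    if token:  # temporary credentials: token is mandatory in both places
        fields["x-amz-security-token"] = token
    # Every field above must be echoed as a policy condition.
    conditions = [{"bucket": bucket}, ["starts-with", "$key", key_prefix]]
    conditions += [{k: v} for k, v in fields.items()]
    expiration = (now + datetime.timedelta(seconds=ttl)).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = json.dumps({"expiration": expiration, "conditions": conditions})
    fields["policy"] = base64.b64encode(policy.encode()).decode()
    fields["x-amz-signature"] = hmac.new(
        signing_key(creds["secret_key"], date_stamp, region),
        fields["policy"].encode(), hashlib.sha256).hexdigest()
    return fields

def form_matches_policy(fields: dict) -> bool:
    """True when every field the browser sends is covered by a policy condition."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    covered = set()
    for cond in policy["conditions"]:
        covered.update(cond.keys() if isinstance(cond, dict) else [cond[1].lstrip("$")])
    return {k for k in fields if k not in ("policy", "x-amz-signature")} <= covered
```

The same check catches the failure mode behind this issue from the other side: a form that carries x-amz-security-token while the policy document does not mention it fails form_matches_policy, which is exactly the POST S3 would refuse.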

ifox commented 7 months ago

Hi @kizmanj, we're aware of this use case. For example, since this PR has been merged, it has been possible to use IAM roles on EC2 instances instead of access key pairs. It implies that you use the local endpoint type of the media library and specify a remote disk under twill.media_library.disk. That way the Twill uploader doesn't attempt to direct upload to S3, it uploads to your application first, which can be authorized to communicate with S3 to actually store the file. Maybe you've tried that and it didn't work?

Happy to review a PR improving compatibility for sure!