search

carrierwaveuploader / carrierwave-aws

AWS-SDK storage adapter for CarrierWave
MIT License
409 stars 107 forks source link

Configure with IAM Role #163

Open mavinalim opened 4 years ago

mavinalim commented 4 years ago

First, I just wanted to say I have read the topic in #53. However, the person says in order for IAM Role to work, you just need to "leave it out" for aws_access_key and aws_access_secret. I have tried both commenting out the two lines:

  config.aws_credentials = {
    region:            Rails.application.secrets.aws[:AWS_REGION], # Required
    stub_responses:    Rails.env.test? # Optional, avoid hitting S3 actual during tests
  }

and

  config.aws_credentials = {
    access_key_id: ""    ,
    secret_access_key: "",
    region:            Rails.application.secrets.aws[:AWS_REGION], # Required
    stub_responses:    Rails.env.test? # Optional, avoid hitting S3 actual during tests
  }

I get this error for both options.

CarrierWave Error: missing credentials, provide credentials with one of the following options:
  - :access_key_id and :secret_access_key
  - :credentials
  - :credentials_provider

I can confirm that my IAM role is working fine, I tested with aws-sdk. It just seems like carrierwave is not liking the way I set up. Please help if anyone can, Thank you!

sorentwo commented 4 years ago

I don't have any context beyond the discussion in #53. That error isn't coming from carrierwave-aws directly, it would be bubbling up from aws-sdk in some way.

nitishgangal89 commented 4 years ago

@sorentwo

I also want to use IAM profile attached to EC2 instance for carrierwave usage. I followed all the previous issues and resources associated.

I would like to know what is the correct configuration to leave out the credentils in the carrierwave initialiers...

I am guessing that the following should be correct and it would fetch the credentials automatically from the attached IAM role to instance.

config.aws_credentials = {
    region:            Rails.application.secrets.aws[:AWS_REGION], # Required
    stub_responses:    Rails.env.test? # Optional, avoid hitting S3 actual during tests
  }

However, I think it did not work well and I kept getting the timeout when trying to upload a small file.

IAM role attached to the instance is right because the rest of the functionality implemented through fog-aws works well.

Also, config.aws_acl = 'private' is this the required parameter? If this is not set for a bucket having "Objects can be public" configuration results in an timeout error?

Please advice and suggest at the earliest.

@mavinalim Please let me know if you found some solution around..

Thank you!

wwk-github commented 2 years ago

@nitishgangal89 did you find the proper solution? I have a similar situation.

ibrahima commented 1 year ago

In case it's helpful, in my case I decided to add

Aws.config.update(credentials: Aws::InstanceProfileCredentials.new)

to my AWS initialization code, and CarrierWave seems to pick that up. You could try to rely on the automatic credential lookup mechanisms but to me it seemed more deterministic to be explicit about it. (If you have different credential mechanisms in different environments it might be a good idea to make it conditional but still explicit.)