chef / chef-server

Chef Infra Server is a hub for configuration data, storing cookbooks, node policies, and metadata of managed nodes.
https://www.chef.io/chef/
Apache License 2.0
289 stars, 210 forks

IAM support for Bookshelf on S3 #492

Open pghalliday opened 9 years ago

pghalliday commented 9 years ago

If not, I think this would be a great addition so as not to have to create users with permanent access keys on AWS instances.

pghalliday commented 9 years ago

Having just tried not specifying the access key in chef-server.rb, I can say that that does not work.

stevendanna commented 7 years ago

The original reporter is correct that bookshelf doesn't currently support IAM. I've modified the title to make this into an enhancement request.

ameir commented 7 years ago

@stevendanna do you know if any work towards this is planned? I looked into scraping up time for a PR, but found out that this is in Erlang, which will take me forever to figure out. I was just setting up a new cluster, and got hit by this issue. I'd love to not have to use a user + key for this; it complicates setup (having to store the key outside of git), and is less secure.

Aslan commented 7 years ago

+1 for support on this ticket! This would be a great improvement.

joshpollara commented 7 years ago

+1 This would be a very useful addition

rszuster commented 7 years ago

+1 This would be extremely helpful, one less credential to keep secret, rotate and track...

Quantu commented 5 years ago

+1 Would be a great addition, please implement for all components supporting S3 storage and for RDS.

PrajaktaPurohit commented 4 years ago

Hey @pghalliday, just for my understanding, are you:

A) storing cookbooks in Amazon S3 - In this case bookshelf is not being used. Erchef talks directly to S3. Here we would want erchef to use IAM credentials to authenticate the user to S3.

B) storing cookbooks on the chef-server - In this case erchef does not talk to S3 and uses bookshelf instead to store cookbooks. Here we would want erchef to use IAM credentials to authenticate the user to bookshelf, and bookshelf to be able to accept the IAM credentials as authentication.

We think you want case A, storing cookbooks in amazon s3.

That would help us define the scope of the request better. Thank you!

tas50 commented 3 years ago

https://github.com/chef/chef-server/issues/2217 is a dependency on us being able to support IAM data in the future