cloudyr / aws.signature

Amazon Web Services Request Signatures
https://cloud.r-project.org/package=aws.signature

IAM role credentials for use within docker container #21

Closed gregmacfarlane closed 6 years ago

gregmacfarlane commented 6 years ago

I have an EC2 instance with an attached IAM role that should allow me to download a file from a bucket. In the bare instance, I can run

aws s3 cp s3://mybucket/file .

and it works fine. It also works from inside the docker container, running a bash terminal through RStudio. I can even locate appropriate credentials through aws.signature and aws.ec2metadata!

tryCatch({
    aws.signature::locate_credentials()
}, error = print)
## $key
## [1] "<my key>"
## 
## $secret
## [1] "<my secret>"
##
## $session_token
## [1] "<my token>"
##
## $region
## [1] "us-east-1"

But when I call aws.signature::use_credentials(),

aws.signature::use_credentials()
## Error in read_credentials(file) : 
##   File '/home/rstudio/.aws/credentials' does not exist.

This means that all of the aws.s3::get_object(), etc. functions fail.

Is there something manual I need to do to link the IAM role to the use_credentials() function?

josiekre commented 6 years ago

This will be fixed using the 'stable' version of aws.s3, which is installed from cloudyr's repo rather than the one on CRAN.

install.packages("aws.s3", repos = c("cloudyr" = "http://cloudyr.github.io/drat"))

To expand on that, aws.s3::get_object() ultimately calls aws.s3::s3HTTP().

With the CRAN version of s3HTTP(), aws.signature::locate_credentials() is never called.

s3HTTP <- function (verb = "GET", bucket = "", path = "", query = NULL, 
    headers = list(), request_body = "", accelerate = FALSE, 
    dualstack = FALSE, parse_response = TRUE, check_region = TRUE, 
    url_style = c("path", "virtual"), base_url = "s3.amazonaws.com", 
    verbose = getOption("verbose", FALSE), region = Sys.getenv("AWS_DEFAULT_REGION", 
        "us-east-1"), key = Sys.getenv("AWS_ACCESS_KEY_ID"), 
    secret = Sys.getenv("AWS_SECRET_ACCESS_KEY"), session_token = Sys.getenv("AWS_SESSION_TOKEN"), ...)  {  
...

With the version on the master branch right now,

s3HTTP <- 
function(verb = "GET",
         bucket = "", 
         path = "", 
         query = NULL,
         headers = list(), 
         request_body = "",
         write_disk = NULL,
         accelerate = FALSE,
         dualstack = FALSE,
         parse_response = TRUE, 
         check_region = TRUE,
         url_style = c("path", "virtual"),
         base_url = "s3.amazonaws.com",
         verbose = getOption("verbose", FALSE),
         region = NULL, 
         key = NULL, 
         secret = NULL, 
         session_token = NULL,
         ...) {

    # locate and validate credentials
    credentials <- locate_credentials(key = key, secret = secret, session_token = session_token, region = region, verbose = verbose)
    key <- credentials[["key"]]
    secret <- credentials[["secret"]]
    session_token <- credentials[["session_token"]]
    region <- credentials[["region"]]
...

leeper commented 6 years ago

I'm going to assume for the time being that this is resolved with the current version of aws.signature, assuming you have installed aws.ec2metadata as well. If not, I will re-open.
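
For installs where s3HTTP() still defaults to environment variables only, one way to use the instance role is to resolve credentials on every call and pass them explicitly, since role credentials are temporary and a copy cached in environment variables goes stale. This is an added example, not code from the thread or from the cloudyr packages; `with_located_credentials`, `fake_locate` and `fake_get_object` are hypothetical names, and the credential values are constructed.

```r
# Added example: resolve credentials at call time and hand them to an
# S3 function as explicit arguments instead of relying on env-var defaults.
with_located_credentials <- function(fun, ...,
                                     locate = aws.signature::locate_credentials) {
  creds <- locate()

  # Fail early (without printing secret values) if nothing usable was found.
  required <- c("key", "secret")
  usable <- vapply(required, function(n) {
    v <- creds[[n]]
    is.character(v) && length(v) == 1L && nzchar(v)
  }, logical(1))
  if (!all(usable)) {
    stop("no usable credentials: missing ",
         paste(required[!usable], collapse = ", "))
  }

  args <- list(..., key = creds[["key"]], secret = creds[["secret"]],
               region = creds[["region"]])

  # Role credentials are only valid together with their session token.
  token <- creds[["session_token"]]
  if (is.character(token) && length(token) == 1L && isTRUE(nzchar(token))) {
    args$session_token <- token
  }
  do.call(fun, args)
}

# Constructed stand-ins so the block runs offline, without AWS access.
fake_locate <- function() {
  list(key = "AKIAEXAMPLEKEY", secret = "example-secret",
       session_token = "example-token", region = "us-east-1")
}
fake_get_object <- function(object, bucket, key, secret,
                            session_token = NULL, region = NULL) {
  sprintf("GET s3://%s/%s key=%s token_present=%s region=%s",
          bucket, object, key, !is.null(session_token), region)
}

print(with_located_credentials(fake_get_object, object = "file",
                               bucket = "mybucket", locate = fake_locate))

# On the EC2 instance (assumes get_object() forwards these arguments
# to s3HTTP(), whose signature is quoted above):
# with_located_credentials(aws.s3::get_object, object = "file", bucket = "mybucket")
```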