postgres
database backup trying to use AWS secrets rather than IAM when accesskey and secretkey are blank
I have IAM set up and have confirmed it works in the deis namespace by running up generic ubuntu and accessing the bucket successfully. However, the database log is showing this:
```
Performing an initial backup...
wal_e.main INFO MSG: starting WAL-E
DETAIL: The subcommand is "backup-push".
STRUCTURED: time=2017-04-13T21:05:13.346499-00 pid=111
wal_e.main ERROR MSG: AWS Access Key credential is required but not provided
HINT: Pass "--aws-access-key-id" or set the environment variable "AWS_ACCESS_KEY_ID".
STRUCTURED: time=2017-04-13T21:05:13.346858-00 pid=111
```
My values config snippets are:
```yaml
global:
  # Set the storage backend
  #
  # Valid values are:
  # - s3: Store persistent data in AWS S3 (configure in S3 section)
  # - azure: Store persistent data in Azure's object storage
  # - gcs: Store persistent data in Google Cloud Storage
  # - minio: Store persistent data on in-cluster Minio server
  storage: s3
.
.
.
  database_location: "on-cluster"
.
.
.
s3:
  # Your AWS access key. Leave it empty if you want to use IAM credentials.
  accesskey: ""
  # Your AWS secret key. Leave it empty if you want to use IAM credentials.
  secretkey: ""
  # Any S3 region
  region: "us-west-2"
  # Your buckets.
  registry_bucket: "tectonic-deis-registry"
  database_bucket: "tectonic-deis-database"
  builder_bucket: "tectonic-deis-builder"
```
This is with chart 2.13 (assuming this is the latest).
Maybe this? https://github.com/wal-e/wal-e/pull/289
Sounds like it! Feel like writing up a fix to add AWS_INSTANCE_PROFILE=1 to the environment if both the access key and secret key are not present?
This is where we'd need to set that: https://github.com/deis/postgres/blob/c480c013038cffb87632fec67e766fb8e9bb58dd/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh#L31-L36
Code at: https://github.com/deis/postgres/blob/c480c013038cffb87632fec67e766fb8e9bb58dd/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh#L31-L36
should be (based on https://github.com/wal-e/wal-e/pull/289):
```bash
# if these values are empty, then the user is using IAM credentials so we don't want these in the
# environment
if [[ "$AWS_ACCESS_KEY_ID" != "" && "$AWS_SECRET_ACCESS_KEY" != "" ]]; then
  echo "$AWS_ACCESS_KEY_ID" > AWS_ACCESS_KEY_ID
  echo "$AWS_SECRET_ACCESS_KEY" > AWS_SECRET_ACCESS_KEY
else
  # no static keys: have WAL-E use the instance profile (wal-e/wal-e pull 289)
  echo "1" > AWS_INSTANCE_PROFILE
fi
```
This is based on the assumption you are using a WAL-E build after Nov 28, 2016.
Yes. What I meant was would you mind writing up a PR with that code? If not I'll write one up.
I'll see if I can figure out how to do this officially via a pull request.
I'll create a pull request.
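The envdir logic discussed in this thread, written out as an added example (it is not the deis/postgres script or any participant's code). The function name `setup_wale_envdir` and its envdir-path argument are assumptions; beyond the two cases in the thread it rejects a half-configured key pair and writes the files under a restrictive umask.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the deis/postgres entrypoint script.
# Populates a WAL-E envdir (one file per variable) from the current environment.
#   $1 = envdir path (assumed argument)
# Returns 0 on success, 2 when only one of the two static keys is set.
setup_wale_envdir() (
    envdir=$1
    umask 077    # credential files must not be group- or world-readable
    mkdir -p "$envdir" || exit 1
    cd "$envdir" || exit 1

    # Remove files from an earlier run so the previous credential mode
    # cannot linger next to the new one.
    rm -f AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_INSTANCE_PROFILE

    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        # Static credentials supplied: printf avoids echo's option and
        # escape handling on unusual key material.
        printf '%s\n' "$AWS_ACCESS_KEY_ID" > AWS_ACCESS_KEY_ID
        printf '%s\n' "$AWS_SECRET_ACCESS_KEY" > AWS_SECRET_ACCESS_KEY
    elif [ -z "${AWS_ACCESS_KEY_ID:-}" ] && [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        # Both blank: have WAL-E use the instance profile (IAM role).
        printf '1\n' > AWS_INSTANCE_PROFILE
    else
        # Exactly one key set is a misconfiguration. Fail with an empty
        # envdir instead of silently falling back to the instance role.
        echo "setup_wale_envdir: only one of access key / secret key is set" >&2
        exit 2
    fi
)
```
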