drone-plugins / drone-s3

Drone plugin for publishing artifacts to Amazon S3
http://plugins.drone.io/drone-plugins/drone-s3
Apache License 2.0

Support IAM roles #11

Closed mjschultz closed 4 years ago

mjschultz commented 8 years ago

Our drone EC2 instances have the ability to write to S3 through the IAM role they were given at startup. The normal way to use this is to not specify access_key or secret_key.

However, the current setup for this plugin is such that it will not run the plugin if the access_key/secret_key are not specified (though the docs say they are optional).

My preferred solution would be to make the access_key/secret_key actually optional, but the use case in the comment above the non-optional code is:

    // skip if AWS key or SECRET are empty. A good example for this would
    // be forks building a project. S3 might be configured in the source
    // repo, but not in the fork

Which would break if they were optional. An alternative is to add a use_iam: true setting, though it would still be the case that a fork would fail if that were set.

mjschultz commented 8 years ago

Looks like removing this restriction was attempted in #2 but still needs a bit of work https://github.com/drone-plugins/drone-s3/pull/2#issuecomment-159031826

mjschultz commented 8 years ago

I think it would be safe to remove the code for that comment and recommend people add a:

when:
    repo: owner/name

To their upload if that is going to be a problem.

bradrydzewski commented 8 years ago

I just wanted to add a note here that I included in a few other issues because I think this is important to highlight ...

I just want to point out the possible security vulnerability here. This means ANY build running on your server will have access to your infrastructure via iam. This includes a malicious pull request. I would not recommend using iam with a public github repository.

Typically this is not an issue because you have to sign the yaml and the passwords are not provided to the container if the signature doesn't match. In this case there are no passwords, and therefore, the step can run without a signature.

fernandrone commented 6 years ago

Given that drone sign is not supported anymore, would this PR be acceptable to solve this issue?

https://github.com/drone-plugins/drone-s3/pull/41

ashtonian commented 6 years ago

I would like to be able to do this to take some repo resources (db migration scripts) and put them on a bucket for go-migrate without having to specify keys.

tboerger commented 4 years ago

This should already be supported: access key and secret key are optional; if they are not provided, it falls back to EC2 profiles.
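The fallback described in the last comment, together with the guard the thread calls for (the `when: repo:` allow-list and no ambient IAM credentials for pull requests from forks), as an added Go example that is not the plugin's own code. `BuildContext`, its fields and the trusted-repo list are assumptions standing in for Drone's build metadata (`DRONE_BUILD_EVENT`, `DRONE_REPO`) and the `when:` constraint; the credential modes are illustrative labels, not the plugin's settings.

```go
package main

import (
	"errors"
	"fmt"
)

// BuildContext is the subset of Drone build metadata the guard needs.
// Field names are hypothetical; Drone exposes this information to
// plugins as DRONE_BUILD_EVENT, DRONE_REPO and similar variables.
type BuildContext struct {
	Event string // "push", "tag", "pull_request", ...
	Repo  string // "owner/name" of the repository being built
	Fork  bool   // true when the pull request comes from a fork
}

// CredentialMode says where the plugin takes its AWS credentials from.
type CredentialMode string

const (
	ModeStatic          CredentialMode = "static"           // access_key/secret_key from settings
	ModeInstanceProfile CredentialMode = "instance-profile" // ambient EC2 IAM role of the runner
)

var ErrAmbientNotAllowed = errors.New("ambient IAM credentials refused for this build")

// ResolveCredentials uses static keys when both are set and otherwise falls
// back to the host's IAM role, but only for builds the operator trusts:
// trustedRepos plays the role of a `when: repo: owner/name` constraint, and a
// pull request from a fork never gets the role, because that build runs code
// the repository owners have not reviewed.
func ResolveCredentials(accessKey, secretKey string, b BuildContext, trustedRepos []string) (CredentialMode, error) {
	if accessKey != "" && secretKey != "" {
		return ModeStatic, nil
	}
	if accessKey != "" || secretKey != "" {
		return "", fmt.Errorf("access_key and secret_key must be set together")
	}
	if b.Event == "pull_request" && b.Fork {
		return "", fmt.Errorf("%w: pull request from a fork of %s", ErrAmbientNotAllowed, b.Repo)
	}
	for _, r := range trustedRepos {
		if r == b.Repo {
			return ModeInstanceProfile, nil
		}
	}
	return "", fmt.Errorf("%w: %s is not a trusted repository", ErrAmbientNotAllowed, b.Repo)
}
```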