Closed (mjschultz closed this issue 4 years ago)
Looks like removing this restriction was attempted in #2 but still needs a bit of work https://github.com/drone-plugins/drone-s3/pull/2#issuecomment-159031826
I think it would be safe to remove the code for that comment and recommend people add a:

```yaml
when:
  repo: owner/name
```

to their upload if that is going to be a problem.
I just wanted to add a note here that I included in a few other issues because I think this is important to highlight ...
I just want to point out the possible security vulnerability here. This means ANY build running on your server will have access to your infrastructure via iam. This includes a malicious pull request. I would not recommend using iam with a public github repository.
Typically this is not an issue because you have to sign the yaml and the passwords are not provided to the container if the signature doesn't match. In this case there are no passwords, and therefore, the step can run without a signature.
Given that `drone sign` is not supported anymore, would this PR be acceptable to solve this issue?
I would like to be able to do this to take some repo resources (db migration scripts) and put them on a bucket for go-migrate without having to specify keys.
This should already be supported: access key and secret key are optional, and if they are not provided it falls back to EC2 profiles.
Our drone EC2 instances have the ability to write to S3 through the IAM role they were given at startup. The normal way to use this is to not specify access_key or secret_key.
However, the current setup for this plugin is such that it will not run the plugin if the access_key/secret_key are not specified (though the docs say they are optional).
My preferred solution would be to make the access_key/secret_key actually optional, but the use case in the comment above the non-optional code is:
Which would break if they were optional. An alternative is to add a

```yaml
use_iam: true
```

setting, though it would still be the case that a fork would fail if that were set.
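An added example (not drone-s3's own code) of the credential policy this thread is circling: static keys win when given, otherwise the agent's instance profile is used only behind an opt-in and never for a pull request coming from a fork. The `use_iam` setting, the `Settings` and `BuildContext` types, and the build metadata fields are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// CredMode names the AWS credential source the upload step may use.
type CredMode string

const (
	ModeStatic   CredMode = "static keys"      // access_key/secret_key from secrets
	ModeInstance CredMode = "instance profile" // EC2 IAM role of the Drone agent
)

// BuildContext is the subset of build metadata the policy needs
// (hypothetical struct; a real plugin would read these from its environment).
type BuildContext struct {
	Event string // "push", "pull_request", "tag", ...
	Repo  string // owner/name of the repository that owns the pipeline
	Fork  string // owner/name the PR head comes from; equals Repo when not a fork
}

// Settings mirrors the plugin options discussed in the issue; UseIAM is the
// proposed opt-in (hypothetical, not a real drone-s3 setting).
type Settings struct {
	AccessKey, SecretKey string
	UseIAM               bool
}

// ResolveCredentials decides whether the step may run and with which credentials.
// The instance profile is only used when the pipeline opted in and the build is
// not a pull request from a fork, since fork PRs are untrusted YAML and must not
// inherit the host's IAM role.
func ResolveCredentials(s Settings, b BuildContext) (CredMode, error) {
	if s.AccessKey != "" && s.SecretKey != "" {
		return ModeStatic, nil
	}
	if s.AccessKey != "" || s.SecretKey != "" {
		return "", errors.New("access_key and secret_key must be set together")
	}
	if !s.UseIAM {
		return "", errors.New("no access_key/secret_key given and use_iam is not enabled")
	}
	if b.Event == "pull_request" && b.Fork != b.Repo {
		return "", fmt.Errorf("refusing instance-profile credentials for pull request from fork %s", b.Fork)
	}
	return ModeInstance, nil
}
```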