Closed josmo closed 8 years ago
Thanks! Can you run through gofmt as well?
Also, I mentioned in some of the other threads the potential security vulnerability here. If someone uses iam + s3 plugin it may be subject to malicious pull requests. The reason is that passwords / secrets need to be signed in order to be used. Since iam doesn't require passwords, and there is no signature, it limits the ability to prevent malicious execution of the plugin.
Luckily, we have an environment variable for this called `DRONE_YAML_VERIFIED=true`.
I would recommend adding this input parameter and checking to see if the yaml is verified before creating a client with an empty username and password. This would prevent such a security issue. Let me know if you have questions!
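The check recommended in the comment above, sketched in Go as an added example (not code from this pull request or from the plugin). `DRONE_YAML_VERIFIED` is the variable named in the thread; the `PLUGIN_ACCESS_KEY` / `PLUGIN_SECRET_KEY` names and the `SelectCredentials` helper are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// CredSource says where the S3 client should take its credentials from.
type CredSource int

const (
	CredNone         CredSource = iota
	CredStatic                  // key + secret passed in as signed secrets
	CredInstanceRole            // IAM role via EC2 metadata, no secrets involved
)

var (
	ErrUnverified = errors.New("refusing IAM role credentials: yaml is not verified")
	ErrPartial    = errors.New("access key and secret key must be set together")
)

// yamlVerified fails closed: unset, empty or non-boolean values ("yes")
// all count as unverified.
func yamlVerified(getenv func(string) string) bool {
	ok, err := strconv.ParseBool(getenv("DRONE_YAML_VERIFIED"))
	return err == nil && ok
}

// SelectCredentials (hypothetical helper) only falls back to the instance
// role when no secrets were supplied AND the build yaml is verified.
func SelectCredentials(key, secret string, getenv func(string) string) (CredSource, error) {
	switch {
	case key != "" && secret != "":
		return CredStatic, nil
	case key != "" || secret != "":
		return CredNone, ErrPartial
	case !yamlVerified(getenv):
		return CredNone, ErrUnverified
	default:
		return CredInstanceRole, nil
	}
}

func main() {
	// Variable names below are assumed, not taken from the plugin.
	src, err := SelectCredentials(os.Getenv("PLUGIN_ACCESS_KEY"), os.Getenv("PLUGIN_SECRET_KEY"), os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("credential source:", src)
}
```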
@bradrydzewski sorry about gofmt :) Still forgetting to do that.
@bradrydzewski is something like commit 511046e what you had in mind?
@bradrydzewski I think everything should be good now. Let me know if there's anything that seems out of place. I'll also follow suit on the beanstalk plugin PR I have out.
@bradrydzewski anything else need to be changed? I'd love to delete my image :)
LGTM thanks for the updates
Resubmitting now that it will use the secrets if provided or the ec2metadata if none are provided. Agreed it shouldn't be used on open projects, but it is needed in large enterprises where the auth information expires.