drone-plugins / drone-s3

Drone plugin for publishing artifacts to Amazon S3
http://plugins.drone.io/drone-plugins/drone-s3
Apache License 2.0

Ec2 instance auth #20

Closed josmo closed 8 years ago

josmo commented 8 years ago

Resubmitting now that it will use the secrets if provided or the ec2metadata if none are provided. Agreed it shouldn't be used on open projects, but it is needed in large enterprises where the auth information expires.

bradrydzewski commented 8 years ago

thanks! can you run it through gofmt as well?

also I mentioned in some of the other threads the potential security vulnerability here. If someone uses iam + s3 plugin it may be subject to malicious pull requests. The reason is that passwords / secrets need to be signed in order to be used. Since iam doesn't require passwords, and there is no signature, it limits the ability to prevent malicious execution of the plugin.

luckily we have an environment variable for this called DRONE_YAML_VERIFIED=true

I would recommend adding this input parameter and checking to see if the yaml is verified before creating a client with an empty username and password. This would prevent such a security issue. Let me know if you have questions!
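The credential-selection rule described in the comment above, written out as an added example in plain Go (this is not drone-s3's own code and uses no AWS SDK; the `Input` field names and the mode/error names are assumed): signed secrets win when both are present, instance-metadata credentials are allowed only when `DRONE_YAML_VERIFIED` parses as true, and an unverified yaml with no secrets is refused rather than silently falling back to the IAM role.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// CredentialMode is the credential source the plugin would build its client from.
type CredentialMode int

const (
	ModeNone     CredentialMode = iota // refused: no client should be created
	ModeStatic                         // access key + secret supplied as signed secrets
	ModeInstance                       // fall back to EC2 instance metadata (IAM role)
)

var (
	ErrUnverifiedYAML = errors.New("refusing EC2 instance credentials: .drone.yml is not verified")
	ErrPartialSecrets = errors.New("both access_key and secret_key must be set, or neither")
)

// Input mirrors the plugin parameters relevant to the decision (field names assumed).
type Input struct {
	AccessKey    string
	SecretKey    string
	YAMLVerified string // raw value of DRONE_YAML_VERIFIED, e.g. "true" or ""
}

// SelectCredentials decides which credential source may be used for this build.
// An unset DRONE_YAML_VERIFIED does not parse as a bool and is treated as unverified.
func SelectCredentials(in Input) (CredentialMode, error) {
	switch {
	case in.AccessKey != "" && in.SecretKey != "":
		return ModeStatic, nil // signed secrets were provided; the yaml check is not needed
	case in.AccessKey != "" || in.SecretKey != "":
		return ModeNone, ErrPartialSecrets
	}
	verified, err := strconv.ParseBool(in.YAMLVerified)
	if err != nil || !verified {
		return ModeNone, ErrUnverifiedYAML // a malicious PR could not force the IAM path
	}
	return ModeInstance, nil
}

func main() {
	// Constructed inputs: a verified build with no secrets, and an unverified one.
	fmt.Println(SelectCredentials(Input{YAMLVerified: "true"}))
	fmt.Println(SelectCredentials(Input{YAMLVerified: ""}))
}
```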

josmo commented 8 years ago

@bradrydzewski sorry about gofmt :) Still forgetting to do that.

josmo commented 8 years ago

@bradrydzewski is something like commit 511046e what you had in mind?

josmo commented 8 years ago

@bradrydzewski I think everything should be good now. Let me know if there's anything that seems out of place. I'll also follow suit on the beanstalk plugin PR I have out.

josmo commented 8 years ago

@bradrydzewski anything else need to be changed? I'd love to delete my image :)

bradrydzewski commented 8 years ago

LGTM thanks for the updates