elementor / static-html-output

Static HTML Output Plugin for WordPress
https://statichtmloutput.com
The Unlicense

Allow usage of the defaultProvider() CredentialProvider for S3 #14

Open BAGELreflex opened 5 years ago

BAGELreflex commented 5 years ago

https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Credentials.CredentialProvider.html

Currently the plugin requires the usage of an IAM Access Key and Secret Access Key to be provided in order to authenticate to S3 to upload. This is not industry best practice. The default CredentialProvider attempts to load credentials in the following order:

  1. Check for environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN)
  2. Check for a default profile in ~/.aws/credentials
  3. Check for a default profile in ~/.aws/config
  4. Make a GET request to ECS environment variables (only if using Elastic Container Service)
  5. Check for credentials using an External Process: https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
  6. Check for EC2 instance profile credentials using the local metadata endpoint of 169.254.169.254
  7. It finally uses the 'credentials' => ['key' => 'my-access-key-id', 'secret' => 'my-secret-access-key'] configuration of the client constructor given that no other credentials are found.

We configure the majority of our sensitive site configuration using either Environment Variables or IAM Roles assigned to EC2 instances, utilizing the EC2 instance metadata (option 6 above).

Here is an implementation that would use the key and secret, if provided, and otherwise revert to the default order of operations:

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\S3\S3Client;

// Only seed the chain with static credentials when both values were supplied.
// fromCredentials() always resolves, so passing an empty key/secret would
// short-circuit the chain and defaultProvider() would never be consulted.
$providers = [];
if (!empty($key) && !empty($secret)) {
    $providers[] = CredentialProvider::fromCredentials(new Credentials($key, $secret));
}
$providers[] = CredentialProvider::defaultProvider();

// memoize() caches the resolved credentials so the chain is not re-run per request
$credentialProvider = CredentialProvider::memoize(
    CredentialProvider::chain(...$providers)
);
$s3Client = new S3Client([
    'region'      => $region,
    'version'     => 'latest',
    'credentials' => $credentialProvider,
]);

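The following is an added example, not code from the plugin or from the issue author, showing how the optional key/secret can be folded into the SDK's provider chain in a way that actually falls through to defaultProvider() when the settings are blank, and how a settings page could resolve the chain once to report which credential source was picked up. It assumes aws/aws-sdk-php v3 installed via Composer, and the settings keys s3_key, s3_secret and s3_region are assumed names, not the plugin's real option names.

```php
<?php
// Added example; assumes aws/aws-sdk-php v3 via Composer (not the plugin's own code).
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\Credentials\CredentialsInterface;
use Aws\Exception\CredentialsException;
use Aws\S3\S3Client;
use GuzzleHttp\Promise\FulfilledPromise;
use GuzzleHttp\Promise\RejectedPromise;

/**
 * A provider that succeeds only when both key and secret are non-empty.
 * CredentialProvider::chain() advances to the next provider only on rejection,
 * so rejecting here (rather than resolving with empty credentials) is what lets
 * the default chain (env vars, ~/.aws, ECS, process, instance profile) take over.
 */
function optionalStaticProvider(?string $key, ?string $secret): callable
{
    return static function () use ($key, $secret) {
        if ($key === null || $secret === null || $key === '' || $secret === '') {
            return new RejectedPromise(
                new CredentialsException('No static key/secret configured; trying default chain')
            );
        }
        return new FulfilledPromise(new Credentials($key, $secret));
    };
}

/** Build the memoized provider from the plugin settings (assumed key names). */
function buildCredentialProvider(array $settings): callable
{
    return CredentialProvider::memoize(
        CredentialProvider::chain(
            optionalStaticProvider($settings['s3_key'] ?? null, $settings['s3_secret'] ?? null),
            CredentialProvider::defaultProvider()
        )
    );
}

function buildS3Client(array $settings): S3Client
{
    return new S3Client([
        'region'      => $settings['s3_region'],
        'version'     => 'latest',
        'credentials' => buildCredentialProvider($settings),
    ]);
}

/**
 * Settings-page check: resolve the chain once so a misconfiguration surfaces as a
 * readable message rather than a failed upload later. The secret is never echoed;
 * a short prefix of the key id is enough to tell which source was used.
 */
function describeResolvedCredentials(callable $provider): string
{
    try {
        /** @var CredentialsInterface $creds */
        $creds = $provider()->wait();
    } catch (CredentialsException $e) {
        return 'No AWS credentials found: ' . $e->getMessage();
    }
    $source = $creds->getSecurityToken()
        ? 'temporary credentials (instance profile / role / STS)'
        : 'long-lived access key';
    return sprintf('Using %s, key id %s...', $source, substr($creds->getAccessKeyId(), 0, 4));
}

// Constructed sample settings: key and secret intentionally blank, so the chain
// falls through to defaultProvider() (e.g. the EC2 instance profile when run on EC2).
$settings = ['s3_key' => '', 's3_secret' => '', 's3_region' => 'us-east-1'];
echo describeResolvedCredentials(buildCredentialProvider($settings)), PHP_EOL;
```

Because memoize() wraps the whole chain, the resolution (including any instance-metadata call) happens once per process and is cached; temporary credentials from an instance profile are refreshed by the SDK when they expire.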
leonstafford commented 4 years ago

Hi @BAGELreflex - I did get back to the official AWS SDK in V7, which is now available for testing and should allow for either inputting key/secret or using default provider or instance profiles: https://github.com/WP2Static/wp2static/releases/tag/7.0-alpha-003

leonstafford commented 4 years ago

duplication/solvable in same issue as https://github.com/WP2Static/static-html-output-plugin/issues/12

Already solved in V7 (https://github.com/WP2Static/wp2static) and will likely find that same deployment code brought back into this V6 (Static HTML Output)

petewilcock commented 3 years ago

Just pinging on this - looks like this issue is still ongoing.

Client-side form validation in settings for Access Key ID and Secret Key ID demands a value even if an instance profile/role is being used.

A test upload with no values returns an ambiguous 'BAD RESPONSE STATUS FROM API (400)'.

I can confirm however that the manual provision of an IAM user (not desired as above) does work.

Would be super grateful if this could be looked at 🤞