search

jkakar / aws-elixir

AWS clients for Elixir
Other
191 stars 0 forks source link

Credentials from EC2 Instance Metadata #49

Open stocks29 opened 7 years ago

stocks29 commented 7 years ago

It would be great if the client would optionally pull credentials from EC2 instance metadata at the least, or optimally mimic the default credential provider chain:

http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#using-the-default-credential-provider-chain

cjbottaro commented 7 years ago

Is that how the Ruby client doesn't require AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY when running from an instance in AWS?

I came to ask for a feature: don't require AWS_*_KEYS when running from a machine in AWS.

jkakar commented 7 years ago

Indeed. For Erlang, I wrote https://github.com/jkakar/aws-erlang-metadata to do this. It'd be nice to replicate this for Elixir.

cjbottaro commented 7 years ago

So I wrote some code to query the AWS metadata url and fill in the AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY... and it didn't work. I mean, the keys had the wrong IAM permissions.

Here's the code:

  def add_credentials(options, :meta) do
    path = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

    creds = with {:ok, response} <- HTTPoison.get(path),
      {:ok, response} <- HTTPoison.get("#{path}#{response.body}"),
      {:ok, creds} <- Poison.decode(response.body) do
      creds
    else
      _ -> %{}
    end

    options
      |> put_new(:access_key_id, creds["AccessKeyId"])
      |> put_new(:secret_access_key, creds["SecretAccessKey"])
  end

The returned options is a Map that gets turned into an Aws.Client struct.

The permission problem may be on my end; I'm not entirely sure how permissions work in ECS. I know that both an ECS instance and ECS service get an IAM role.

uberbrodt commented 6 years ago

I wrote and published this: https://github.com/uberbrodt/ex_aws_metadata

I tested it with AWS Elasticsearch and it worked. I plan to contribute a pull request to add it an option to this project when I have the time.

jkakar commented 6 years ago

@uberbrodt Sorry for taking so long to respond, but that looks great! I'd love to see a pull request to merge it here or to update the README to make it more easily discoverable to users of aws-elixir.