vdb-config: use AWS IAM role instead of credentials file

[peter-sandor-1992]

We are currently trying to move away from storing access and secret keys in our configuration files and have instead enabled the use of IAM policies on our AWS EC2 instances, as per current best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

In order to set the "accept charges for AWS" in vdb-config, we currently have to set a credentials file with an access and a secret key. Is there any way of providing an IAM instance profile ARN instead of access and secret keys to still be able to download SRA files from s3 using prefetch? Exactly how are these credentials being used for downloading the SRA files from the cloud? Would obtaining temporary credentials using an IAM policy (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials) work, even if these expire mid-download? Temporary credentials have a maximum lifespan of 36 hours: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken. This should be enough for a single download but we want to make sure we cover all scenarios.

[tudor-turcu]

Any news/answer about this issue? ..