Closed ToneD closed 8 years ago
mbrossard
commented
8 years ago It looks interesting. I have an objection regarding the added dependency on boto.sts, can you load it only when using the feature?
For the region part, I'm thinking that if you rename the method get_instance_region it would make it clearer.
For the v4_scheme branch, I wanted be able to encode all the information in the URL. Now I'll have to think about how I can add this.
mbrossard
commented
8 years ago I'm going to make some additional changes.
ToneD
commented
8 years ago I've been meaning to get back to you on this one. I started playing around with removing the boto dependency all together. Doing this involved implementing url signing for STS api calls. This started to look very similar to what you are doing in the v4 branch. I figure the best approach is to write the v4 url signing code to be generic enough to support signing STS and the S3 urls.
mbrossard
commented
8 years ago Let's revisit the issue when I finally merge v4_scheme. I did one change to make the delegated_role a per-repo parameter. This way you can have different delegated role settings for different repositories and also I didn't want to risk confusion by putting settings in different places.
… to work with a bucket in a different account by using a delegated role provided in the plugin config.
Wanted to make this work for a bucket in a separate account so that the repo did not need to be replicated. Works by using the delegated role arn (provided via config) to retrieve the creds from STS.
It does introduce a dependency on boto which may not be considered desirable. Also introduces a get_region method which may conflict slightly with what is going on in the v4_scheme branches.