spacecatninja / craft-imager-x

Image transforms, optimizations and manipulations for your Craft CMS site.

Make AWS S3 Credentials Optional when running Craft on AWS EC2/ECS. #254

Open vanburenx opened 9 months ago

vanburenx commented 9 months ago

Description

Remove the need for AWS accessKey/secretAccessKey credentials if you're running on AWS EC2/ECS and instead use Assumed Roles (instance profile credentials). This removes the need to create/manage additional/unnecessary credentials.

AWS Docs

Creating OpenID Connect (OIDC) identity providers

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html

Using IAM roles for Amazon EC2 instance variable credentials

https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_assume_role.html

Task IAM role

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

Craft CMS S3 implementation

Assuming Role with OpenID Connect (OIDC) (craftcms/aws-s3)

https://github.com/craftcms/aws-s3#assuming-role-with-oidc

Tasks running in ECS (craftcms/aws-s3)

https://github.com/craftcms/aws-s3?tab=readme-ov-file#tasks-running-in-ecs

Code used for craftcms/aws-s3

https://github.com/craftcms/aws-s3/blob/a04ee659490d53da879e302e660ba3807532a926/src/Fs.php#L423

Credential-less auth should be explicit opt-in (craftcms/aws-s3)

https://github.com/craftcms/aws-s3/issues/155


joelzerner commented 2 weeks ago

We'd be very interested in this feature too. @aelvan any idea if this feature will be in the pipeline?

aelvan commented 2 weeks ago

Hi,

The biggest show-stopper is that I don't use AWS and I'm not familiar with the concepts here. BUT, I'll try to replicate what Craft does and see where it gets me. Are you on Craft 4 or 5, @joelzerner?

joelzerner commented 2 weeks ago

Thanks for being willing to look into this! We're on Craft 4 for the particular project we need this for however an update to Craft 5 is in the pipeline.

aelvan commented 2 weeks ago

Cool, then I can implement it for 4 to begin with and then port it to 5 when you've tested. That code is essentially identical between 4 and 5 so it doesn't really matter what comes first.

vanburenx commented 2 weeks ago

OP here, I've upgraded to Craft 5 since I first posted this but can test this on either version. Thanks for looking into this.

aelvan commented 6 days ago

I've tried to replicate what the craftcms/aws-s3 package does, and you can test it by installing the feature branch via:

composer require spacecatninja/imager-x:"dev-dev/craft4-optional-aws-s3-credentials as 4.4.1.1"

I made credential-less auth explicit opt-in, as planned by P&T, so to enable it you need to set useCredentialLessAuth to true in your external storage config, i.e.:

```php
'storageConfig' => [
    'aws' => [
        'useCredentialLessAuth' => true,
        ...
    ],
],
```

Let me know if this works as expected.
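The pattern described in the issue and in the comment above, written out as an added example. This is not Imager X or craftcms/aws-s3 code; it assumes the config shape shown in the thread (an `aws` array with `useCredentialLessAuth`, `accessKey`, `secretAccessKey`, `region`) and the AWS SDK for PHP v3. The helper name `buildS3ClientConfig` and the bucket/region values are hypothetical.

```php
<?php
// Added example (not the plugin's own code): build an S3Client configuration that
// uses the EC2 instance profile / ECS task role only when the operator opts in.
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

/**
 * Turn an Imager X style `aws` storage config (assumed shape) into S3Client options.
 *
 * Opt-in semantics: credential-less auth is never a silent fallback. Missing keys
 * without the flag are an error, and keys present together with the flag are
 * refused, so a stale key in an env file cannot shadow the intended role.
 */
function buildS3ClientConfig(array $aws): array
{
    if (empty($aws['region'])) {
        throw new InvalidArgumentException('region is required');
    }

    $config = [
        'version' => 'latest',
        'region'  => $aws['region'],
    ];

    if (!empty($aws['useCredentialLessAuth'])) {
        if (!empty($aws['accessKey']) || !empty($aws['secretAccessKey'])) {
            throw new InvalidArgumentException(
                'useCredentialLessAuth is true; remove accessKey/secretAccessKey from the config'
            );
        }
        // The SDK default chain tries env vars, the shared credentials/config files,
        // web identity (OIDC) role assumption, the ECS task role endpoint and finally
        // the EC2 instance profile (IMDS). memoize() caches the resolved credentials
        // and refreshes them before expiry, so IMDS is not hit on every request.
        $config['credentials'] = CredentialProvider::memoize(
            CredentialProvider::defaultProvider()
        );
        return $config;
    }

    // Default path: static keys are mandatory.
    if (empty($aws['accessKey']) || empty($aws['secretAccessKey'])) {
        throw new InvalidArgumentException(
            'accessKey and secretAccessKey are required unless useCredentialLessAuth is true'
        );
    }
    $config['credentials'] = [
        'key'    => $aws['accessKey'],
        'secret' => $aws['secretAccessKey'],
    ];
    return $config;
}

// Usage with the opt-in shape from the thread (region and bucket are placeholders).
$client = new S3Client(buildS3ClientConfig([
    'useCredentialLessAuth' => true,
    'region'                => 'eu-west-1',
]));

// Practitioner check: resolve credentials eagerly at boot. On a host that has no
// role, no env vars and no profile this fails here with a clear credentials error
// instead of at the first image transform hours later.
$creds = $client->getCredentials()->wait();
echo 'Resolved access key id: ' . $creds->getAccessKeyId() . PHP_EOL;

// Confirm the role actually carries the permissions the plugin needs.
$client->headBucket(['Bucket' => 'example-bucket']);
```

Two things worth verifying on a real deployment: that the instance profile or task role policy is scoped to the specific bucket and prefix Imager X writes to (the role is reachable by every process on the host, not just Craft), and that the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` variable the ECS agent injects is not stripped by the PHP-FPM or container entrypoint environment, since without it the default chain falls through to IMDS and fails inside ECS.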

joelzerner commented 6 days ago

Thanks @aelvan - we will test this out on Monday and let you know how we go.

joelzerner commented 2 days ago

Thanks @aelvan - we've tested and it works!

aelvan commented 1 day ago

Great, thanks for testing this. I'll merge it into a release shortly.