github-actions[bot]
commented
1 day ago This issue is stale because it has been open for 30 days with no activity.
Open eternaltyro opened 1 month ago
github-actions[bot]
commented
1 day ago This issue is stale because it has been open for 30 days with no activity.
Is your feature request related to a problem? Please describe.
Currently AWS API keys are used directly in order to authenticate the Uli API server to AWS and authorise S3 access. We can secure this by removing these keys and using identity based Authz/AuthN.
https://github.com/tattle-made/Uli/blob/58e19f2309cd950b0d42bf49cf0349fe38392847/browser-extension/api-server/s3.js#L7-L8
Describe the solution you would like
@aws-sdk/client-s3uses AWS credentials env module that automatically takes API keys from environment variables. We don't need to explicitly pass them. So instead of doing:https://github.com/tattle-made/Uli/blob/58e19f2309cd950b0d42bf49cf0349fe38392847/browser-extension/api-server/s3.js#L12-L14
We can do something simpler like:
The SDK would handle AWS AuthN automatically.
Describe alternatives you've considered
This makes the config more forgiving and secure. We can rely on the same environment variables for local developement but at the same time, we can take advantage of EKS Pod Identity - which provides a way of attaching an IAM role to a pod (just like EC2 instance profiles) to allow access to S3. Developers can use temporary credentials received via
aws sso login --profile tattleor manually copying credentials from the login page.We can effectively eliminate the need to handle or process AWS API keys in code.
Addtional Context
Of course, some keys have additional utility like SES access which we will need to consider while switching over.
References: