S3 upload does not support using credentials from IAM role #259


warp3r commented Apr 19, 2018

Hi there,

when trying to use mongodb-consistent-backup in AWS, with support enabled for S3 upload and using credentials in the IAM role of an EC2 instance rather than explicit key and access tokens, it fails.

Checking the S3Session.py file I see

                self._conn = boto.s3.connect_to_region(
                    self.region,
                    aws_access_key_id=self.access_key,
                    aws_secret_access_key=self.secret_key,
                    is_secure=self.secure,
                    calling_format=self.calling_format

This way only explicit AWS keys will work with mongodb-consistent-backup, which is an anti-pattern when working inside AWS. Using IAM roles avoids the need to rotate keys, as this is automatically performed by AWS.

Take this link as documentation (even if it's for the PHP SDK, it also works for Python):

https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/credentials.html#instance-profile-credentials

My proposal is to change the following lines in S3.py:

        if None in (self.access_key, self.secret_key, self.region):
            raise OperationError("Invalid or missing AWS S3 access key, secret key or region detected!")

to

        if self.region is None:
            raise OperationError("Invalid or missing AWS region detected!")

and also change the following in S3Session.py:

                self._conn = boto.s3.connect_to_region(
                    self.region,
                    aws_access_key_id=self.access_key,
                    aws_secret_access_key=self.secret_key,
                    is_secure=self.secure,
                    calling_format=self.calling_format

for something similar to:

                # Pass static keys only when both are configured
                if self.access_key is not None and self.secret_key is not None:
                  self._conn = boto.s3.connect_to_region(
                    self.region,
                    aws_access_key_id=self.access_key,
                    aws_secret_access_key=self.secret_key,
                    is_secure=self.secure,
                    calling_format=self.calling_format
                    ...
                else:
                  self._conn = boto.s3.connect_to_region(
                    self.region,
                    is_secure=self.secure,
                    calling_format=self.calling_format
                    ...

I may fork the code and do a PR myself in the following weeks, just wanted to open the ticket in case somebody has the time to do so before.

Kind regards
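
One way to implement the fallback proposed above, as an added example that is not part of the original issue or the project's code. The helper names (`s3_connect_kwargs`, `connect`, `describe`) and the stand-in `OperationError` class are assumptions; the example also rejects a half-configured key pair instead of silently falling back to the instance role.

```python
class OperationError(Exception):
    """Stand-in for the project's OperationError (assumed to be an Exception)."""


def s3_connect_kwargs(region, access_key=None, secret_key=None,
                      secure=True, calling_format=None):
    """Return (region, kwargs) for boto.s3.connect_to_region().

    Static keys are passed only when both are set. Otherwise they are omitted
    so the SDK resolves credentials itself, e.g. from the EC2 instance's IAM role.
    """
    if not region:
        raise OperationError("Invalid or missing AWS region detected!")
    # Only one of the two keys set is almost always a configuration mistake.
    # Fail loudly rather than run with an identity the operator did not intend.
    if (access_key is None) != (secret_key is None):
        raise OperationError("Set both AWS access key and secret key, or neither")
    kwargs = {"is_secure": secure}
    if calling_format is not None:
        kwargs["calling_format"] = calling_format
    if access_key is not None:
        kwargs["aws_access_key_id"] = access_key
        kwargs["aws_secret_access_key"] = secret_key
    return region, kwargs


def describe(kwargs):
    """Log-safe summary of the credential source; never includes the secret."""
    if "aws_access_key_id" in kwargs:
        return "static keys"
    return "SDK default chain (IAM role)"


def connect(region, **settings):
    """Open the S3 connection. boto is imported lazily so the helpers above
    can be exercised without the SDK installed."""
    import boto.s3  # boto 2, the SDK used in the snippets above
    region, kwargs = s3_connect_kwargs(region, **settings)
    return boto.s3.connect_to_region(region, **kwargs)
```
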

timvaillancourt pushed a commit that referenced this issue Jun 14, 2018
* fixes for S3 IAM role authentication
