SQS Transport to accept EC2-Profile as Credentials Source #1459

Closed
AbdoHassanUMG opened this Issue Oct 12, 2018 · 5 comments

AbdoHassanUMG commented Oct 12, 2018

Allow SQS Transport customisation to accept EC2 Profile (Instance Role) as a credential source. Currently the transport requires API keys to be passed in the connection string, which is less secure and introduces ops complexity around key rotation.

AbdoHassanUMG changed the title from "SQS Transport to accept EC2-Profile as Credentials" to "SQS Transport to accept EC2-Profile as Credentials Source" on Oct 12, 2018

yvesgoeleven commented Oct 12, 2018

@AbdoHassanUMG Thank you for the suggestion. I moved it to the SQS transport repository:

Particular/NServiceBus.AmazonSQS#247

yvesgoeleven commented Oct 12, 2018

I stand corrected, it is in the right repo. The transport already allows this.

danielmarbach commented Oct 12, 2018

@AbdoHassanUMG

You are absolutely right, it is not yet ideal how the API keys are managed. The underlying SQS transport uses the standard SDK constructors of the clients, thus it would follow the normal credential retrieval hierarchy defined in https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html. So given that, we could support it by no longer requiring API keys in the connection string and only promoting environment variables if you specify the keys. Would that work for you? This would assume the default profile would be used, or would you have the requirement to specify the profile name in ServiceControl?

AbdoHassanUMG commented Oct 12, 2018

@danielmarbach
Yes, it would be sufficient for our use case if the API keys in the connection string are not mandatory and the standard constructor falls back to the EC2 role.
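
An added example, not part of the thread and not ServiceControl's own code, of the behaviour agreed on above: keys in the connection string are optional, are promoted to environment variables only when supplied, and otherwise the environment is left alone so the SDK's default credential resolution can reach the EC2 instance role. The connection-string key names `AccessKeyId` and `SecretAccessKey`, the class and method names, and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Data.Common;

static class SqsCredentialSetup
{
    // Hypothetical connection-string key names, assumed for this example.
    const string AccessKeyName = "AccessKeyId";
    const string SecretKeyName = "SecretAccessKey";

    // Returns true when explicit keys were promoted to environment variables,
    // false when nothing was set and the SDK's default credential resolution
    // (which includes the EC2 instance profile) is left to find credentials.
    public static bool PromoteExplicitKeys(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        string accessKey = Get(builder, AccessKeyName);
        string secretKey = Get(builder, SecretKeyName);

        // No keys supplied: do not touch the environment.
        if (accessKey == null && secretKey == null)
            return false;

        // Half a key pair is a configuration error. Failing here avoids
        // silently running under a different identity than the operator intended.
        if (accessKey == null || secretKey == null)
            throw new ArgumentException(
                $"Specify both {AccessKeyName} and {SecretKeyName}, or neither.");

        // Environment variable names read by the AWS SDK for .NET.
        Environment.SetEnvironmentVariable("AWS_ACCESS_KEY_ID", accessKey);
        Environment.SetEnvironmentVariable("AWS_SECRET_ACCESS_KEY", secretKey);
        return true;
    }

    static string Get(DbConnectionStringBuilder builder, string key) =>
        builder.TryGetValue(key, out object value) && !string.IsNullOrWhiteSpace(value as string)
            ? (string)value
            : null;
}

static class Program
{
    static void Main()
    {
        // Constructed sample connection strings, not real credentials.
        Console.WriteLine(SqsCredentialSetup.PromoteExplicitKeys("Region=eu-west-1"));
        Console.WriteLine(SqsCredentialSetup.PromoteExplicitKeys(
            "Region=eu-west-1;AccessKeyId=AKIAEXAMPLEKEY;SecretAccessKey=constructed-secret"));
    }
}
```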

boblangley commented Dec 10, 2018

Addressed in #1525
