-
Notifications
You must be signed in to change notification settings - Fork 2k
EC2 credentials could expire #533
Comments
Good call out - this seems like something which could potentially be mitigated using config (as in |
What do we do in the event of multiple accounts? Keep track of the account ID the instances are in and then match them against the config so we end up with a config key of: |
Why wouldn't we just throw an error and let the user present new If we want to add a grouping construct we would need additional options at On Thu, Feb 12, 2015 at 12:14 PM, Simon Thulbourn notifications@github.com
|
If we just throw errors things like the ls command break. I'd rather just try to detect them again. |
Isn't that going to do the same thing if you cannot detect the new ones? |
I just ran into this issue. In our configuration, AWS tokens expire after ~30 minutes. I can however see the old credentials cached in If I delete the credentials from JSON, I get |
I wonder if we could modify the AWS driver to support temporary tokens. I might be mis-remembering, but I think @jeffellin may have done some research in this regard. |
So this is a little nuanced depending on if you want to break backwards compatibility. The truth is now that you are using the aws sdk you don't need to store credentials at all. The sdk has a pre-determined notion of where they should be, env variables, .aws dir, etc. So my recommendation is to stop reading the credentials from the config file and just use whats in the environment. This should even enable STS tokens to work without issues since the sdk knows already how to work with those. The issue with making this change is that users who don't have their amazon environment configured will need set them up otherwise an upgrade will break them. I personally think its a Bad Bad idea to be storing the IAM credentials in the config file. For the cloud formation driver I created, I do not do this. I just pick up whatever the aws sdk can find. |
Coming up against this today too. I like the idea of just using the standard AWS places - env vars and ~/.aws &c. Would also be cool to use region from there too. Can confirm that changing the config.json with new credentials works fine. |
I ran into this with the following error:
It wasn't clear to me how to resolve this until I'd remembered my AWS tokens had been rotated. I'd expected auth to work after (re)running |
This is pretty easy to fix. But we will break backwards compatibility. I
|
@jeffellin When you say it will break backwards compatibility, what do you mean? It seems reasonable to me that we could at least add a section in the |
@nathanleclaire I'd really like to get the creds out of the Driver Struct all together, it isn't necessary and I feel its bad practice as most people are unaware that we are saving potentially sensitive information in that location. The Go AWS SDK automatically reads from either AWS env variables or the |
@nathanleclaire if the user is currently using the aws driver and doesn't have the credentials set either in AWS_ environment variables or in
|
Yes, I agree, and I have been arguing for a proper "provider" model to help with this for a long time. As you noted, unfortunately it would likely require a sizable backwards incompatible change, breaking pretty much all existing drivers / plugins and requiring a version bump to the RPC API. It's difficult. We really need to tread wisely on that one. I agree the architectural choices made historically were not ideal but we do have quite a few downstreams (e.g. Rancher) to consider. I'm very happy to start discussing some proposals for a new and improved interface and implementation though. In the interim, if we can provide a way for users to refresh the credentials saved in
I don't understand. Is this an existing issue today, or a hypothetical? |
It's an issue that would result from not reading the credentials from the For Amazon I don't think we really need a sizable change to the way drivers If we were to make this change the only thing a user would need to do is On Thursday, April 14, 2016, Nathan LeClaire notifications@github.com
|
Probably something I'm not seeing here, but maybe backwards compatibility be sufficiently handled by:
Then "upgrading" a machines credentials would be as simple as removing them from |
Any resolution on this? |
I have started working on at least the first step, to default to AWS SDK credentials in case there are none in |
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
If AWS credentials are not stored in machines config.json, use AWS SDK default. First step to fixing docker#533. Signed-off-by: Mattias Jiderhamn <mattias.jiderhamn@readsoft.com>
Under certain situations, credentials could expire for the EC2 driver, i.e. when using roles.
We could perhaps mitigate it by checking credentials and then either asking for more or using env vars.
The text was updated successfully, but these errors were encountered: