This repository has been archived by the owner on Apr 20, 2018. It is now read-only.

AWS credentials #4

Closed
ilyabe opened this issue Jul 24, 2015 · 4 comments
Comments

@ilyabe

ilyabe commented Jul 24, 2015

Is there another way to get a channel other than passing credentials?

sqs.channeled/receive! creds queue-url

Just asking since AWS seems to recommend against passing an access key to an app, preferring IAM roles instead.

http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

Not saying there's anything wrong here for sure, just trying to get an understanding first.

Thanks!

@moea
Member

moea commented Jul 24, 2015

The credentials map can contain IAM credentials - i.e. :access-key, :secret-key + :token (:region and :endpoint are also supported). Does that do what you're looking for?

The repository is a little askew right at this moment, but Eulalie 0.5.0 (a dependency of Fink-Nottle) supports retrieval of the instance credentials for an explicit role, or the default IAM role: see source here.

@moea
Member

moea commented Jul 24, 2015

It's briefly mentioned in this blog post. I'm writing more thorough documentation for the upcoming 1.0.0 release.

@ilyabe
Author

ilyabe commented Jul 24, 2015

Not exactly... I see I can pass credentials and it will work. I was wondering if I can not pass credentials at all. Since the app will be on an EC2 instance, it should be able to connect to SQS via an IAM profile set up for the instance instead of via credentials.

@moea
Member

moea commented Jul 24, 2015

Maybe it's a terminology thing - I'm using credentials in the generic sense. An access/secret key pair doesn't necessarily identify a root account - when communicating with AWS at the service level, an IAM role-specific access/secret key (generally tied to a token, with expiry information - unlike root credentials) can be used in place of a root account access/secret key. I'm not aware of any other means of telling an AWS service exactly which IAM role you're trying to use.

See, e.g. InstanceProfileCredentialsProvider in the AWS Java SDK, which is a default mechanism for retrieving account information when no explicit credentials are provided. While the Java SDK, and some others, will opaquely retrieve the default credentials for the instance via the EC2 instance metadata service, they are merely retrieving values which can be used in place of an access key & secret key (though with delimited scope, and delimited time, which makes them far superior to using root credentials). As this happens quietly, it could give the appearance that a secret key & access key aren't actually being used.

I didn't want to support implicit retrieval, which is why I mentioned eulalie.instance-data/default-iam-credentials! - that explicitly retrieves data which identifies the default IAM role to AWS, and can be used wherever creds is mentioned in the signature of a function in Fink-Nottle.
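As an added illustration of the mechanism moea describes above (not code from Fink-Nottle or Eulalie, and not posted by either participant), the following Python sketch walks the two-step instance-metadata lookup an SDK's InstanceProfileCredentialsProvider performs: read the role name from the security-credentials listing, then fetch that role's temporary key set, which is still an access key and secret key, plus a session token and an expiry. The metadata response below is constructed for the example, not captured from an instance; the key values are placeholders, and the `fetch` parameter is an assumption so the code runs offline. The expiry check is the piece the later commit on this thread alludes to ("for expiring credentials"): cached role credentials must be refreshed before their `Expiration`, unlike long-lived user keys.

```python
import json
from datetime import datetime, timedelta, timezone

# Well-known EC2 instance metadata path for instance-profile credentials.
IMDS_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample of the metadata service's two responses (placeholder
# values, not a real key set). The role listing is a newline-separated list;
# the per-role document is JSON.
_FAKE_IMDS = {
    IMDS_BASE: "my-app-role\n",
    IMDS_BASE + "my-app-role": json.dumps({
        "Code": "Success",
        "LastUpdated": "2015-07-24T10:00:00Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKeyNotReal",
        "Token": "exampleSessionTokenNotReal",
        "Expiration": "2015-07-24T16:00:00Z",
    }),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET against the metadata service (assumed helper)."""
    try:
        return _FAKE_IMDS[url]
    except KeyError:
        raise LookupError("no such metadata path: " + url)


def parse_utc(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps the metadata service emits."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def iam_credentials(fetch, role=None):
    """Retrieve temporary credentials for `role` (default: the first role the
    instance lists). Returns a map shaped like the creds map discussed in the
    thread: access-key, secret-key, token, plus the expiry and role name."""
    if role is None:
        listing = fetch(IMDS_BASE).split()
        if not listing:
            raise LookupError("instance has no IAM role attached")
        role = listing[0]
    body = json.loads(fetch(IMDS_BASE + role))
    if body.get("Code") != "Success":
        raise RuntimeError("metadata service returned %r for role %s"
                           % (body.get("Code"), role))
    return {
        "access-key": body["AccessKeyId"],
        "secret-key": body["SecretAccessKey"],
        "token": body["Token"],
        "expiration": parse_utc(body["Expiration"]),
        "role": role,
    }


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True when the temporary credentials are expired or within `margin`
    of expiring; callers should refetch rather than sign with a dying token."""
    return now + margin >= creds["expiration"]


def current_credentials(fetch, now, cached=None, role=None):
    """Return `cached` if it is still fresh, otherwise refetch from the
    metadata service. This is the refresh loop an SDK hides from the caller."""
    if cached is not None and not needs_refresh(cached, now):
        return cached
    return iam_credentials(fetch, role)
```

The fetcher is pluggable so that a real one can add whatever the instance requires (for example a session-token header on instances that enforce IMDSv2); the credential shape and the refresh-before-expiry rule are what matter to a caller, and they are the same whether an SDK retrieves the values implicitly or a library asks for them explicitly.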

joelittlejohn added a commit to joelittlejohn/fink-nottle that referenced this issue Aug 17, 2015
For expiring credentials, one should now create a creds value using `eulalie.creds/iam`.

Closes nervous-systems#4.
@moea moea closed this as completed in #7 Aug 17, 2015