AWS credentials #4
The credentials map can contain IAM credentials - i.e. The repository is a little askew right at this moment, but Eulalie 0.5.0 (a dependency of Fink-Nottle) supports retrieval of the instance credentials for an explicit role, or the default IAM role: see source here.
It's briefly mentioned in this blog post. I'm writing more thorough documentation for the upcoming 1.0.0 release.
Not exactly... I see I can pass credentials and it will work. I was wondering if I can not pass credentials at all. Since the app will be on an EC2 instance, it should be able to connect to SQS via an IAM profile set up for the instance instead of via credentials.
Maybe it's a terminology thing - I'm using credentials in the generic sense. An access/secret key pair doesn't necessarily identify a root account - when communicating with AWS at the service level, an IAM role-specific access/secret key (generally tied to a token, with expiry information - unlike root credentials) can be used in place of a root account access/secret key. I'm not aware of any other means of telling an AWS service exactly which IAM role you're trying to use. See, e.g., InstanceProfileCredentialsProvider in the AWS Java SDK, which is a default mechanism for retrieving account information when no explicit credentials are provided. While the Java SDK, and some others, will opaquely retrieve the default credentials for the instance via the EC2 instance metadata service, they are merely retrieving values which can be used in place of an access key & secret key (though with delimited scope, and delimited time, which makes them far superior to using root credentials). As this happens quietly, it could give the appearance that a secret key & access key aren't actually being used. I didn't want to support implicit retrieval, which is why I mentioned
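What the comment above describes - the instance metadata service handing out a role-scoped access key, secret key and session token that expire - shown as an added Python example that is not Fink-Nottle's or Eulalie's code. The metadata document below is a constructed placeholder, and `fetch` is a hypothetical callable standing in for the HTTP GET against the metadata service.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the credential document the EC2 instance metadata
# service returns for an instance-profile role. Every value is a placeholder;
# the field names are the ones the AWS SDKs read.
SAMPLE_IMDS_DOCUMENT = json.dumps({
    "Code": "Success",
    "LastUpdated": "2015-06-01T12:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIA-PLACEHOLDER-ACCESS-KEY",
    "SecretAccessKey": "PLACEHOLDER-SECRET-KEY",
    "Token": "PLACEHOLDER-SESSION-TOKEN",
    "Expiration": "2015-06-01T18:00:00Z",
})

# Refresh a little before expiry so an in-flight request is never signed
# with credentials that have just stopped working.
REFRESH_MARGIN = timedelta(minutes=5)

def parse_utc(ts: str) -> datetime:
    """Parse the metadata service's 'YYYY-MM-DDTHH:MM:SSZ' timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_iam_creds(document: str) -> dict:
    """Turn the metadata document into a creds map: the three values a
    request signer needs (they replace a root access/secret key pair, but are
    scoped to the role and time-limited) plus the expiry."""
    data = json.loads(document)
    if data.get("Code") != "Success":
        raise ValueError("instance metadata returned %r" % data.get("Code"))
    return {
        "access-key": data["AccessKeyId"],
        "secret-key": data["SecretAccessKey"],
        "token": data["Token"],
        "expiration": parse_utc(data["Expiration"]),
    }

def needs_refresh(creds: dict, now: datetime) -> bool:
    """True once the credentials are within REFRESH_MARGIN of expiring."""
    return now >= creds["expiration"] - REFRESH_MARGIN

def current_creds(creds, now: datetime, fetch) -> dict:
    """Return usable creds, re-reading the metadata document through `fetch`
    (hypothetical: performs the GET against the metadata service) only when
    there are none yet or the cached ones are about to expire."""
    if creds is None or needs_refresh(creds, now):
        return parse_iam_creds(fetch())
    return creds
```

The point of keeping `expiration` in the map is that, unlike root keys, these credentials silently stop working; an explicit refresh check is what makes the "implicit" retrieval the SDKs do visible.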
For expiring credentials, one should now create a creds value using `eulalie.creds/iam`. Closes nervous-systems#4.
Is there another way to get a channel other than passing credentials?
Just asking since AWS seems to recommend against passing an access key to an app, preferring IAM roles instead.
http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
Not saying there's anything wrong here for sure, just trying to get an understanding first.
Thanks!