Default empty constructor for AmazonS3Client (and others) #11
Comments
I'm afraid that I don't understand your point.

```scala
val s3 = S3() // = S3(Credentials.defaultEnv)
```

For instance, if the following environment variables are available, they will be loaded by default.
Isn't it enough? |
When you're running on an ec2 instance, the IAM role of the instance can grant it access to S3 resources even when the AWS env vars aren't set. The default constructor for AWScala fails if the env vars aren't set.
|
Thank you for your kind explanation. I got it. I didn't know about it but it's pretty cool. |
Gladly! It's very useful-- please add it in! |
Now we can read EC2 instance profiles. Would you try this out?

```scala
resolvers += "Sonatype OSS Snapshots" at "https://oss.sonatype.org/content/repositories/snapshots"

libraryDependencies += "com.github.seratch" %% "awscala" % "0.2.0-SNAPSHOT"
```
|
The
Checking the AWS SDK javadoc here, if you pass in the cred param it won't fall back to the IAM role. Also, the default behavior is to check the env vars anyway, so it may be advantageous to let the Java layer do the lifting there. I can look into a fix and submit a pull request if you'd like. |
I see.
Yes, please! Currently, AWScala expects different environment variables ( |
This is a big problem. IAM roles are common; not using them is a very bad practice. |
I've just implemented a fix, pull request coming in a jiffy |
So I've discovered that my fix isn't really a complete fix. Even though `DefaultAWSCredentialsProviderChain` is now used by default, awscala grabs the credentials once and then holds them forever. This doesn't work for IAM roles, because the credentials are regularly invalidated and regenerated, so once this happens the credentials held by awscala stop working. @seratch can you please reopen and I will write a real fix and create a PR. |
…essed up when IAM Role credentials expire; fixes seratch#11
From version 0.5.0 onward the default constructors of all clients in AWScala use the `DefaultAWSCredentialsProviderChain`, which will fall back to the IAM role as the last choice in its chain. They will also automatically refresh IAM role credentials so they don't get stuck with expired ones. |
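
The stale-credentials failure described in the comments above, as an added example that is not part of the thread or of AWScala's code: a self-contained Scala simulation with no AWS SDK dependency. Every name in it (`Creds`, `RotatingRoleProvider`, `FakeService`, `SnapshotClient`, `ProviderClient`) and the key values are constructed for illustration, and the refresh-safe client is an assumption about the shape of a fix.

```scala
// Simulates rotating instance-profile credentials; times are plain seconds on a fake clock.
final case class Creds(accessKeyId: String, expiresAt: Long)

trait CredsProvider { def current(now: Long): Creds }

// Stand-in for the instance-profile source: issues a new key once the old one has expired.
final class RotatingRoleProvider(ttl: Long) extends CredsProvider {
  private var generation = 0
  private var issued = Creds("ASIA-CONSTRUCTED-0", ttl) // first key is valid for [0, ttl)
  def current(now: Long): Creds = synchronized {
    if (now >= issued.expiresAt) {
      generation += 1
      issued = Creds(s"ASIA-CONSTRUCTED-$generation", now + ttl)
    }
    issued
  }
}

// Stand-in for the remote service: rejects credentials past their expiry.
object FakeService {
  def call(c: Creds, now: Long): Either[String, String] =
    if (now < c.expiresAt) Right(s"ok with ${c.accessKeyId}")
    else Left(s"ExpiredToken: ${c.accessKeyId}")
}

// The pattern described in the thread: resolve once at construction, hold forever.
final class SnapshotClient(provider: CredsProvider, createdAt: Long) {
  private val creds = provider.current(createdAt)
  def request(now: Long): Either[String, String] = FakeService.call(creds, now)
}

// Refresh-safe alternative: keep the provider and resolve credentials on every request.
final class ProviderClient(provider: CredsProvider) {
  def request(now: Long): Either[String, String] =
    FakeService.call(provider.current(now), now)
}

object Demo extends App {
  val provider = new RotatingRoleProvider(ttl = 3600L)
  val snapshot = new SnapshotClient(provider, createdAt = 0L)
  val live     = new ProviderClient(provider)
  // Before expiry both clients succeed; from t=3600 on only the provider-backed one does.
  for (t <- Seq(10L, 3599L, 3600L, 9000L))
    println(s"t=$t snapshot=${snapshot.request(t)} live=${live.request(t)}")
}
```

In a long-running service the snapshot pattern shows up as requests that work after deploy and start failing with expired-token errors once the role credentials rotate, which is why a test that only exercises a freshly constructed client does not catch it.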
In some circumstances, leveraging the default constructor for the Java S3 client is more appealing than the default constructor provided in AWScala.
Both default constructors look for credentials stored in system properties. However, the Scala API fails if the parameters aren't present. The Java API won't fail. And if you're running the code on an EC2 instance with an IAM role that grants permissions to S3 buckets, you'll be in the clear. See http://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-safer-way-to-distribute-AWS-credentials-to-EC2
At the moment, this is how I initialize my S3 client.
Can we add more direct support for the default constructors of the underlying java APIs?