
Allow AWS provider to be defined without secret/key in order to assume instance credentials #463

Open
miq-bot opened this issue Jul 15, 2018 · 4 comments

Comments

@miq-bot
Member

miq-bot commented Jul 15, 2018

The AWS Ruby SDK v3 states the following order of credential usage for service interaction.

The SDK searches the following locations for credentials:

  • ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY']
  • Unless ENV['AWS_SDK_CONFIG_OPT_OUT'] is set, the shared configuration files (~/.aws/credentials and ~/.aws/config) will be checked for a role_arn and source_profile, which if present will be used to attempt to assume a role.
  • The shared credentials ini file at ~/.aws/credentials
  • Unless ENV['AWS_SDK_CONFIG_OPT_OUT'] is set, the shared configuration ini file at ~/.aws/config will also be parsed for credentials.
  • From an instance profile when running on EC2, or from the ECS credential provider when running in an ECS container with that feature enabled.
  • If using ~/.aws/config or ~/.aws/credentials a :profile option can be used to choose the proper credentials.

If a user were to run ManageIQ on an EC2 instance that had the appropriate instance profile defined (Instance Profile = IAM Role for an EC2 instance, rather than a user), no credentials would be required to add an AWS Cloud Provider to ManageIQ (assuming all interaction with AWS is done via Ruby SDK).

Currently ManageIQ requires a user to hard-code a secret and key combination when defining an AWS Provider, which is a poor choice for security reasons (forces manual rotation of keys, passing the secrets in the clear in order to enter them, etc.). Allowing an instance profile to be used would remove the need for ManageIQ to store / maintain AWS-related credentials, and reduce the overall threat vector that comes with storing those secrets (keys are temporary, and rotated automatically).

As the AWS Ruby SDK already supports this functionality, when ManageIQ calls the SDK, simply not providing a secret or key should allow the SDK to cycle through the above listed options for obtaining credentials. I would request this feature / change to allow the definition of an AWS provider without specifying credentials, and when none are specified ManageIQ functionality should not attempt to pass any credentials to the SDK.


This issue was moved to this repository from ManageIQ/manageiq#17709, originally opened by @namebrandon
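As an added example, not code from the ManageIQ project or the issue author: a Ruby sketch of how a provider could build its SDK client options so that a blank key/secret is omitted rather than passed through, alongside a simplified, constructed model of the SDK search order quoted above. The `Credentials` struct, `client_options` and `resolve_credentials` are hypothetical stand-ins for `Aws::Credentials` and the SDK's own provider chain, so the block runs without the aws-sdk gem.

```ruby
# Added example (not ManageIQ code). Models the behaviour the issue asks for:
# a provider saved without a key/secret passes NO credentials to the SDK, so
# the SDK's own chain (env -> shared files -> EC2 instance profile) applies.
# `Credentials` stands in for Aws::Credentials so this runs without the gem.
Credentials = Struct.new(:access_key_id, :secret_access_key, :source)

def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Options hash for an SDK client, e.g. Aws::EC2::Client.new(**client_options(...)).
# :credentials is left out entirely when nothing was entered: an explicit (even
# empty) credentials object would not fall back to the provider chain.
def client_options(region:, access_key: nil, secret_key: nil)
  if blank?(access_key) ^ blank?(secret_key)
    raise ArgumentError, 'access key and secret key must be supplied together'
  end
  opts = { region: region }
  opts[:credentials] = Credentials.new(access_key, secret_key, :explicit) unless blank?(access_key)
  opts
end

# Simplified, constructed model of the SDK search order quoted in the issue
# (role assumption and ~/.aws/config are left out). `env` is an ENV-like hash,
# `shared_profiles` a parsed ~/.aws/credentials, and `instance_profile` a
# callable returning temporary credentials from the EC2 metadata service or nil.
def resolve_credentials(env:, shared_profiles: {}, profile: 'default', instance_profile: -> { nil })
  if !blank?(env['AWS_ACCESS_KEY_ID']) && !blank?(env['AWS_SECRET_ACCESS_KEY'])
    return Credentials.new(env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY'], :env)
  end
  if (p = shared_profiles[profile])
    return Credentials.new(p[:aws_access_key_id], p[:aws_secret_access_key], :shared_file)
  end
  if (c = instance_profile.call)
    return Credentials.new(c[:access_key_id], c[:secret_access_key], :instance_profile)
  end
  nil # the real SDK raises Aws::Errors::MissingCredentialsError at this point
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: no key/secret stored, running on EC2 with an instance profile.
  opts = client_options(region: 'us-east-1')
  metadata = -> { { access_key_id: 'ASIAEXAMPLETEMPKEY', secret_access_key: 'constructed' } }
  creds = resolve_credentials(env: {}, instance_profile: metadata)
  puts "client options: #{opts.inspect}"
  puts "credentials come from: #{creds.source}" # => instance_profile (rotated by AWS)
end
```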

@miq-bot
Member Author

miq-bot commented Jan 21, 2019

This issue has been automatically marked as stale because it has not been updated for at least 6 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions!

@miq-bot miq-bot added the stale label Jan 21, 2019
@JPrause
Member

JPrause commented Jan 30, 2019

@namebrandon is this still a valid issue? If yes, let me know and I'll remove the stale label. If not, can you close it? If there's no update by next week, I'll be closing this issue.

@mikepietruszka

@namebrandon is this still a valid issue? If yes, let me know and I'll remove the stale label. If not, can you close it? If there's no update by next week, I'll be closing this issue.

I would say that this is still a valid issue.

@miq-bot miq-bot added the stale label Jun 11, 2020
@miq-bot
Member Author

miq-bot commented Jun 11, 2020

This issue has been automatically marked as stale because it has not been updated for at least 3 months.

If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.


7 participants