
Allow AWS provider to be defined without secret/key in order to assume instance credentials #17709

Closed
namebrandon opened this issue Jul 15, 2018 · 2 comments

@namebrandon

The AWS Ruby SDK v3 states the following order of credential usage for service interaction.

The SDK searches the following locations for credentials:

  • ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY']
  • Unless ENV['AWS_SDK_CONFIG_OPT_OUT'] is set, the shared configuration files (~/.aws/credentials and ~/.aws/config) will be checked for a role_arn and source_profile, which if present will be used to attempt to assume a role.
  • The shared credentials ini file at ~/.aws/credentials
  • Unless ENV['AWS_SDK_CONFIG_OPT_OUT'] is set, the shared configuration ini file at ~/.aws/config will also be parsed for credentials.
  • From an instance profile when running on EC2, or from the ECS credential provider when running in an ECS container with that feature enabled.
  • If using ~/.aws/config or ~/.aws/credentials a :profile option can be used to choose the proper credentials.

If a user were to run ManageIQ on an EC2 instance that had the appropriate instance profile defined (Instance Profile = IAM Role for an EC2 instance, rather than a user), no credentials would be required to add an AWS Cloud Provider to ManageIQ (assuming all interaction with AWS is done via Ruby SDK).

Currently ManageIQ requires a user to hard code a secret and key combination when defining an AWS Provider, which is a poor choice for security reasons (forces manual rotation of keys, passing the secrets in the clear in order to enter them, etc.). Allowing an instance profile to be used would remove the need for ManageIQ to store / maintain AWS-related credentials, and reduce the overall threat vector that comes with storing those secrets (keys are temporary, and rotated automatically).

As the AWS Ruby SDK already supports this functionality, when ManageIQ calls the SDK, simply not providing a secret or key should allow the SDK to cycle through the above listed options for obtaining credentials. I would request this feature / change to allow the definition of an AWS provider without specifying credentials, and when none are specified ManageIQ functionality should not attempt to pass any credentials to the SDK.
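The behaviour requested above, as an added example that is not part of the original issue or of ManageIQ's code: a helper that passes `access_key_id`/`secret_access_key` to an SDK v3 client only when both were supplied, omits them entirely when the provider was defined without credentials (so the SDK walks its chain down to the instance profile / ECS provider), and refuses a half-specified pair. `build_ec2_client` and the key values in the comments are assumptions for illustration.

```ruby
# Returns the option hash for Aws::<Service>::Client.new.
# - Both key and secret given   -> pass them explicitly (today's ManageIQ behaviour).
# - Both blank (nil or empty)   -> omit them, so the SDK's default chain applies:
#   ENV vars, ~/.aws/credentials + ~/.aws/config, then the EC2 instance profile
#   or the ECS credential provider. No long-lived secret is stored anywhere.
# - Only one of the two given   -> misconfiguration; fail loudly rather than let
#   the SDK quietly fall through to whatever other credential source exists.
def aws_client_options(access_key_id, secret_access_key, region:)
  key    = access_key_id.to_s.strip
  secret = secret_access_key.to_s.strip
  opts   = { region: region }

  if key.empty? && secret.empty?
    opts                                  # no credentials: provider chain decides
  elsif key.empty? || secret.empty?
    raise ArgumentError, 'access key and secret must be given together or not at all'
  else
    opts.merge(access_key_id: key, secret_access_key: secret)
  end
end

# Hypothetical helper: build an EC2 client from a provider definition.
# Requires the aws-sdk-ec2 gem where it is actually used; the option helper
# above is pure Ruby and needs no gem.
def build_ec2_client(access_key_id, secret_access_key, region:)
  require 'aws-sdk-ec2'
  Aws::EC2::Client.new(**aws_client_options(access_key_id, secret_access_key, region: region))
end

if __FILE__ == $PROGRAM_NAME
  # Provider defined without credentials (constructed input): only the region is
  # handed to the SDK, so on EC2 the instance profile supplies temporary keys.
  puts aws_client_options(nil, nil, region: 'us-east-1').inspect
end
```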


Fryguy commented Jul 15, 2018

@miq-bot move_issue manageiq-providers-amazon


miq-bot commented Jul 15, 2018

This issue has been moved to ManageIQ/manageiq-providers-amazon#463

@miq-bot miq-bot closed this as completed Jul 15, 2018