Configuration file equivalent of `AWS_SESSION_TOKEN`
simonw opened this issue · comments
Litestream configuration files currently support the following two S3 credential settings:
```yaml
access-key-id: AKIAxxxxxxxxxxxxxxxx
secret-access-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx
```
There is a third setting needed for some AWS credentials - the session token. This is required when working with time-limited credentials created using the `STS.AssumeRole()` mechanism.
My s3-credentials tool can be used to create these like so:
```
% s3-credentials create static.niche-museums.com --duration 15m
Assume role against arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess for 900s
{
    "AccessKeyId": "ASIAWXFXAIOZPAHAYHUG",
    "SecretAccessKey": "Nrnoc...",
    "SessionToken": "FwoGZXIvYXd...mr9Fjs=",
    "Expiration": "2021-11-11 03:24:07+00:00"
}
```
The obvious design here would be an optional `session-token` configuration property in the Litestream configuration that would work like this:
```yaml
access-key-id: AKIAxxxxxxxxxxxxxxxx
secret-access-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx
session-token: FwoGZXIvYXd...mr9Fjs=
```
It turns out Litestream DOES pick up the `AWS_SESSION_TOKEN` environment variable, if it is present - so the workaround for this missing feature right now is to run Litestream like so:
```sh
AWS_ACCESS_KEY_ID="..." \
AWS_SECRET_ACCESS_KEY="..." \
AWS_SESSION_TOKEN="..." \
litestream replicate fruits.db s3://my-bucket/fruits.db
```
It looks like this works because the underlying `aws/aws-sdk-go` library picks that up: https://github.com/aws/aws-sdk-go/blob/e2d6cb448883e4f4fcc5246650f89bde349041ec/aws/credentials/env_provider.go#L66
For completeness this key should indeed be added.
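
A sketch of how the proposed `session-token` setting could be resolved alongside the two existing ones, added here as an example and not Litestream's or aws-sdk-go's code. The type and function names are hypothetical, the sample values are constructed, and the `ASIA` check relies on AWS's documented prefix for temporary STS access key IDs.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// S3Credentials holds the three settings from the issue (hypothetical type).
type S3Credentials struct {
	AccessKeyID     string // access-key-id
	SecretAccessKey string // secret-access-key
	SessionToken    string // session-token, the proposed setting
	Source          string // set by ResolveS3Credentials: "config" or "env"
}

// ResolveS3Credentials takes all three values from a single source: the config
// file if it sets any key, otherwise the AWS_* environment variables. A config
// key pair is never combined with a token from the environment.
func ResolveS3Credentials(cfg S3Credentials, getenv func(string) string) (S3Credentials, error) {
	c := cfg
	c.Source = "config"
	if c.AccessKeyID == "" && c.SecretAccessKey == "" {
		c = S3Credentials{
			AccessKeyID:     getenv("AWS_ACCESS_KEY_ID"),
			SecretAccessKey: getenv("AWS_SECRET_ACCESS_KEY"),
			SessionToken:    getenv("AWS_SESSION_TOKEN"),
			Source:          "env",
		}
	}
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return S3Credentials{}, errors.New("access key id and secret access key are both required")
	}
	// "ASIA" marks a temporary STS access key ID; it only works with its token.
	if strings.HasPrefix(c.AccessKeyID, "ASIA") && c.SessionToken == "" {
		return S3Credentials{}, fmt.Errorf("%s: temporary (ASIA) access key has no session token", c.Source)
	}
	return c, nil
}

func main() {
	// Constructed sample values, not real credentials.
	cfg := S3Credentials{AccessKeyID: "ASIAEXAMPLEEXAMPLE00", SecretAccessKey: "constructed-secret"}
	_, err := ResolveS3Credentials(cfg, os.Getenv)
	fmt.Println("without session-token:", err)
	cfg.SessionToken = "constructed-token"
	c, err := ResolveS3Credentials(cfg, os.Getenv)
	fmt.Println("with session-token:", c.Source, err)
}
```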