Support for IAM Instance profile credentials

Question

Support for IAM Instance profile credentials

jwilmoth opened this issue 9 years ago · comments

I'd like to propose adding support for AWS IAM instance profile based credentials in addition to the options captured on http://beanstalker.ingenieux.com.br/beanstalk-maven-plugin/security.html. (i.e. using http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/InstanceProfileCredentialsProvider.html). This could be as simple as adding a backstop to attempt to instantiate a InstanceProfileCredentialsProvider in the AbstractAWSMojo.getAWSCredentials() method implementation if the existing mechanism aren't set. This could also be explicitly controlled with a common property.

Aldrin Leal · Answer 1 · Wed Sep 23 2015 14:05:53 GMT+0800 (China Standard Time)

Sure, I'm open to pull requests.

Start with this and perhaps this

Thank you

manthram · Answer 2 · Fri Sep 25 2015 02:53:39 GMT+0800 (China Standard Time)

I submitted a pull request to get credentials using ProfileCredentialsProvider. InstanceProfile is only valid if you are running within AWS, wont work if you are trying to test locally. probably need both in there

Aldrin Leal · Answer 3 · Wed Sep 30 2015 16:34:25 GMT+0800 (China Standard Time)

Sure, I merged.

Actually, IAM Profiles (the ones for EC2) are interesting to revisit, since build slaves on AWS are quite common nowadays.

jwilmoth · Answer 4 · Tue Nov 03 2015 02:16:57 GMT+0800 (China Standard Time)

I was able to run this and unfortunately I think the use of the ProfileCredentialProvider needs some additional checks. Running on an AWS EC2 instance where only the IAM instance profile is expected to be present I get the following error:

Caused by: java.lang.IllegalArgumentException: AWS credential profiles file not found in the given path: /home/rzttib/.aws/credentials
10:11:34 at com.amazonaws.auth.profile.internal.ProfilesConfigFileLoader.loadProfiles(ProfilesConfigFileLoader.java:45)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.loadProfiles(ProfilesConfigFile.java:194)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.(ProfilesConfigFile.java:119)
10:11:34 at com.amazonaws.auth.profile.ProfilesConfigFile.(ProfilesConfigFile.java:93)
10:11:34 at com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:149)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.getProfileEntry(AbstractAWSMojo.java:216)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.getAWSCredentials(AbstractAWSMojo.java:183)
10:11:34 at br.com.ingenieux.mojo.aws.AbstractAWSMojo.setupService(AbstractAWSMojo.java:374)

Aldrin Leal · Answer 5 · Fri Nov 20 2015 06:22:40 GMT+0800 (China Standard Time)

@jwilmoth, I decided to opt for the SDK's official stance. See if the latest changes make sense to you

Thank you

jwilmoth · Answer 6 · Sat Nov 21 2015 05:38:56 GMT+0800 (China Standard Time)

@aldrinleal Yep. The credential chain looks like just the thing that's needed.