django-secrets-manager
IAM roles support
Hi there,
This is a great idea, thanks for working on this!
I'm hosting my application(s) on AWS and would rather authenticate with IAM roles than with API keys, any chance you could support this?
I can probably send a PR if you're interested. :)
Hello. Thank you for the suggestion.
I'm not using an IAM role, so I don't know exactly about it, but from the boto3 documentation, it seems that boto3 will automatically get credentials from EC2 even if there is no configuration at session creation.
So I changed the point at which the CredentialsNotExists() exception occurred when the result of the get_credentials() method call in Session was None.
Commit: 3ef983934795fb5137fe1a17acb7cb6dd9411403
If you are interested in this project, I would appreciate it if you could check whether this library works in your EC2.
Thank you.
P.S. If there is something else that needs to be modified for the operation, please send me a PR and I will actively review it.
When used with a Lambda and deployed via Zappa, you get this error:
[ERROR] ClientError: An error occurred (UnrecognizedClientException) when calling the GetSecretValue operation: The security token included in the request is invalid.
This happens because the code loads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment variables and creates the session using those while there is an AWS_SESSION_TOKEN, which causes the error when trying to access the secrets. To prevent this behaviour, I've added this in the settings:
# Hack to prevent loading wrong credentials
SECRETS.access_key_names = ()
SECRETS.secret_key_names = ()
Maybe there could be an option to prevent loading these env variables when initialising AWSSecretsManagerSecrets?
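As an added example (not code from django-secrets-manager or from any commenter), this Python sketch contrasts the key-pair-only loading described in the comment above with a variant that either carries AWS_SESSION_TOKEN along or passes nothing, so that boto3 resolves role credentials itself. The function names, the `use_env_keys` switch and the sample environments are assumptions constructed for illustration.

```python
import os

# Constructed sample environments (all values are fake).
LAMBDA_ENV = {  # Lambda / assumed role: temporary credentials, three parts
    "AWS_ACCESS_KEY_ID": "ASIA-CONSTRUCTED",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "AWS_SESSION_TOKEN": "constructed-token",
}
STATIC_ENV = {  # long-lived IAM user key: two parts, no token
    "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
}
ROLE_ENV = {}  # EC2 instance profile: nothing in the environment


def naive_kwargs(environ):
    """Behaviour described in the comment: key pair only, token dropped."""
    return {
        "aws_access_key_id": environ.get("AWS_ACCESS_KEY_ID"),
        "aws_secret_access_key": environ.get("AWS_SECRET_ACCESS_KEY"),
    }


def session_kwargs(environ, use_env_keys=True):
    """Keyword arguments for boto3.Session; {} defers to boto3's own chain.

    `use_env_keys` is a hypothetical opt-out, not an option of the library.
    """
    key_id = environ.get("AWS_ACCESS_KEY_ID")
    secret = environ.get("AWS_SECRET_ACCESS_KEY")
    if not (use_env_keys and key_id and secret):
        return {}
    kwargs = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    if environ.get("AWS_SESSION_TOKEN"):
        # A temporary key pair is rejected unless its token travels with it.
        kwargs["aws_session_token"] = environ["AWS_SESSION_TOKEN"]
    return kwargs


def make_session(environ=os.environ, use_env_keys=True):
    import boto3  # lazy import: the helpers above run without boto3 installed

    session = boto3.Session(**session_kwargs(environ, use_env_keys))
    if session.get_credentials() is None:  # no provider yielded credentials
        raise RuntimeError("no AWS credentials found")
    return session
```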
Hey @n6g7 did you get anywhere with this? I would be willing to help as well. I have a working version for a fast-api project that uses boto3 with iam permissions (no keys etc required) and aws-secretsmanager-caching-python to boost performance (note there are a few reported issues with python-3.12).
I noticed that other django modules like storage work with iam policies so it would be nice to get this package to do the same.
Let me know if you'd be keen to collaborate (it has been a while since this issue was opened).
@devraj I never got around to building this and am not using Django anymore recently, sorry.