sdap-nexus
sdap-nexus copied to clipboard
apache
SDAP-517 - Credential management for AWS collections
This PR augments the configurations of Zarr (and eventually future) collections.
Initially, collections in non-public S3 buckets needed to be provided an Access Key ID and Secret Access Key pair:
config:
aws:
accessKeyID: <secret>
secretAccessKey: <secret>
public: false
Obviously, this is not ideal as long-term AWS keys are not only directly stored, but also need to be maintained by end users. This PR allows more options in defining AWS credentials.
Profiles
You can use credentials defined in AWS named profiles:
config:
aws:
profile: <profile name>
NASA DAAC Temporary S3 credentials
NASA DAACs make their data available for direct S3 access for running in the us-west-2 region. You can utilize this by specifying the credential endpoint or by picking from a list of predefined DAACs.
NOTE: This only works if running in the us-west-2 AWS region. A check will be made to see in SDAP is running in that region and these collections will be excluded if not
config:
earthdata:
endpoint: https://api.giovanni.earthdata.nasa.gov/s3credentials
config:
earthdata:
daac: podaac
An Earthdata login is required for this. Provide either EDL_USERNAME and EDL_PASSWORD environment variables or specify the login on a per-collection basis:
config:
earthdata:
daac: gesdisc
edl_username: <user>
edl_password: <pass>
Predefined DAACs:
- podaac
- podaac-swot
- gesdisc
- lpdaac
- obdaac
- nsidc
- laads
- asfdaac
- asfdaac-sentinel1
