
chore(ipfs-daemon): outline potential solution for role based S3 access

Open 0xm1kr opened this issue 3 years ago • 6 comments

This PR is to open a discussion regarding the use of role-based access over accessKeyId and secretAccessKey. During our node deployment we encountered the issue that if we do not explicitly set an accessKeyId and secretAccessKey then create-repo will throw the "Expect AWS credentials" error. This shouldn't really be the case because many deployments will have a role attached to the instance which contains the proper security policies; in fact, this is preferable to passing in credentials over environment variables from a security perspective.

I believe this code is close, however, it hasn't been fully tested and it needs refactoring to convert the createRepo function into an async function.

Let me know what you think and we can work toward a full implementation. It may have some large downstream impacts so I didn't want to go through the effort of a full solution if it doesn't make sense or if there is a better solution.

For the time being we simply created a new user/role (ceramic-state-s3-access) to generate keys specifically for this purpose and pass them in with custom environment variables which we manually pass in to the configuration object.

0xm1kr avatar Sep 07 '21 17:09 0xm1kr

This looks directionally reasonable to me, though I'm not super familiar with the AWS APIs. Adding @v-stickykeys and @smrz2001 to take a look.

stbrody avatar Sep 07 '21 17:09 stbrody

Yes, this looks correct to me, but I want to ensure I understand how it works. So with this code the AWS SDK grabs creds from the normal places? ~/.aws and env vars?

Correct, I think there are actually six different ways it can obtain credentials. See: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html

For our purposes we are attaching a role to our ECS Fargate containers: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role

0xm1kr avatar Sep 08 '21 18:09 0xm1kr
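The credential-selection logic the thread is converging on, as an added example (not js-ceramic's code and not the code in this PR): static keys are handed to the SDK only when both halves are present; when neither is set, `credentials` is left out of the client options so the AWS SDK's default provider chain (environment variables, shared credentials file, ECS task role, EC2 instance role) resolves them at runtime. The function name `buildS3ClientOptions`, the returned `source` field, the sample environments and the placeholder key values are all assumptions constructed for this example.

```javascript
'use strict';

// Added example, not js-ceramic code. Builds the options object for
// `new AWS.S3(options)` (SDK v2) for the ipfs-daemon S3 datastore so that
// an attached IAM role works without any explicit keys. The function name
// and the `source` field are assumptions made for this example.
function buildS3ClientOptions(env, { bucket, region }) {
  const accessKeyId = env.AWS_ACCESS_KEY_ID;
  const secretAccessKey = env.AWS_SECRET_ACCESS_KEY;

  // Base options accepted by the SDK v2 S3 constructor.
  const options = { region, params: { Bucket: bucket } };

  if (accessKeyId && secretAccessKey) {
    // Explicit static keys: honour them (plus a session token, if any).
    options.credentials = { accessKeyId, secretAccessKey };
    if (env.AWS_SESSION_TOKEN) {
      options.credentials.sessionToken = env.AWS_SESSION_TOKEN;
    }
    return { options, source: 'static' };
  }

  if (accessKeyId || secretAccessKey) {
    // Only one half of a static key pair is set. That is a misconfiguration,
    // not a request to use a role, so fail loudly instead of falling through
    // to the provider chain and surprising the operator at runtime.
    throw new Error(
      'Expect AWS credentials: set both AWS_ACCESS_KEY_ID and ' +
        'AWS_SECRET_ACCESS_KEY, or neither to use an attached IAM role'
    );
  }

  // Nothing explicit: leave `credentials` unset and let the SDK's default
  // provider chain pick up the ECS task role or EC2 instance role.
  return { options, source: 'provider-chain' };
}

// Constructed sample environments (placeholder values, not real keys).
const ROLE_ONLY_ENV = { AWS_REGION: 'us-east-1' };
const STATIC_KEY_ENV = {
  AWS_ACCESS_KEY_ID: 'AKIA_PLACEHOLDER',
  AWS_SECRET_ACCESS_KEY: 'secret-placeholder',
};

// Stand-alone demonstration: a role-only deployment and a static-key one.
const demoTarget = { bucket: 'ceramic-state-bucket', region: 'us-east-1' };
console.log(buildS3ClientOptions(ROLE_ONLY_ENV, demoTarget));
console.log(buildS3ClientOptions(STATIC_KEY_ENV, demoTarget));
// In the daemon this would continue with: new AWS.S3(result.options)
```

Note that only the fully-static and fully-absent cases are accepted; a half-set key pair is rejected with the same "Expect AWS credentials" message the daemon already raises, which keeps existing misconfiguration visible while letting a Fargate task role work with no keys at all.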

@v-stickykeys @smrz2001 Any opinion on what to do about the PR?

ukstv avatar Jun 27 '22 14:06 ukstv

I'll take a look, @ukstv @stbrody. We can potentially merge it in this week, I think. Looks fairly straightforward, just need to test it a bit.

smrz2001 avatar Jun 28 '22 13:06 smrz2001

How are things going @smrz2001?

ukstv avatar Oct 21 '22 13:10 ukstv

How are things going @smrz2001?

Hehe, yeah, @ukstv, this one's been pending for a long time. Will take care of it this/next cycle.

smrz2001 avatar Oct 21 '22 13:10 smrz2001