Add support for temporary credentials

[albertleao]

Unless I'm missing something, this library doesn't support temporary credentials. You can follow how to do it here: https://stackoverflow.com/questions/18884683/browser-uploads-to-s3-with-instance-roles

[eddturtle]

Hi Albert, just so I'm clear, what would the temporary credentials allow you to do that you can't do now? I'm just thinking that the credentials you use with this package aren't sent over the wire as it is.

[albertleao]

When using temporary credentials you also receive a session token which isn't available when hard coding credentials. From what I was told via my prolonged conversations on Stack Overflow is that the the session token needs to be used when creating the policy on the backend.

Using the temporary credentials prevents users from hard coding account keys into their codebase.

[albertleao]

Just realized I had already posted the link in my first post... I'm a little tired! :)

If you see the link in the example, the security token is passed into the policy before signing.

[albertleao]

@eddturtle Did this make sense?

[eddturtle]

Hi, I'm still trying to wrap my head around the advantage of this. Just because the code accepts YOUR_S3_KEY and YOUR_S3_SECRET doesn't mean you need to hard code your credentials. Most apps will use a "12 factor approach" and store the config in something like environment variables to prevent the sensitive info being in your code base. The details are also not sent across to amazon, a signature is generated instead. The details are also not shown to the client in the browser. So, what's the problem you're trying to solve? (as apose to just wanting it)

The only advantage in using tokens from the stack overflow post I can see is their temporary.

[albertleao]

Hey Edd, Good points.

You can pass in environment variables to your instances in beanstalk or opsworks and then retrieve them in your instance to use with this library, but this is not the recommended or most secure approach.

The recommended by amazon approach consists of using temporary credentials provided by your instance. This way, you're not hard coding root credentials or using root credentials as environment variables which inherently has security risks.

By using temporary credentials from your instance, you can manage your instances using AWS IAM profiles. These temporary credentials are automatically rotated for you, maintain the permissions set by your IAM profile attached to your instance, and also keep your environment variables cleaner as you won't have a set of temporary credentials AND your custom environment variables if you're passing in root credentials.

There are quite a few advantages with using temporary credentials from security to manageability. After speaking with an Amazon rep, they insisted that I always use libraries that support the temporary credential method to avoid passing in credentials via the environment myself and letting ec2 and IAM handle the permissions.

Hope I made sense.

[eddturtle]

Thanks for the update, it was actually helpful to have that explination. I'm pretty swampped for time at the moment - but will look into this shortly.

[weeeelye]

Hi, hopefully this will help someone: You can use the AWS CredentialProvider to generate the temporary credentials (key,secret and as well as the security token), then attach "X-amz-security-token" header with security token as opts and create signature.

[eddturtle]

Thanks for the update @weeeelye - looks like useful info