clj-aws-s3

more credentials options

Open MichaelBlume opened this issue 10 years ago • 7 comments

allow explicit creds, or use of the DefaultAWSCredentialsProviderChain if nothing is given

MichaelBlume avatar Apr 02 '15 23:04 MichaelBlume

Please see issue #69 for an explanation of how I think this behaviour should be implemented.

weavejester avatar Apr 03 '15 03:04 weavejester

@weavejester the point is that for almost all cases the AWS best practice is to supply no creds at all and let the AWS SDK determine what creds to use via whatever is deemed to be correct for the env it's running in. AWS is best placed to determine what the defaults should be. If we implement a map representation of the default chain it will inevitably diverge from AWS best practice. I recommend that we should optimize for the most common case. This would be a breaking change to the API, but I bet most users would be happy to live with it.

sw1nn avatar Apr 03 '15 08:04 sw1nn

Hm. I've wanted to avoid using Java objects if Clojure data structures will do, but perhaps that would ultimately be more problematic. If someone wants to create a branch where an AmazonS3Client object is passed to functions, rather than a map, I'll consider it.

weavejester avatar Apr 03 '15 13:04 weavejester

I also did a PR that defers to the default, as @sw1nn suggests; best practice is to use IAM roles, so that should at least be possible.

thattommyhall avatar Jun 05 '15 14:06 thattommyhall

This PR works well for me. We only use IAM roles and not explicit keys. The default to DefaultAWSCredentialsProviderChain is the best option.

calumlean avatar Jun 16 '15 10:06 calumlean

Also worth noting that DefaultAWSCredentialsProviderChain does not include ProfileCredentialsProvider in AWS SDK 1.7.5, which is what clj-aws-s3 currently uses. That's the provider that pulls data from ~/.aws/credentials.

It was added in 1.7.8; in the meantime, if you're using 1.7.5, you can do this to grab the credentials yourself:

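    (import '[com.amazonaws.auth AWSCredentialsProvider AWSCredentialsProviderChain
              DefaultAWSCredentialsProviderChain]
            '[com.amazonaws.auth.profile ProfileCredentialsProvider])

    ;; Try the SDK's default chain first, then fall back to ~/.aws/credentials.
    (let [provider  (->> [(DefaultAWSCredentialsProviderChain.) (ProfileCredentialsProvider.)]
                         (into-array AWSCredentialsProvider)
                         (AWSCredentialsProviderChain.))
          sdk-creds (.getCredentials provider)]
      {:access-key (.getAWSAccessKeyId sdk-creds)
       :secret-key (.getAWSSecretKey sdk-creds)})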

Note that this is subtly different; in 1.7.8+, the ProfileCredentialsProvider comes before InstanceProfileCredentialsProvider, while in my code it comes after. You can always construct the full chain yourself, instead of using DefaultAWSCredentialsProviderChain.

jffry avatar Oct 23 '15 21:10 jffry
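The comment above mentions building the full chain yourself; the following is an added example, not code from the thread or from clj-aws-s3, that does so with the profile provider ahead of the instance-profile provider and keeps the session token that IAM-role credentials carry. The helper names `explicit-chain` and `resolve-cred-map` are hypothetical, and the `:token` key is an assumption about what the consuming code accepts.

```clojure
;; Added example: explicit provider chain plus a credential map that
;; preserves temporary (session) credentials.
(import '[com.amazonaws.auth
          AWSCredentialsProvider AWSCredentialsProviderChain AWSSessionCredentials
          EnvironmentVariableCredentialsProvider SystemPropertiesCredentialsProvider
          InstanceProfileCredentialsProvider]
        '[com.amazonaws.auth.profile ProfileCredentialsProvider])

(defn explicit-chain
  "Hypothetical helper. Lookup order: environment variables, JVM system
  properties, ~/.aws/credentials, then the EC2 instance profile (IAM role),
  i.e. the profile provider is consulted before the instance profile."
  []
  (->> [(EnvironmentVariableCredentialsProvider.)
        (SystemPropertiesCredentialsProvider.)
        (ProfileCredentialsProvider.)
        (InstanceProfileCredentialsProvider.)]
       (into-array AWSCredentialsProvider)
       (AWSCredentialsProviderChain.)))

(defn resolve-cred-map
  "Hypothetical helper. Resolves credentials once and returns a plain map.
  Credentials issued for an IAM role are temporary and include a session
  token; a map holding only the key pair would be rejected by AWS, so the
  token is copied when present. :token is an assumed key name."
  [^AWSCredentialsProviderChain chain]
  (let [creds (.getCredentials chain)] ; throws if no provider yields credentials
    (cond-> {:access-key (.getAWSAccessKeyId creds)
             :secret-key (.getAWSSecretKey creds)}
      (instance? AWSSessionCredentials creds)
      (assoc :token (.getSessionToken creds)))))

(comment
  ;; Requires the AWS Java SDK on the classpath and at least one
  ;; credential source configured in the environment.
  (keys (resolve-cred-map (explicit-chain))))
```

The returned map is a snapshot: role credentials expire, so resolve them again when needed instead of caching the map for the life of the process.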

For what it's worth, this pull request was a drop-in replacement for the published clj-aws-s3 0.3.10 in my application, and is very similar to how other AWS libraries work (e.g. pass in an empty cred map and it uses the DefaultAWSCredentialsProviderChain to let the client object figure it out). One small caveat for me: I am forcing a newer version of the AWS Java SDK because of class loader conflicts with one of those other libraries, so @jffry's comment may still hold true and I'm just not running into it. Either way, I think this (or something very similar) should be in the library as it's standard practice and the change doesn't break any other parts of the library.

theJenix avatar Apr 09 '16 16:04 theJenix