I know this has been discussed before, but I'd like to bring this up again because it is a show stopper for us, and upon research it has been the same for quite a few Concourse adopters too, so I think it warrants a new open-minded discussion. I really want more users to be able to adopt and use Concourse.
Just a quick intro for anyone that is not familiar with AWS security. Using an access key and secret for a server to access AWS resources is a huge red flag when you are being reviewed by cyber security. The reason is that an access key and secret pair is designed for human users making calls from their local machine, not for production servers.
For servers on premise or on AWS, AWS Security Token Service should be used, and an IAM Role (an Instance Profile is a container for an IAM Role to be assigned to an EC2 VM) is an incarnation of that. An IAM Role increases security by passing you a temporary credential for each API call, and it will rotate the temporary credential anywhere from every 1 hour to every 12 hours (configurable).
This feature request is not about coupling services to any vendor's infrastructure; it is about following security best practice when you do support a new resource, no matter if it is from Cloud Foundry or AWS or others.
As for the difficulty of implementing it, the AWS Go SDK handles all this logic for you, so it is really low-hanging fruit. I can see there are a couple of PRs for it already, although not merged. Plus Concourse's credential management backed by Amazon SSM or Amazon Secrets Manager has implemented support for IAM roles, so we can reference that too.
Thanks for reading this and happy to help where I can.
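The fallback the request describes, as an added example in Go using only the standard library (not the resource's or Concourse's own code): keys from the resource source when they are set, otherwise the instance profile's temporary STS credentials fetched over IMDSv2 the way the AWS Go SDK's EC2 role provider does it. The function and field names and the `imdsBase` parameter are this example's own assumptions (on a real instance the metadata address is 169.254.169.254); in a resource you would let the SDK's default credential chain do this rather than reimplement it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Creds is the JSON the instance metadata service returns for a role; field names follow its keys.
type Creds struct{ AccessKeyId, SecretAccessKey, Token string; Expiration time.Time }
// Credentials uses keys set in the resource source when present (static, never rotated); otherwise it fetches the instance profile's rotating STS credentials the way the SDK's EC2 role provider does.
func Credentials(accessKey, secretKey, imdsBase string) (cr Creds, err error) {
	if accessKey != "" && secretKey != "" {
		return Creds{AccessKeyId: accessKey, SecretAccessKey: secretKey}, nil
	}
	c := &http.Client{Timeout: 2 * time.Second}
	const p = "/latest/meta-data/iam/security-credentials/"
	token := imds(c, &err, http.MethodPut, imdsBase+"/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "300")
	role := imds(c, &err, http.MethodGet, imdsBase+p, "X-aws-ec2-metadata-token", token)
	raw := imds(c, &err, http.MethodGet, imdsBase+p+role, "X-aws-ec2-metadata-token", token)
	if err == nil {
		err = json.Unmarshal([]byte(raw), &cr)
	}
	if err == nil && (cr.Token == "" || !cr.Expiration.After(time.Now())) { // temporary creds always carry both
		err = fmt.Errorf("instance profile returned no usable temporary credential")
	}
	return cr, err
}
// imds performs one metadata request and returns the trimmed body; once *err is set it does nothing.
func imds(c *http.Client, err *error, method, url, hdr, val string) string {
	if *err != nil {
		return ""
	}
	req, _ := http.NewRequest(method, url, nil)
	req.Header.Set(hdr, val)
	resp, e := c.Do(req)
	if e != nil {
		*err = e
		return ""
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		*err = fmt.Errorf("imds %s: status %d", url, resp.StatusCode)
	}
	return strings.TrimSpace(string(body))
}
```

Outside EC2 the metadata address is unreachable, so the role path fails closed with an error instead of silently continuing without credentials.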
Thanks for the feedback! I hear ya - I actually opened concourse/concourse#3023 just recently to reopen discussion around IAM roles. Mind if I close this to centralize the discussion there? That issue also has a proposal which might fit your needs.