Credentials from EC2 Instance Metadata #49

Open
stocks29 opened this issue Dec 9, 2016 · 5 comments

@stocks29

stocks29 commented Dec 9, 2016

It would be great if the client would optionally pull credentials from EC2 instance metadata at the least, or optimally mimic the default credential provider chain:

http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#using-the-default-credential-provider-chain

@cjbottaro

Is that how the Ruby client doesn't require AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY when running from an instance in AWS?

I came to ask for a feature: don't require AWS_*_KEYS when running from a machine in AWS.

@jkakar
Owner

jkakar commented Jul 19, 2017

Indeed. For Erlang, I wrote https://github.com/jkakar/aws-erlang-metadata to do this. It'd be nice to replicate this for Elixir.

@cjbottaro

So I wrote some code to query the AWS metadata url and fill in the AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY... and it didn't work. I mean, the keys had the wrong IAM permissions.

Here's the code:

```elixir
def add_credentials(options, :meta) do
  path = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

  creds = with {:ok, response} <- HTTPoison.get(path),
    {:ok, response} <- HTTPoison.get("#{path}#{response.body}"),
    {:ok, creds} <- Poison.decode(response.body) do
    creds
  else
    _ -> %{}
  end

  options
    |> put_new(:access_key_id, creds["AccessKeyId"])
    |> put_new(:secret_access_key, creds["SecretAccessKey"])
end
```

The returned options is a Map that gets turned into an Aws.Client struct.

The permission problem may be on my end; I'm not entirely sure how permissions work in ECS. I know that both an ECS instance and ECS service get an IAM role.
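
Added example (not code from this thread or from aws-elixir): on ECS the instance metadata path used above returns the container host's role, while a task's own role is served from `http://169.254.170.2` plus the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` path, and either document is only usable together with its `Token` until `Expiration`. The module name, the injected `get`/`decode` functions and the `:session_token`/`:expires_at` option keys are assumptions, and the sample document is constructed.

```elixir
defmodule MetadataCredentials do
  @instance_base "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  @container_host "http://169.254.170.2"

  # ECS sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI when a task has its own
  # role; the instance path returns the role of the EC2 host instead.
  def source(env) do
    case Map.get(env, "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "") do
      "" -> {:instance_role, @instance_base}
      uri -> {:task_role, @container_host <> uri}
    end
  end

  # get.(url) and decode.(body) are injected and return {:ok, value} or an error.
  def fetch(env, get, decode, now) do
    with {:ok, body} <- document_body(source(env), get),
         {:ok, doc} <- decode.(body),
         do: to_options(doc, now)
  end

  defp document_body({:task_role, url}, get), do: get.(url)

  # The instance path first lists the role name, then serves its document.
  defp document_body({:instance_role, base}, get) do
    with {:ok, role} <- get.(base), do: get.(base <> String.trim(role))
  end

  # Reject documents that lack the session token or are past Expiration.
  def to_options(doc, now) do
    with %{"AccessKeyId" => id, "SecretAccessKey" => secret, "Token" => token,
           "Expiration" => exp} when is_binary(exp) <- doc,
         {:ok, expires_at, _offset} <- DateTime.from_iso8601(exp),
         :gt <- DateTime.compare(expires_at, now) do
      {:ok, %{access_key_id: id, secret_access_key: secret,
              session_token: token, expires_at: expires_at}}
    else
      cmp when cmp in [:lt, :eq] -> {:error, :expired}
      _ -> {:error, :incomplete_document}
    end
  end
end

# Constructed placeholder values, not real credentials; get and decode are stubs.
doc = %{"AccessKeyId" => "ASIAEXAMPLE", "SecretAccessKey" => "example-secret",
        "Token" => "example-token", "Expiration" => "2030-01-01T00:00:00Z"}
env = %{"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" => "/v2/credentials/example"}
now = ~U[2029-12-31 00:00:00Z]
IO.inspect(MetadataCredentials.source(env))
IO.inspect(MetadataCredentials.fetch(env, fn _url -> {:ok, doc} end, &{:ok, &1}, now))
IO.inspect(MetadataCredentials.to_options(Map.delete(doc, "Token"), now))
```

In real use `get` would wrap an HTTP client call such as `HTTPoison.get/1` and `decode` would be `Poison.decode/1`; on instances that require IMDSv2, `get` must also send the session token header obtained with a PUT to `/latest/api/token`.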

@uberbrodt

I wrote and published this: https://github.com/uberbrodt/ex_aws_metadata

I tested it with AWS Elasticsearch and it worked. I plan to contribute a pull request to add it as an option to this project when I have the time.

@jkakar
Owner

jkakar commented Dec 22, 2017

@uberbrodt Sorry for taking so long to respond, but that looks great! I'd love to see a pull request to merge it here or to update the README to make it more easily discoverable to users of aws-elixir.
