Credentials from EC2 Instance Metadata #49
Comments
Is that how the Ruby client doesn't require AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY when running from an instance in AWS? I came to ask for a feature: don't require AWS_*_KEYS when running from a machine in AWS.
Indeed. For Erlang, I wrote https://github.com/jkakar/aws-erlang-metadata to do this. It'd be nice to replicate this for Elixir.
So I wrote some code to query the AWS metadata url and fill in the AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY... and it didn't work. I mean, the keys had the wrong IAM permissions. Here's the code:

```elixir
def add_credentials(options, :meta) do
  path = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

  # The first GET returns the role name; the second GET returns that
  # role's credential document as JSON.
  creds =
    with {:ok, response} <- HTTPoison.get(path),
         {:ok, response} <- HTTPoison.get("#{path}#{response.body}"),
         {:ok, creds} <- Poison.decode(response.body) do
      creds
    else
      # Any failure falls through to an empty map.
      _ -> %{}
    end

  options
  |> put_new(:access_key_id, creds["AccessKeyId"])
  |> put_new(:secret_access_key, creds["SecretAccessKey"])
end
```

The returned The permission problem may be on my end; I'm not entirely sure how permissions work in ECS. I know that both an ECS instance and ECS service get an IAM role.
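An added example, not code from this thread or from aws-elixir: the document served under the security-credentials path holds temporary credentials, so alongside `AccessKeyId` and `SecretAccessKey` it carries a `Token` and an `Expiration`, and the sketch below validates all of them on the already-decoded map (as `Poison.decode` returns it). The module name, the returned keys, the refresh margin and the sample values are assumptions made for illustration.

```elixir
defmodule MetadataCreds do
  # Hypothetical helper, not part of aws-elixir. Takes the map decoded from
  # .../meta-data/iam/security-credentials/<role-name> and returns the values
  # a signed request needs, or an error tuple instead of an empty map.

  # Seconds; credentials this close to expiry are treated as stale (assumed value).
  @refresh_margin 300

  def from_metadata(doc, now \\ DateTime.utc_now())

  def from_metadata(%{"Code" => "Success", "AccessKeyId" => id,
                      "SecretAccessKey" => secret, "Token" => token,
                      "Expiration" => exp}, now) do
    with {:ok, expires_at, _offset} <- DateTime.from_iso8601(exp),
         true <- DateTime.diff(expires_at, now, :second) > @refresh_margin do
      {:ok, %{access_key_id: id, secret_access_key: secret,
              session_token: token, expires_at: expires_at}}
    else
      false -> {:error, :expired}
      {:error, _} -> {:error, :bad_expiration}
    end
  end

  # The metadata service reported a failure for this role.
  def from_metadata(%{"Code" => code}, _now) when code != "Success",
    do: {:error, {:metadata_code, code}}

  # A key, secret, token or expiration is absent.
  def from_metadata(_doc, _now), do: {:error, :missing_fields}
end

# Constructed sample document (placeholder values, not real credentials).
sample = %{
  "Code" => "Success",
  "Type" => "AWS-HMAC",
  "AccessKeyId" => "ASIAEXAMPLEKEYID",
  "SecretAccessKey" => "example-secret",
  "Token" => "example-session-token",
  "Expiration" => "2030-01-01T06:00:00Z"
}

now = ~U[2030-01-01 00:00:00Z]
IO.inspect(MetadataCreds.from_metadata(sample, now))
IO.inspect(MetadataCreds.from_metadata(sample, ~U[2030-01-01 05:58:00Z]))
IO.inspect(MetadataCreds.from_metadata(Map.delete(sample, "Token"), now))
```

Returning an error tuple keeps a failed or partial lookup from silently placing `nil` keys into the client options.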
I wrote and published this: https://github.com/uberbrodt/ex_aws_metadata I tested it with AWS Elasticsearch and it worked. I plan to contribute a pull request to add it as an option to this project when I have the time.
@uberbrodt Sorry for taking so long to respond, but that looks great! I'd love to see a pull request to merge it here or to update the README to make it more easily discoverable to users of aws-elixir.
It would be great if the client would optionally pull credentials from EC2 instance metadata at the least, or optimally mimic the default credential provider chain:
http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#using-the-default-credential-provider-chain