Bucket Access with IAM role

[damc-dev]

Best practice is to use IAM role provided for S3 client access instead of providing access and secret keys.
Since S3 client instantiation provides explicit access and secret keys it takes precedence over IAM Role.
Should be fixable by not passing in the access and secret keys if environment variable is not set.

[QingWei-Li]

Can you tell me exactly what to do, sorry I don’t understand IAM.

[okdas]

@QingWei-Li I believe @damc-dev refers to how AWS API keys are getting populated. In AWS world, it is not necessary to provide AWS keys, but AWS SDK will pick up the role/instance profile/EKS-IRSA automatically. https://github.com/aws/aws-sdk-js-v3/tree/main/packages/credential-provider-node#aws-credential-provider-for-nodejs

I have not tested how notea behaves in this scenario. :)

[dcampoyil]

@QingWei-Li I can see this project is using already the aws-sdk as S3 client. I believe that if you make STORE_ACCESS_KEY and STORE_SECRET_KEY optional and don't add the credentials field when there are undefined, then aws-sdk will be able to pick the AWS credentials up from the role/instance profile/EKS-IRSA automatically.

Happy to help with code or testing if you want.

[QingWei-Li]

@dcampoyil Thanks! It would be better if you could help, I'm sorry I don't have time to study this yet