Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support loading AWS credentials from AWS profiles #2786

Closed
rgueldem opened this issue Oct 14, 2020 · 6 comments
Closed

Support loading AWS credentials from AWS profiles #2786

rgueldem opened this issue Oct 14, 2020 · 6 comments
Assignees
@ashutosh-narkar
Labels
feature-request

Comments

@rgueldem
Copy link

rgueldem commented Oct 14, 2020
edited
Loading

AWS supports storing credentials on disk and loading them into the AWS CLI as well as their SDK. We use that setup to integrate with S3 for our services and it would be great if OPA would be able to ingest these credentials as well instead of relying on environment variables.

Note, that the SDK profile credential provider supports rotation of credentials.

Expected Behavior

Ability to configure service credentials for S3 by referencing an AWS profile or by using the default AWS profile if none is set. Support for rotation of short-living credentials without restarts.

Actual Behavior

Need to pass in secrets via environment variable to set s3_signing option. Need to restart OPA when short-living credentials expire.

Steps to Reproduce the Problem

n/a

Additional Info

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html?com/amazonaws/auth/profile/ProfileCredentialsProvider.html
https://docs.aws.amazon.com/sdk-for-go/api/aws/credentials/#NewSharedCredentials
@anderseknert
Copy link
Member

@olamiko would you want to work on this?

@olamiko
Copy link
Contributor

olamiko commented May 24, 2021

@anderseknert, yes, I will like to work on this issue. Please assign me

@anderseknert anderseknert assigned olamiko and unassigned olamiko May 24, 2021
@rgueldem
Copy link
Author

Hi team, are there any plans to implement this in the near to mid term? It would simplify our key rotation process since we currently need to restart our agents every 12 hours to refresh the credentials.

@tsandall
Copy link
Member

@rgueldem we can prioritize this over the next few weeks. We should be able to land this in December.

@ashutosh-narkar ashutosh-narkar self-assigned this Nov 18, 2021
ashutosh-narkar added a commit to ashutosh-narkar/opa that referenced this issue Nov 24, 2021
@ashutosh-narkar
plugins: Add new credential provider for AWS credential files
e854703 
Earlier users could provide sensitive values such as AWS
secret keys using environment variables. This change adds
a new AWS credential provider which reads the credential file
to fetch credentials for a named profile. If no profile is
provided, the "default" profile is used. OPA reads the
credentials from the file on each request and uses them
for authentication.

Fixes: open-policy-agent#2786

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
@ashutosh-narkar
Copy link
Member

@rgueldem it would be great to get your feedback on these changes. It would be good to know if they address your use-case.

srenatus added a commit to srenatus/opa that referenced this issue Dec 1, 2021
@ashutosh-narkar @srenatus
plugins/rest/aws: Add new credential provider for AWS credential files
7d73d52 
Earlier users could provide sensitive values such as AWS
secret keys using environment variables. This change adds
a new AWS credential provider which reads the credential file
to fetch credentials for a named profile. If no profile is
provided, the "default" profile is used. OPA reads the
credentials from the file on each request and uses them
for authentication.

Fixes: open-policy-agent#2786

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Co-authored-by: Stephan Renatus <stephan.renatus@gmail.com>
@rgueldem
Copy link
Author

rgueldem commented Dec 1, 2021
edited
Loading

@rgueldem it would be great to get your feedback on these changes. It would be good to know if they address your use-case.

Thanks! Going by the description this should work for us. I am a little concerned about the performance impact of reloading the file on each request. (Sorry, I just realized it loads them for each request to S3, which is perfect.) I will report back in case we see any issues after upgrading and applying the new config.

@mbamber mbamber mentioned this issue Jul 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ashutosh-narkar ashutosh-narkar

Labels
feature-request
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tsandall @rgueldem @anderseknert @ashutosh-narkar @patrick-east @olamiko