[AdvancedAmazonS3] Use IAM Instance Roles instead of AccessKeys !! Please

Published on 2018-10-09 by Hanno

Hi,

Our team has recently installed this S3 access plugin. While the plugin works and allows S3 access, it does require an AccessKey to be managed. AccessKeys can leak and they also age.


Can you guys leverage the IAM Instance Role when running from an EC2 Instance?

Normally, in the API, if the key is not there it should revert to the default IAM role. You can simply allow no keys and, if there are no keys, use the default connection to the API.

I propose to change the code in AdvancedAmazonS3.cs to replace the current blocks in every function with a global function that initializes the AmazonS3 client.


Code as follows:

        /// <summary>
        ///  Use this line in your code:            AmazonS3 client = getAmazonS3Client(sstoken, ssuseProxy, ssproxyDetails);
        /// </summary>
        /// <param name="sstoken">Optional access key / secret key pair; when absent, the SDK's default credential chain (including the EC2 instance role) is used</param>
        /// <param name="ssuseProxy">Whether to route requests through the proxy described in ssproxyDetails</param>
        /// <param name="ssproxyDetails">Proxy host, port and credentials</param>
        /// <returns>An AmazonS3 client configured with the resolved credentials and proxy settings</returns>
        private AmazonS3 getAmazonS3Client(RCAmazonTokenRecord sstoken, bool ssuseProxy, RCProxyDetailsRecord ssproxyDetails)
        {
            AmazonS3 client;

            // No access key supplied: let the SDK fall back to its default credential chain
            // (environment, profile, then the IAM instance role when running on EC2).
            bool useDefaultCredentials = sstoken == null
                || sstoken.ssSTAmazonToken == null
                || string.IsNullOrEmpty(sstoken.ssSTAmazonToken.ssAccessKey);

            if (ssuseProxy && IsValidProxyDetails(ssproxyDetails))
            {
                AmazonS3Config config = new AmazonS3Config();
                config.ProxyHost = ssproxyDetails.ssSTProxyDetails.ssServer;
                config.ProxyPort = ssproxyDetails.ssSTProxyDetails.ssPort;
                config.ProxyCredentials = new NetworkCredential(ssproxyDetails.ssSTProxyDetails.ssUsername, ssproxyDetails.ssSTProxyDetails.ssPassword);

                if (useDefaultCredentials)
                    client = AWSClientFactory.CreateAmazonS3Client(config);
                else
                    client = AWSClientFactory.CreateAmazonS3Client(sstoken.ssSTAmazonToken.ssAccessKey, sstoken.ssSTAmazonToken.ssSecretKey, config);
            }
            else
            {
                if (useDefaultCredentials)
                    client = AWSClientFactory.CreateAmazonS3Client();
                else
                    client = AWSClientFactory.CreateAmazonS3Client(sstoken.ssSTAmazonToken.ssAccessKey, sstoken.ssSTAmazonToken.ssSecretKey);
            }

            return client;
        }



Then replace the block of code in each function with a single line:

AmazonS3 client = getAmazonS3Client(sstoken, ssuseProxy, ssproxyDetails);


Also make the token not mandatory. This should allow the use of IAM Instance Roles instead of AccessKeys when running on an EC2 instance.
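The same fallback written against the current AWSSDK.S3 v3 API, as an added example that is not the Forge component's code: credentials are resolved explicitly so the application log shows whether a static key or the instance role is actually in use. It assumes the AWSSDK.S3 NuGet package and passes the key and proxy values as plain strings instead of the component's record types.

```csharp
using System;
using System.Net;
using Amazon.Runtime;
using Amazon.S3;

// Added example, not part of the AdvancedAmazonS3 component. Assumes AWSSDK.S3 v3;
// accessKey/secretKey/proxy parameters stand in for the component's record types.
public static class S3ClientFactory
{
    // Static keys only when both are supplied; otherwise the SDK's default chain
    // (environment variables, shared profile, then EC2 instance metadata).
    public static AWSCredentials ResolveCredentials(string accessKey, string secretKey)
    {
        if (!string.IsNullOrWhiteSpace(accessKey) && !string.IsNullOrWhiteSpace(secretKey))
            return new BasicAWSCredentials(accessKey, secretKey);

        // Throws if no credential source is available at all, which is preferable
        // to silently continuing without credentials.
        return FallbackCredentialsFactory.GetCredentials();
    }

    public static AmazonS3Client Create(string accessKey, string secretKey,
        string proxyHost = null, int proxyPort = 0,
        string proxyUser = null, string proxyPassword = null)
    {
        var config = new AmazonS3Config();
        if (!string.IsNullOrWhiteSpace(proxyHost) && proxyPort > 0)
        {
            config.ProxyHost = proxyHost;
            config.ProxyPort = proxyPort;
            if (!string.IsNullOrEmpty(proxyUser))
                config.ProxyCredentials = new NetworkCredential(proxyUser, proxyPassword);
        }

        AWSCredentials credentials = ResolveCredentials(accessKey, secretKey);

        // Operational check: on EC2 with no keys configured the chain should land on
        // InstanceProfileAWSCredentials. Logging the type makes a leftover static key
        // visible during a credential-rotation review.
        Console.WriteLine("S3 credential source: " + credentials.GetType().Name);
        if (credentials is BasicAWSCredentials)
            Console.WriteLine("WARNING: static access key in use; prefer an instance role.");

        return new AmazonS3Client(credentials, config);
    }
}
```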