Credentials for instance with AWS IAM role? #95

Closed
jossoco opened this issue May 11, 2015 · 6 comments

jossoco commented May 11, 2015

Hi,

I'm really puzzled as to how to use Slingshot on an EC2 instance with an IAM role granting it access to S3. I have tried retrieving credentials through EC2MetadataCredentials and passing them to Slingshot, but this is ineffective ("Error: Failed to upload file to cloud storage [ - 0]").

I know that the IAM role policy is correct; I can, for example, delete items from S3 with aws-sdk without configuring additional credentials.

I may be missing something obvious or completely unrelated to Slingshot, but is this something you've gotten to work before, and if so how?

Thanks!

Contributor

gsuess commented May 11, 2015

Can you please inspect the POST request that is failing in your browser's developer tools? It should bring you to an XML document that contains more details on why it is failing.

Author

jossoco commented May 12, 2015

The issue is that a request using temporary security credentials needs to include the session token. This fixes it.

Contributor

gsuess commented May 12, 2015

Okay, please help me understand this...

From EC2MetaCredentials you get the properties accessKeyId, secretAccessKey and sessionToken, right? So how come that the signature generated from accessKeyId and secretAccessKey is not sufficient for the upload? And if you already have a sessionToken, which to my understanding is a token that provides temporary full access of the user that owns it, why would you need a signature then?

Author

jossoco commented May 12, 2015

Per this doc:

> You can use temporary security credentials to make programmatic requests for AWS resources using the AWS SDKs or using API calls, the same way that you can use long-term security credentials such as IAM user credentials. However, there are a few differences:
>
> When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials.

Contributor

gsuess commented May 13, 2015

Okay, so the accessKeyId and secretAccessKey are temporary too and AWS won't accept anything signed by them without being given the corresponding sessionToken?

Author

jossoco commented May 13, 2015

That is my understanding, yes.

gsuess added a commit that referenced this issue May 18, 2015
Added `Slingshot.S3Storage.TempCredentials`.
gsuess added a commit that referenced this issue May 18, 2015
gsuess added a commit that referenced this issue May 18, 2015
Removed extra bracket.
@gsuess gsuess closed this as completed May 18, 2015
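
The point settled in this thread, as an added example (not Slingshot's code and not part of the original issue): when an S3 browser POST is signed with temporary credentials, the session token has to travel as the `x-amz-security-token` form field and be covered by a condition in the signed policy. The sketch assumes a Signature Version 4 POST policy; `buildPostFields`, `uncoveredFields` and the sample credentials are hypothetical names and constructed values.

```javascript
const crypto = require("crypto");

// Constructed sample values shaped like what the instance metadata service returns.
const SAMPLE_CREDS = {
  accessKeyId: "ASIAEXAMPLEEXAMPLE",
  secretAccessKey: "constructed-secret-key",
  sessionToken: "constructed-session-token",
};

const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// Build the form fields for an S3 POST upload from long-term or temporary credentials.
function buildPostFields(creds, { bucket, key, region, now, ttlSeconds = 300 }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20150512T000000Z
  const scope = `${amzDate.slice(0, 8)}/${region}/s3/aws4_request`;
  const fields = {
    key,
    "x-amz-algorithm": "AWS4-HMAC-SHA256",
    "x-amz-credential": `${creds.accessKeyId}/${scope}`,
    "x-amz-date": amzDate,
  };
  // Temporary credentials: the token is a form field AND a policy condition.
  if (creds.sessionToken) fields["x-amz-security-token"] = creds.sessionToken;

  const policy = {
    expiration: new Date(now.getTime() + ttlSeconds * 1000).toISOString(),
    conditions: [{ bucket }, ...Object.entries(fields).map(([k, v]) => ({ [k]: v }))],
  };
  fields.policy = Buffer.from(JSON.stringify(policy)).toString("base64");

  // SigV4 key derivation: date, then region, then service, then "aws4_request".
  const signingKey = scope.split("/").reduce((k, part) => hmac(k, part), "AWS4" + creds.secretAccessKey);
  fields["x-amz-signature"] = hmac(signingKey, fields.policy).toString("hex");
  return fields;
}

// Diagnostic: form fields that the signed policy has no condition for.
function uncoveredFields(fields) {
  const { conditions } = JSON.parse(Buffer.from(fields.policy, "base64").toString());
  const covered = new Set(conditions.flatMap((c) =>
    Array.isArray(c) ? [String(c[1]).replace(/^\$/, "")] : Object.keys(c)));
  const exempt = ["policy", "x-amz-signature", "file"];
  return Object.keys(fields).filter((f) => !exempt.includes(f) && !covered.has(f));
}
```

Appending the token to a form whose policy was signed without it does not help: `uncoveredFields` reports `x-amz-security-token`, because the policy must list every field the form submits.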