S3 mapping with IAM Role

I have a number of S3 mappings which had the accesskeyid and awssecretkey embedded in the mapping definition URL. But the EC2 instance which hosts my application has an IAM role which permits the server to access the S3 buckets without specifying credentials.

Does Lucee support this or does an S3 connection always require an accesskeyid and awssecretkey to be present either in the URL, application, or environmental variables?

Hey Juan,

My inclination would be to say ‘no’, that configuration is not supported. Under the hood Lucee (and ACF) use a Java implementation of the AWS API for S3 services, so they are likely to require that the accessKeyId and awsSecretKey be specified. That said, you can try it without specifying this data and see if it works, but I doubt it will.

HTH

– Denny

I don’t think it does, but I usually use the AWS Java SDKs instead of the built-in CF stuff. Ideally Lucee should use the standard AWS credential search order (which checks environment variables, etc.; see “Provide temporary credentials to the AWS SDK for Java - AWS SDK for Java 1.x”), because the way it works now leads people to hard-code the keys.

When you use an assumed role, you still have an accessKey and secretKey; it is just that most AWS tools know where to look for them automatically. They are accessible from the instance metadata URL, which can be hit by a cfhttp from inside your instance and used to populate the variables. E.g.: http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name (docs: “Instance metadata and user data - Amazon Elastic Compute Cloud”).

Pete Freitag
Foundeo Inc.


There are plenty of ways to mount an S3 bucket using the OS, which for performance reasons alone you should use.

Once you have mounted that, you can use ColdFusion to do whatever manipulation to the file system is required.

The thing I don’t understand here is that you can get the credentials from:

http://169.254.170.2#$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

Are those credentials not useful? I can get them during onServerStart and have them available during onApplicationStart.


A coworker found that in order to use the role-based credentials you have to also pass along the session token that is also provided by the credentials endpoint.

@Roberto_Marzialetti The URL that I provided is only accessible from within the ECS task. $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is an env variable that AWS automatically provides, giving the service task’s RoleArn, AccessKeyId, SecretAccessKey and Token.

It’s looking like the fact that Lucee’s extension doesn’t support using the Token is the issue.

At least that’s what we’re thinking now.
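The two mechanisms discussed in this thread (Pete’s instance metadata lookup and the ECS container credentials endpoint) and the point raised in the last posts (role credentials only work if the session token is sent along with the key pair) are shown together below in an added example. It is not Lucee, ColdFusion or Foundeo code and does not claim anything about how Lucee’s S3 extension behaves internally; it is written in Python so it can be run stand-alone. The endpoint addresses, the IMDSv2 token headers, the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` convention and the `AccessKeyId`/`SecretAccessKey`/`Token`/`Expiration` JSON fields are the documented AWS ones; `fake_fetch`, `SAMPLE_BODY`, `SAMPLE_TIME` and all key material are constructed for the example so it runs off-instance. The SigV4 signer is a minimal GET-only one that adds `x-amz-security-token` to the signed headers whenever the resolved credentials carry a token, which is exactly what a role-credential consumer must do.

```python
"""Default-chain AWS credential resolution (env vars, ECS endpoint, EC2 IMDSv2)
plus a SigV4 S3 GET that sends the session token. Added example, not Lucee code."""
import datetime as dt, hashlib, hmac, json, urllib.request
from typing import Callable, Mapping, NamedTuple, Optional

IMDS_BASE = "http://169.254.169.254/latest"      # EC2 instance metadata
ECS_BASE = "http://169.254.170.2"                # ECS task credentials endpoint
SAMPLE_TIME = dt.datetime(2024, 1, 1, 11, 0, 0)  # fixed clock for repeatable output

class Credentials(NamedTuple):
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None  # set for every role (temporary) credential
    expiration: Optional[str] = None

Fetch = Callable[[str, str, Mapping[str, str]], str]  # (method, url, headers) -> body

def http_fetch(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Real fetcher for use on an instance or task; link-local, so a short timeout."""
    req = urllib.request.Request(url, method=method, headers=dict(headers))
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def parse_credentials(body: str) -> Credentials:
    """IMDS and the ECS endpoint both return this JSON shape, Token included."""
    doc = json.loads(body)
    return Credentials(doc["AccessKeyId"], doc["SecretAccessKey"],
                       doc.get("Token"), doc.get("Expiration"))

def resolve_credentials(env: Mapping[str, str], fetch: Fetch = http_fetch) -> Credentials:
    """Same order the AWS SDK default chain uses for these three sources."""
    if "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env:
        return Credentials(env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                           env.get("AWS_SESSION_TOKEN"))
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if rel:  # ECS: the env var is only the path; the host is fixed and link-local
        return parse_credentials(fetch("GET", ECS_BASE + rel, {}))
    # IMDSv2: PUT for a session token, then GET with it (plain IMDSv1 GETs may be disabled)
    token = fetch("PUT", f"{IMDS_BASE}/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    hdrs = {"X-aws-ec2-metadata-token": token}
    role = fetch("GET", f"{IMDS_BASE}/meta-data/iam/security-credentials/", hdrs).strip()
    return parse_credentials(fetch("GET", f"{IMDS_BASE}/meta-data/iam/security-credentials/{role}", hdrs))

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_s3_get(creds: Credentials, bucket: str, key: str, region: str,
                now: dt.datetime = SAMPLE_TIME) -> dict:
    """SigV4 headers for GET s3://bucket/key (key assumed already URI-safe)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    payload_hash = hashlib.sha256(b"").hexdigest()
    headers = {"host": f"{bucket}.s3.{region}.amazonaws.com",
               "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if creds.session_token:  # role credentials are rejected unless the token is sent and signed
        headers["x-amz-security-token"] = creds.session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["GET", "/" + key, "", *(f"{k}:{headers[k]}" for k in sorted(headers)),
                           "", signed, payload_hash])
    scope = f"{day}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + creds.secret_access_key).encode(), day)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds.access_key_id}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

# Constructed sample response in the real endpoints' shape; the key material is fake.
SAMPLE_BODY = json.dumps({"RoleArn": "arn:aws:iam::123456789012:role/example-task-role",
                          "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
                          "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                          "Token": "FwoGZXIvYXdzEXAMPLETOKEN",
                          "Expiration": "2024-01-01T17:00:00Z"})

def fake_fetch(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Stand-in for the link-local endpoints so the example runs off-instance."""
    if url.startswith(ECS_BASE):
        return SAMPLE_BODY
    if url.endswith("/api/token"):
        assert method == "PUT"
        return "imds-session-token"
    assert headers.get("X-aws-ec2-metadata-token") == "imds-session-token"
    if url.endswith("/security-credentials/"):
        return "example-instance-role\n"
    return SAMPLE_BODY

if __name__ == "__main__":
    env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/example"}
    for k, v in sign_s3_get(resolve_credentials(env, fake_fetch), "my-bucket",
                            "reports/2024.csv", "us-east-1").items():
        print(f"{k}: {v}")
```

On a real instance or task, drop `fake_fetch` and let `resolve_credentials` use `http_fetch`; the `Expiration` field is the cue to refresh before the credentials lapse, since role credentials rotate, which is another reason caching them once in onServerStart is not enough on its own.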