S3 resources should not require credentials

not-a-bug

(Sebastien Requiem) #1

When fetching or publishing a resource from S3, one needs to configure the S3 resource like so:

    maven {
        url "s3://someS3Bucket/maven2"
        credentials(AwsCredentials) {
            accessKey "someKey"
            secretKey "someSecret"
        }
    }

A few concerns here: this code doesn’t support the STS token that AWS IAM can generate for temporary requests, and due to the nature of the build.gradle file (a static file), we may want to skip the requirement (thus making it optional) for AwsCredentials. This would force the S3Client to fall back to the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, which may be fetched at build time.

I would be happy to submit a PR since I have it working locally already.

Let me know

Gradle Version: 3.1-SNAPSHOT-1
Operating System: Mac OS X
Is this a regression? no
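
Added example, not part of the original post or of Gradle's code: a small Python check that flags `accessKey`/`secretKey` set to string literals inside a `credentials(AwsCredentials)` block of a build script, the static-credentials pattern the post wants to make optional. The function names and the environment-variable variant of the snippet are constructed for illustration; brace matching is simplified and ignores braces inside string literals.

```python
import re

# Opening of a credentials(AwsCredentials) { ... } block in a Groovy build script.
HEADER_RE = re.compile(r"credentials\s*\(\s*AwsCredentials\s*\)\s*\{")
# accessKey/secretKey given a quoted string: accessKey "x", secretKey = 'x', accessKey("x")
LITERAL_RE = re.compile(r"\b(accessKey|secretKey)\s*=?\s*\(?\s*(['\"])(.*?)\2")

def _block_end(text, start):
    """Index of the brace that closes the block whose body starts at `start`."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return len(text)

def find_static_aws_credentials(text):
    """Return (line, key) for each key set to a string literal; values are never returned."""
    findings = []
    for header in HEADER_RE.finditer(text):
        start = header.end()
        body = text[start:_block_end(text, start)]
        for m in LITERAL_RE.finditer(body):
            # A double-quoted GString containing $ is resolved at build time, not static.
            if m.group(2) == '"' and "$" in m.group(3):
                continue
            findings.append((text.count("\n", 0, start + m.start()) + 1, m.group(1)))
    return findings

# Constructed sample input: the snippet from the post.
STATIC_BUILD = """\
maven {
    url "s3://someS3Bucket/maven2"
    credentials(AwsCredentials) {
        accessKey "someKey"
        secretKey "someSecret"
    }
}
"""
# Constructed variant that reads both values from the environment at build time.
ENV_BUILD = (STATIC_BUILD.replace('"someKey"', 'System.getenv("AWS_ACCESS_KEY_ID")')
             .replace('"someSecret"', '"${System.getenv(\'AWS_SECRET_ACCESS_KEY\')}"'))

if __name__ == "__main__":
    for name, script in (("static", STATIC_BUILD), ("env", ENV_BUILD)):
        print(name, find_static_aws_credentials(script))
```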


(Sebastien Requiem) #2

Btw, I would also be happy to do the extra work and add an option token in the AWSCredential to support it.

The use case that I have is that – using the plugin vault, I can fetch STS tokens that expire within an hour. Quite handy to never rely on fixed AWS keys.

Cheers (and congrats for the kotlin support. I am :heart_eyes:'ing it)


(Stefan Wolf) #3

Hi Sebastien,

We are aware of this limitation of the AWSCredential support. See this discussion on the dev list. Having said that, we would be more than happy if you could provide a PR adding support for an extra option token. You would need to implement this story in the design doc (or part of it).

Best regards,
Stefan


(Sebastien Requiem) #4

Hej Stefan,

Thanks for pointing me in the right direction :railway_track:
Will get back to you when progress is made on my side about that story.

Cheers,


(Sebastien Requiem) #5

For the ones interested in this particular change, I have submitted a PR on GitHub.

The discussion will continue there.