STS/IAM Role Credentials for S3 Maven Repository


(Andrew Matheny) #1

Our company's access to AWS resources uses STS credentials instead of the standard accessKey/secretAccessKey. These credentials include an additional field used for session information. This is also the way that credentials that come from an IAM role work.

Is there any way to make this work with the existing Maven S3 support? I didn’t see any way of providing additional credential types in the documentation. The standard credential provider used by the AWS Java SDK and CLI would be a great place to start with this.


(Mark Vieira) #2

There currently isn’t a way to configure this. In general we want to make credential management much more robust. There is an existing design document discussing exactly this and this is on our backlog of items to address in future Gradle versions.


(Andrew Matheny) #3

Thanks. I’ll be looking forward to seeing that in a future version of Gradle.

Here are some features I’d like to see that weren’t explicitly listed in the design doc:

Default AWS Credentials Provider
Provide functionality that is the same as com.amazonaws.auth.DefaultAWSCredentialsProviderChain. This would be a great default that follows the same convention as the AWS CLI and SDK clients initialized without explicitly listing the credentials.

maven {
    url "s3://somewhere/over/the/rainbow"
    credentials(DefaultAWSCredentialsProvider)
}

Credential Provider Chain
A way to have a series of credentials to try. This would be useful for the case of environment variables or explicit credentials when developing locally and using IAM credentials for a CI environment running in EC2.

maven {
    url "s3://somewhere/over/the/rainbow"
    credentials(CredentialsProviderChain) [
        credentials(AwsCredentials) {
            accessKey AWS_ACCESS_KEY
            secretKey AWS_SECRET_KEY
        },
        credentials(AwsImAuthentication)
    ]
}
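
The local-versus-CI fallback requested above, as an added example that is not part of the original post or Gradle's own documentation. It assumes a Gradle release that ships `AwsImAuthentication` and the `sessionToken` property on `AwsCredentials`; the environment variable names are the standard AWS ones, and the bucket URL is the placeholder from the post.

```groovy
// build.gradle (added example; assumes a Gradle version with
// AwsImAuthentication and AwsCredentials.sessionToken)
repositories {
    maven {
        url "s3://somewhere/over/the/rainbow"

        // Step 1 of the "chain": explicit credentials from the environment,
        // e.g. short-lived STS credentials exported on a developer machine.
        def key    = System.getenv("AWS_ACCESS_KEY_ID")
        def secret = System.getenv("AWS_SECRET_ACCESS_KEY")
        def token  = System.getenv("AWS_SESSION_TOKEN") // set only for STS/role credentials

        if (key && secret) {
            credentials(AwsCredentials) {
                accessKey = key
                secretKey = secret
                // The additional session field that STS credentials carry.
                // Without it, temporary keys are rejected by S3.
                if (token) {
                    sessionToken = token
                }
            }
        } else {
            // Step 2: no explicit keys present (e.g. CI running in EC2).
            // Let the AWS SDK resolve credentials, such as the instance's
            // IAM role, so no key material lives in the build or on disk.
            authentication {
                awsIm(AwsImAuthentication)
            }
        }
    }
}
```

Nothing secret is written into the build script in either branch: keys come from the process environment or from the role attached to the instance.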

(vab2048) #4

Is this sorted in the latest version of Gradle?

I mean - can I now use the credentials provided by the IAM role on the EC2 instance as credentials for accessing the S3 maven repository?
If so - how?