Safely change AWS credentials per request about ex_aws HOT 9 CLOSED

Glad you're finding it useful.

Before I answer, a question: is the number of distinct AWS credentials known at compile time, or can that change dynamically?

from ex_aws.

The number of distinct credentials will be dynamic as will their values; they're managed by a separate service.

from ex_aws.

Crap. The good news is, I could add this soon, the bad news is: one motivator behind ExAws was precisely NOT needing to pass in config with every request, so there are a few roadblocks. The biggest issue is stuff like https://github.com/CargoSense/ex_aws/blob/master/lib/ex_aws/dynamo/impl.ex#L84 where the client's request function is called in order to allow some custom request logic.

When you first asked my thought was that you could create N clients with different credentials and then pick the right one at runtime, but that would require N to be known at compile time.

I believe I could solve this by instead of passing in the client module name passing in a map of

%{client: __MODULE__, config: config}

That way you could do

Dynamo.Impl.describe_table(%{module: ExAws.Dynamo, config: my_custom_config}, "TableName")

It could call request on the specified module (in this case the default Dynamo client).

Let me keep thinking, but you may be stuck for the moment. This is definitely something I didn't think about in my fervor to avoid needing to do this.

from ex_aws.

Technically there are some rather ghetto ways in which you could get around this that I don't recommend. Because you can override how a client gets its config, you could store the desired config in the process dictionary and then use a client with the following code:

defmodule My.Dynamo do
  use ExAws.Dynamo.Client

  def config_root do
    Process.get(:ex_aws_config)
  end
end

The flow would be

config = determine_config
Process.put(:ex_aws_config, config)
My.Dynamo.list_tables
Process.delete(:ex_aws_config) # just to be safe

If you're SURE that the requests are happening in different processes that could work. Don't exactly recommend it though.

from ex_aws.

Thanks for your thorough response. I am sure they're in separate processes and had actually looked in to that proposed "hack" but I'm nervous because I don't know how secure or safe a process is.

I was able to get around this by swapping ExAws for erlcloud but that introduced other hiccups for me so I had hoped to come back to ExAws. When I saw the conversation in IRC I thought it might be worth speaking up.

Thanks again!

from ex_aws.

Well if it makes you feel any better, the Application.get_env stuff is all stored in processes at the end of the day. Not sure what you mean by secure or safe precisely. It's as safe as anything else in memory from attackers if that's your concern.

from ex_aws.

Not concerned with attackers, more to do with whether a process could inadvertently access the values of another.

from ex_aws.

Reopening until there's a few tweaks in place in master.

from ex_aws.

Ok this is done. Usage:

Test.ClientData.Dynamo.new(secret_access_key: "foo")
|> ExAws.Dynamo.Impl.list_tables

Note that the parameters passed to new are just the configuration keys you're interested in, there isn't a root level [config: [stuff]] anymore.

from ex_aws.