
Comments (4)

timothy-volvo commented on May 6, 2024

@joshdholtz, is this issue resolved by PR #86? I will try to test myself, but don't have an environment set up at the moment.

I have doubts, as I thought instance profiles were for EC2. If my understanding is correct, then shouldn't PR #86 have introduced a boolean flag to indicate whether to use InstanceProfile or not? If false and no other s3_* flags are set, then the credentials would be resolved from the environment, which is what I am proposing in this ticket / PR #55.

from fastlane-plugin-s3.

joshdholtz commented on May 6, 2024

@timothy-volvo I’ll take a deeper look today! I thought it did but I will make sure.


mrosales commented on May 6, 2024

#86 still won't resolve this. As an example, using STS credentials, you must pass AWS_ACCESS_KEY_ID, AWS_ACCESS_SECRET_KEY and AWS_SESSION_TOKEN. After this PR, roles assumed by STS will still not work because specifying the first two as parameters will result in incomplete credentials and omitting them results in using InstanceProfileCredentials rather than the default chain.

AWS uses some non-trivial logic to initialize a session, so unless this plugin is doing something special or custom to initialize the session, I would strongly suggest using the default credential provider chain as the default if you don't specify explicit credentials instead of using AWS::InstanceProfileCredentials.

Here's the source to what the credential chain tries to do:

It includes:

  • static_credentials
  • static_profile_assume_role_web_identity_credentials
  • static_profile_assume_role_credentials
  • static_profile_credentials
  • static_profile_process_credentials
  • env_credentials
  • assume_role_web_identity_credentials
  • assume_role_credentials
  • shared_credentials
  • process_credentials
  • instance_profile_credentials

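The fallback described in the comment above, as an added sketch that is not the plugin's or the AWS SDK's code: explicit keys are used only when they form a complete set, and otherwise no credentials are set so the SDK's default provider chain decides. The helper names, the `:source` result key and the key-ID prefix checks (`ASIA` for temporary STS keys, `AKIA` for long-term keys) are assumptions of this example.

```ruby
# Added illustration, not code from fastlane-plugin-s3. Plain hashes only, so it
# runs without the aws-sdk gem; option keys mirror the patch on this page.
class IncompleteCredentialsError < StandardError; end

# Treat nil and blank strings alike, since CI variables are often set but empty.
def presence(value)
  value.nil? || value.strip.empty? ? nil : value
end

# Hypothetical helper: decide which credential source the S3 client should use.
def resolve_client_cfg(params)
  key     = presence(params[:access_key])
  secret  = presence(params[:secret_access_key])
  token   = presence(params[:aws_session_token])
  profile = presence(params[:aws_profile])

  # Nothing explicit: pass no :credentials so the SDK default chain
  # (env, shared config, assume-role, process, instance profile) decides.
  return { source: :default_chain } if [key, secret, token, profile].none?
  return { source: :profile, profile: profile } if profile && [key, secret, token].none?

  # Half a key pair, or a token with no key pair, can never authenticate.
  unless key && secret
    raise IncompleteCredentialsError, "access_key and secret_access_key must be set together"
  end
  # ASIA-prefixed key IDs are temporary STS keys and need their session token.
  if key.start_with?("ASIA") && token.nil?
    raise IncompleteCredentialsError, "temporary (ASIA...) key given without a session token"
  end
  # A token next to a long-term AKIA key usually came from another session's environment.
  if key.start_with?("AKIA") && token
    raise IncompleteCredentialsError, "session token supplied with a long-term (AKIA...) key"
  end

  { source: :static, access_key_id: key, secret_access_key: secret, session_token: token }
end

# Constructed sample input (not real credentials).
STS_PARAMS = {
  access_key: "ASIAEXAMPLEKEYID0000",
  secret_access_key: "constructed-secret",
  aws_session_token: "constructed-token"
}.freeze
```

Failing early on an incomplete set surfaces the misconfiguration in the build log instead of as an opaque authentication error from S3.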

joohae-kim commented on May 6, 2024

I wonder if we can simply add an option variable for AWS_SESSION_TOKEN to use STS credentials.
I can use a session token with the AWS_PROFILE options, but I have to update the .aws/credential file almost every release,
hence I wish I could use the AWS_SESSION_TOKEN environment variable.

I touched up the code a little and it looks to be working fine for my case:
Aws::Credentials.new() allows the session token as the third parameter, and the value is null by default.

diff --git a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
index 4a33e54..7f4f434 100644
--- a/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
+++ b/lib/fastlane/plugin/aws_s3/actions/aws_s3_action.rb
@@ -32,6 +32,7 @@ module Fastlane
         params[:release_notes] = config[:release_notes]
         params[:access_key] = config[:access_key]
         params[:secret_access_key] = config[:secret_access_key]
+        params[:aws_session_token] = config[:aws_session_token]
         params[:aws_profile] = config[:aws_profile]
         params[:bucket] = config[:bucket]
         params[:endpoint] = config[:endpoint]
@@ -65,6 +66,7 @@ module Fastlane
         s3_region = params[:region]
         s3_access_key = params[:access_key]
         s3_secret_access_key = params[:secret_access_key]
+        s3_session_token = params[:aws_session_token]
         s3_profile = params[:aws_profile]
         s3_bucket = params[:bucket]
         s3_endpoint = params[:endpoint]
@@ -89,7 +91,7 @@ module Fastlane
         client_cfg[:region] = s3_region if s3_region
         client_cfg[:endpoint] = s3_endpoint if s3_endpoint
         client_cfg[:profile] = s3_profile if s3_profile
-        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key) if s3_access_key && s3_secret_access_key
+        client_cfg[:credentials] = Aws::Credentials.new(s3_access_key, s3_secret_access_key, s3_session_token) if s3_access_key && s3_secret_access_key

         s3_client = Aws::S3::Client.new(client_cfg)

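Review bot: On the `client_cfg[:credentials]` line the token is attached whenever `s3_access_key && s3_secret_access_key` are set, and because the new option defaults to `ENV['AWS_SESSION_TOKEN']`, a token left in the environment by an unrelated session can be paired with explicitly passed keys it does not belong to. A token supplied without a key pair is also silently ignored. Suggest dropping the ENV default for the token (the SDK reads the environment itself when no `:credentials` entry is set) and raising a clear error when a token is passed without both keys.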
@@ -736,6 +738,11 @@ module Fastlane
                                        description: "AWS Secret Access Key ",
                                        optional: true,
                                        default_value: ENV['AWS_SECRET_ACCESS_KEY']),
+          FastlaneCore::ConfigItem.new(key: :aws_session_token,
+                                       env_name: "S3_SESSION_TOKEN",
+                                       description: "AWS Session TOKEN ",
+                                       optional: true,
+                                       default_value: ENV['AWS_SESSION_TOKEN']),
           FastlaneCore::ConfigItem.new(key: :aws_profile,
                                        env_name: "S3_PROFILE",
                                        description: "AWS profile to use for credentials",
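Review bot: The new `:aws_session_token` item holds a secret but is declared without `sensitive: true`, so it is not treated as a secret when fastlane prints option values; add that flag. The description `"AWS Session TOKEN "` has a trailing space and inconsistent casing, and it should state that the token is only used together with `access_key` and `secret_access_key`.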

