
Add support for AWS STS credentials for snapshots #16428

Closed
jipperinbham opened this issue Feb 3, 2016 · 9 comments · Fixed by #30414
Labels
:Distributed Coordination/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs >enhancement

Comments

@jipperinbham

The current setup does not support the ability to provide an AWS_SECURITY_TOKEN to be used with AWS STS authentication.

I believe the changes necessary would be to add an additional field to Settings for the cloud-aws plugin, `CLOUD_S3.TOKEN`, and if set, return an instance of `BasicSessionCredentials(accessKey, secretKey, sessionToken)` instead of `new BasicAWSCredentials(account, key)`.
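
As an added illustration of the approach proposed in this comment (example code written for this page, not code from the Elasticsearch project or from the comment author), the snippet below picks the credentials class based on whether a session token is configured. It assumes the AWS SDK for Java v1 (`com.amazonaws.auth.*`) is on the classpath; the setting names `access_key`, `secret_key` and `session_token` and the class `S3CredentialsFactory` are hypothetical. It also rejects the two half-configurations a practitioner would want caught early: a key pair with only one half set, and a session token without the key pair it belongs to, since neither can ever authenticate and silently falling back to anonymous access would hide the mistake.

```java
// Added example, not Elasticsearch project code. Assumes AWS SDK for Java v1.
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

import java.util.HashMap;
import java.util.Map;

public final class S3CredentialsFactory {

    private S3CredentialsFactory() {}

    /**
     * Builds credentials from three hypothetical repository settings:
     * access_key, secret_key and session_token. The token is optional; when it
     * is present all three parts are sent, which is what STS temporary
     * credentials require. Returns null when no static credentials are
     * configured so the caller can fall back to the SDK default provider chain.
     */
    public static AWSCredentials fromSettings(Map<String, String> settings) {
        String accessKey = settings.get("access_key");
        String secretKey = settings.get("secret_key");
        String sessionToken = settings.get("session_token");

        if (isBlank(accessKey) != isBlank(secretKey)) {
            // A half-configured key pair is a misconfiguration, not anonymous access.
            throw new IllegalArgumentException("access_key and secret_key must be set together");
        }
        if (isBlank(accessKey)) {
            if (!isBlank(sessionToken)) {
                // A token without the key pair it was issued with can never authenticate.
                throw new IllegalArgumentException("session_token requires access_key and secret_key");
            }
            return null;
        }
        if (isBlank(sessionToken)) {
            // Long-lived IAM user keys: two-part credentials.
            return new BasicAWSCredentials(accessKey, secretKey);
        }
        // STS temporary credentials: three-part credentials including the session token.
        return new BasicSessionCredentials(accessKey, secretKey, sessionToken);
    }

    /** Wraps the result in a provider the S3 client builder accepts. */
    public static AWSCredentialsProvider providerFor(Map<String, String> settings) {
        AWSCredentials creds = fromSettings(settings);
        return creds == null
            ? new DefaultAWSCredentialsProviderChain()
            : new AWSStaticCredentialsProvider(creds);
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    public static void main(String[] args) {
        // Constructed placeholder values, not real credentials.
        Map<String, String> withToken = new HashMap<>();
        withToken.put("access_key", "EXAMPLE-ACCESS-KEY");
        withToken.put("secret_key", "EXAMPLE-SECRET-KEY");
        withToken.put("session_token", "EXAMPLE-SESSION-TOKEN");

        Map<String, String> withoutToken = new HashMap<>(withToken);
        withoutToken.remove("session_token");

        // Only the class names are printed; never log the secret or token values.
        System.out.println(fromSettings(withToken).getClass().getSimpleName());    // BasicSessionCredentials
        System.out.println(fromSettings(withoutToken).getClass().getSimpleName()); // BasicAWSCredentials
    }
}
```

Because the session token grants the same access as the key pair for as long as it is valid, it should be stored and handled exactly like `secret_key` (in the secure settings store rather than in a plain settings file or request body), and a caller that receives `null` from `fromSettings` should make sure the fallback to the default provider chain is what the operator intended.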

@bleskes
Contributor

bleskes commented Jun 24, 2016

@dadoonet gracefully agreed to research and see what the implications of this are

@dadoonet
Member

Useful links to understand STS:

If I'm not mistaken it means that we want to give a temporary credential to an S3 repository, right?

If so, I think it makes sense to support it only at a repository level but not in cluster/node settings. So having a temporary value for a setting like cloud.aws.token does not make sense.

If we want to implement it, I'd support it only when we create a repo. Like:

```
PUT _snapshot/tmp_repo
{
  "type": "s3",
  "settings": {
    "token": "temp-token-here"
  }
}
```

@jipperinbham WDYT?

@dadoonet
Member

No news on this. So I'm closing for now.
Feel free to comment and reopen.

@elliott-davis

In case anyone else runs across this: it looks like it was resolved in #19556.

@pheyos
Member

pheyos commented Feb 1, 2018

I would like to have support for AWS STS credentials (#19556 doesn't seem to resolve this).

As far as I understand, a session token is required when "MFA-Protected API Access" is activated on AWS [1]. Without support for session tokens all users affected by this policy are not able to access s3 via the plugin, so this would be an important improvement.
From my point of view the token should be in the elasticsearch-keystore, just like access_key and secret_key are [2].

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
[2] https://www.elastic.co/guide/en/elasticsearch/plugins/6.1/repository-s3-client.html

@pheyos pheyos reopened this Feb 1, 2018
@pheyos pheyos added the discuss label Feb 1, 2018
@dadoonet
Member

dadoonet commented Feb 1, 2018

I believe it's a valid ask. I believe that the implementation that @jipperinbham described is the right approach as well.
The question is then more about revocation of tokens. I'm not sure we can update such a setting live yet, and it's probably something needed. Also the need to "reload" an S3 client when credentials change. Unless we just create a new client any time we need to call S3...

@pheyos
Member

pheyos commented Feb 1, 2018

FWIW: The s3 input plugin for logstash seems to have support for session tokens [1].

[1] https://www.elastic.co/guide/en/logstash/current/plugins-inputs-s3.html

@clintongormley clintongormley added :Distributed Coordination/Snapshot/Restore Anything directly related to the `_snapshot/*` APIs and removed :Plugin Repository S3 labels Feb 14, 2018
@tlrx tlrx self-assigned this Feb 20, 2018
@tlrx tlrx added >enhancement and removed discuss labels Mar 22, 2018
DaveCTurner added a commit to DaveCTurner/elasticsearch that referenced this issue May 6, 2018
AWS supports the creation and use of credentials that are only valid for a
fixed period of time. These credentials comprise three parts: the usual access
key and secret key, together with a session token. This commit adds support for
these three-part credentials to the EC2 discovery plugin and the S3 repository
plugin.

Note that session tokens are only valid for a limited period of time and yet
there is no mechanism for refreshing or rotating them when they expire without
restarting Elasticsearch.  Nonetheless, this feature is already useful for
nodes that need only run for a few days, such as for training, testing or
evaluation. elastic#29135 tracks the work towards allowing these credentials to be
refreshed at runtime.

Resolves elastic#16428
DaveCTurner added a commit that referenced this issue Jul 3, 2018
DaveCTurner added a commit that referenced this issue Jul 3, 2018
@elastic elastic locked and limited conversation to collaborators Mar 29, 2024