
Update AWS Java SDK to support ECS Task Roles #23039

Closed
hmatland opened this issue Feb 8, 2017 · 4 comments
Labels: :Distributed Coordination/Snapshot/Restore (anything directly related to the `_snapshot/*` APIs), >enhancement, good first issue, low hanging fruit, help wanted, adoptme

Comments

@hmatland

hmatland commented Feb 8, 2017

Describe the feature: Plugin repository-s3 currently uses the AWS Java SDK 1.10.69. Policy management for AWS resources used by Elasticsearch with AWS plugins running on ECS would improve if the SDK version was upgraded to a newer release.

Background:
I noticed the old version due to lack of newer AWS IAM features. In this specific case:
Task IAM Roles.
IAM Roles for tasks require 1.11.16 or above.

IAM Roles for tasks are used as part of deployments to Amazon EC2 Container Service (ECS). Task roles allow specific containers, or sets of containers, to run with specific Roles.
Task roles are similar to Instance Roles. In ECS the instances running in the cluster have an Instance role, typically allowing the cluster instances access to various ECS APIs, Log Management and Load-Balancer registration/deregistration. Containers running on the instance also inherit the policies of the Instance role.
If you wish the container to have access to resources without granting it to every container running in the cluster, you need to either use Task roles, or access keys.

We strive to avoid the usage of access keys for applications running on AWS.
Because of this our current workaround is to set the policies we require on the Instance role.

@rjernst
Member

rjernst commented Feb 13, 2017

I took a brief look at how we might support this. One small trouble I had was identifying which credential provider to use, but I think it would be ContainerCredentialsProvider. If using that provider is all that is necessary, then this should be a simple addition, and work similarly to the instance profile support.

@hmatland
Author

The default chain should also cover ECS usage, as long as the SDK is new enough.
DefaultAWSCredentialsProviderChain

Credentials delivered through the Amazon EC2 container service if the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable is set and the security manager has permission to access the variable

@rjernst rjernst added good first issue low hanging fruit and removed discuss labels Feb 13, 2017
@rjernst
Member

rjernst commented Feb 13, 2017

@hmatland We no longer use the default chain because it allows for insecure ways of providing the credentials (sys props, environment variables, and profile files).

@rjernst rjernst added the help wanted adoptme label Feb 13, 2017
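The point rjernst makes above, that a plugin should not fall back to `DefaultAWSCredentialsProviderChain` because it also reads system properties, environment-variable keys and profile files, can be implemented by composing only the metadata-backed providers. The following is an added illustration, not code from this issue, from Elasticsearch or from the AWS SDK documentation. It assumes AWS SDK for Java 1.11.x, where `ContainerCredentialsProvider`, `InstanceProfileCredentialsProvider.getInstance()`, `AWSCredentialsProviderChain` and `AmazonS3ClientBuilder` exist; the region string is a placeholder.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.ContainerCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

/**
 * Added example (not code from the issue, Elasticsearch or the AWS SDK):
 * a credentials chain limited to the two metadata-backed sources,
 * the ECS task role first and the EC2 instance profile second.
 */
public final class MetadataOnlyCredentials {

    /** Environment variable the SDK's container provider consults (named in the SDK docs quoted above). */
    static final String CONTAINER_CREDS_ENV = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";

    private MetadataOnlyCredentials() {}

    /**
     * Returns a chain that tries the ECS task-role endpoint and falls back to the instance
     * profile. System properties, AWS_ACCESS_KEY_ID-style environment variables and
     * ~/.aws/credentials are deliberately not consulted, unlike DefaultAWSCredentialsProviderChain.
     */
    public static AWSCredentialsProvider metadataOnlyChain() {
        return new AWSCredentialsProviderChain(
                new ContainerCredentialsProvider(),
                InstanceProfileCredentialsProvider.getInstance());
    }

    /**
     * Reports which metadata source the chain will reach first. ContainerCredentialsProvider
     * only activates when AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set (ECS injects it for
     * tasks that run under a task role); otherwise the chain proceeds to the instance profile.
     * Under a Java security manager, reading the variable requires
     * RuntimePermission("getenv.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI").
     */
    public static String expectedSource() {
        String relativeUri = System.getenv(CONTAINER_CREDS_ENV);
        if (relativeUri != null && !relativeUri.isEmpty()) {
            return "ecs-task-role (" + CONTAINER_CREDS_ENV + "=" + relativeUri + ")";
        }
        return "ec2-instance-profile";
    }

    /** Builds an S3 client bound to the restricted chain; the region is supplied by the caller. */
    public static AmazonS3 s3Client(String region) {
        return AmazonS3ClientBuilder.standard()
                .withCredentials(metadataOnlyChain())
                .withRegion(region)
                .build();
    }

    public static void main(String[] args) {
        System.out.println("credential source: " + expectedSource());
        // The client fetches credentials from the metadata endpoint on its first request.
        AmazonS3 s3 = s3Client("us-east-1"); // placeholder region
        System.out.println("client built: " + (s3 != null));
    }
}
```

Because the chain contains only the two metadata providers, a stray `AWS_ACCESS_KEY_ID` in the container's environment or a profile file on the host cannot silently become the identity the plugin acts under; the only credentials accepted are those the platform itself delivers.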
@lsowen

lsowen commented Mar 18, 2017

This would also be a very useful feature for the discovery-ec2 plugin.
