You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@camel.apache.org by "Andrea Cosentino (JIRA)" <ji...@apache.org> on 2018/10/30 10:54:00 UTC
[jira] [Comment Edited] (CAMEL-12907) AWS S3 assume role based
access
[ https://issues.apache.org/jira/browse/CAMEL-12907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16668269#comment-16668269 ]
Andrea Cosentino edited comment on CAMEL-12907 at 10/30/18 10:53 AM:
---------------------------------------------------------------------
To be a bit more clear: we can't add three different options for having credentials for the normal role, credentials for the role you want to assume and the role arn you want to use. This will lead in first place to confusion and in second place to a big refactor of a component that already distinguish between normal access and access through IAM credentials. If I understand correctly your needs I think the component won't have any advantage in implementing this, unless resolving your specific and really corner-case scenario.
was (Author: ancosen):
To be a bit more clear: we can't add three different options for having credentials for the normal role, credentials for the role you want to assume and the role arn you want to use. This will lead in first please to confusion and in second place to just a big refactor of a component that already distinguish between normal access and access through IAM credentials. If I understand correctly your need I think the component won't have any advantage in implementing this, unless resolving your specific and really corner-case scenario.
> AWS S3 assume role based access
> -------------------------------
>
> Key: CAMEL-12907
> URL: https://issues.apache.org/jira/browse/CAMEL-12907
> Project: Camel
> Issue Type: New Feature
> Components: camel-aws
> Reporter: VINEET GANDHI
> Assignee: Andrea Cosentino
> Priority: Major
> Attachments: awsS3.xml
>
>
> We have a springboot application where camel context is initialized. Now we have a rest endpoint which takes xml routes and add to context.
> Now, for a route consisting of an S3 endpoint, we need to pass Access Key and Secret Key for S3 access in component URI parameters but this is static in nature and will not solve our problem.
> So, another way provided by camel is to pass an S3 client as URI parameter which can be used for AWS S3 access. Now, this S3 client first needs to be created and added to the camel registry from where it can be referred by camel context.
> But, as per our architecture, we can't create this S3 client as part of the application. If we use this approach then we will have to create a whole new DSL in application which will take some AWS parameters and create and S3 client for us.
> Instead, what we want is that camel should provide a way to pass some URI parameters(in our case - Role ARN) to S3 component, which internally will generate an S3 client and use it for S3 access. So, in short we don't want to create our own DSL for this purpose but want camel to support this feature.
> Note: We know that camel internally supports creation of a client using the role assigned to the machine where camel is running. This works only when we have S3 bucket in the same AWS account where camel us running. But, if we want to access a cross account S3 bucket then we can't use this feature. We'll have to create our own client.
> Note 2: For a client assuming an AWS IAM role
> 1. client first needs to have permission to assume this role
> 2. the role should add this particular client in its trust relationship
> Catch: For enabling camel to support Role ARN as URI parameter for S3 component so that camel can internally create an S3 client, camel still needs some AWS credentials to assume this role. Now, camel doesn't have any AWS credentials set up internally, so we need to pass some credentials which can be used to assume the role we want to assume. That brings us to the same problem which we were trying to overcome in the first place.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)