Support for IAM Roles with Amazon EC2 Instances about aws-sdk-js HOT 8 CLOSED

This is definitely on our todo list. I can't comment on when this will get done exactly, but it is a priority.

from aws-sdk-js.

+1

If only for the security best practices of not having keys flowing around.

from aws-sdk-js.

Is there reason to not support the AWS_CONFIG_FILE export as well?

from aws-sdk-js.

AWS_CONFIG_FILE is a different thing from using instance metadata, because it won't stop you from hardcoding the credentials on the machine. That said, you can always use AWS.config.loadFromPath(process.env.AWS_CONFIG_FILE) if you want this behaviour. Is AWS_CONFIG_FILE used in any other Amazon tools? If it is, it's likely that it's not in the same format as we would expect in the Node.js SDK, so supporting this out of the box might not work.

from aws-sdk-js.

It appears my terminology is wrong. I understood the features as related since there must be some hierarchy of checking for credentials, correct? Ie: Checking for IAM role, then bash export, then config file... etc. Currently I have found the aws-sdk-js to obey /only/ exports of ACCESS_KEY_ID and SECRET_ACCESS_KEY. If IAM roles were to be implemented, would it be in a different section of the code? ( config.js: 384 )

Note:
This is of consequence only because there is no afaik no standard export for region defined, however it is implementable via the CONFIG_FILE. It does not appear ruby SDK supports this feature either, so the request may not be valid.

from aws-sdk-js.

If IAM roles were to be implemented, would it be in a different section of the code?

No, it would be the next check in the chain after env vars. I actually just pushed the EC2 instance metadata branch, see #78. We don't check disk in the chain though, because as you pointed out, we don't use AWS_CONFIG_FILE as a standard mechanism for loading credentials. It seems that this variable is new to the AWS CLI tool, so we could add support for this, but note that it's not in a JSON format, so that might be something Node developers might not be used to.

This is of consequence only because there is no afaik no standard export for region defined,

We have AWS_REGION for a standard region, actually. You can use that.

from aws-sdk-js.

Roles on EC2 instances should now be transparently supported. Those interested in testing this out can pull down the master branch and give it a spin!

Note that we currently do not handle invalidation of expired credentials, we will be adding this before the next release, and we are tracking that specific feature as #80

from aws-sdk-js.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

from aws-sdk-js.