This repository was archived by the owner on Mar 4, 2021. It is now read-only.

@DrGranit

Changed all usages of AWS SDK client constructors with credentials to use the default constructor, such that credentials are chosen in the following order:

  • Environment Variables: AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
  • Java System Properties: aws.accessKeyId and aws.secretKey
  • Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2 instance

(taken from: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-roles.html)

If the credentials are set explicitly within the client.properties, they are exposed as Java System properties and will as such be picked up by the AWS SDK call. Should the property not exist, be empty or only hold spaces, then the InstanceProfileCredentialsProvider is used. It uses credentials provided by the Instance Meta Data Service; we cannot store these within the code, as they are rotated and will be rechecked every time an SDK call is made. Hence the removal of all in-memory storage of the credentials and deprecation of their getters. Also deprecated the constructor taking credentials as arguments in favor of the one establishing the credentials via the AWS SDK.

kind regards
DrGranit
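
The fallback described in the pull request description above, as an added example that is not part of the original pull request or of the project's code: a plain-Java model of the export step and of the lookup order, which reports which source would supply credentials without ever returning the secret. The class name, the `example.aws.*` configuration keys and the sample values are assumptions made for this example, and the order is modelled directly rather than by calling the AWS SDK.

```java
import java.util.Map;
import java.util.Properties;

public class CredentialSourceCheck {
    // Hypothetical client.properties keys, chosen for this example only.
    static final String CFG_ACCESS = "example.aws.accountKey";
    static final String CFG_SECRET = "example.aws.secretKey";

    static boolean blank(String s) {
        return s == null || s.trim().isEmpty();
    }

    /** Export explicitly configured keys as the system properties the SDK reads.
     *  Missing, empty or whitespace-only values are skipped, so nothing is exported. */
    static void export(Properties cfg, Properties sys) {
        String id = cfg.getProperty(CFG_ACCESS);
        String secret = cfg.getProperty(CFG_SECRET);
        if (!blank(id) && !blank(secret)) {
            sys.setProperty("aws.accessKeyId", id.trim());
            sys.setProperty("aws.secretKey", secret.trim());
        }
    }

    /** Name the source that wins under the order listed above; never returns key material. */
    static String source(Map<String, String> env, Properties sys) {
        if (!blank(env.get("AWS_ACCESS_KEY_ID")) && !blank(env.get("AWS_SECRET_KEY"))) {
            return "environment variables";
        }
        if (!blank(sys.getProperty("aws.accessKeyId")) && !blank(sys.getProperty("aws.secretKey"))) {
            return "Java system properties";
        }
        return "instance metadata service (IAM role)";
    }

    public static void main(String[] args) {
        Properties sys = new Properties();        // stand-in for System.getProperties()
        Properties cfg = new Properties();
        cfg.setProperty(CFG_ACCESS, "   ");       // constructed input: whitespace only
        cfg.setProperty(CFG_SECRET, "");          // constructed input: empty
        export(cfg, sys);
        System.out.println("blank config    -> " + source(Map.of(), sys));

        cfg.setProperty(CFG_ACCESS, "EXAMPLE-KEY-ID");   // constructed placeholder value
        cfg.setProperty(CFG_SECRET, "EXAMPLE-SECRET");   // constructed placeholder value
        export(cfg, sys);
        System.out.println("explicit config -> " + source(Map.of(), sys));
    }
}
```

Passing `System.getenv()` and `System.getProperties()` to `source` at startup shows whether static keys are shadowing the instance role on a given host.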

unparameterized constructors to follow the AWS order to establish the
credentials. If credentials are set explicitly, such will be exported
into the AWS specified system properties and can then be used as such by
the AWS SDK. This allows using Role based permissions and letting the
SDK automatically reestablish the credentials once rotated by the
Instance Metadata Service.

You can remove this method.

@michaelnflx

Hi DrGranit,

I think the change is pretty good. My comments are about that we can remove those deprecated methods. We are still at the early stage of this project so removing these methods should not cause many backward-compatibility issues.

Also, please add Javadoc comments to the constructor of AWSClient to explain how the credentials are obtained there.

And please also add comments in client.properties to explain that if no AWS credentials are set there, how the monkeys will obtain the credentials at runtime.

Thanks for contributing!
Michael

AWSClient constructor about credentials acquisition; added comment to
clients.properties to mention Instance Roles configuration.
@DrGranit

Hello Michael,

I made the changes as discussed, thanks for taking the time to look through this. I would update the Wiki, perhaps with an example policy and a mention of the ability to use instance roles, once the pull is completed.

kind regards
DrGranit

michaelnflx added a commit that referenced this pull request Jan 11, 2013
Adding Role policy handling in addition to explicitly set user credentials
@michaelnflx michaelnflx merged commit ca07216 into Netflix:master Jan 11, 2013
@michaelnflx

Hi DrGranit,

Looks great! Please update the wiki with an example. Let me know if you don't have permissions for the wiki.

Thanks,
Michael
