Change auth mechanism to support the standards. #263
Conversation
This update changes the default auth mechanism to allow the SDK to use whatever crdentials are available if the key and token aren't provided in the config. This will allow ice to work in additional environments such as Amazon ECS, while still allowing the original enviornments to continue working as they had. Assuming the credentials aren't provided in the config, they will be found and used in the following order (direct cut/paste from the Java SDK documentation): AWS credentials provider chain that looks for credentials in this order: - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or AWS_ACCESS_KEY and AWS_SECRET_KEY (only recognized by Java SDK) - Java System Properties - aws.accessKeyId and aws.secretKey - Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI - Credentials delivered through the Amazon EC2 container service if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" environment variable is set and security manager has permission to access the variable, - Instance profile credentials delivered through the Amazon EC2 metadata service
|
FWIW, I've deployed this to our ECS cluster, and it's working like a champ. I'd love to see this merged so we can go back to building our container from the mainline releases. |
|
Great ! Can one of you provide a CloudFormation template (or another form
of script) that would deploy Ice in ECS to help us validate this PR (and
the other ones involving an ECS deployment of Ice) ?
Thanks
…--
Nicolas Fonrose | Teevity | Founder
+33.6.61.35.43.31
https://teevity.com - Cloud Costs Analytics built on NetflixOSS
twitter - @nfonrose / @Teevity
On Wed, Sep 13, 2017 at 7:16 PM, Adam McElwee ***@***.***> wrote:
FWIW, I've deployed this to our ECS cluster, and it's working like a
champ. I'd love to see this merged so we can go back to building our
container from the mainline releases.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#263 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AACUpb8iiyrrUe5Gl8j9zs4THZUkDVTVks5siA4FgaJpZM4OuxSB>
.
|
|
@nfonrose happy to help. Can you give me an idea of your baseline so I know what you need to test this out?
If the answer is yes to both of those, I might be able to pull together a test harness for you create a new ECS service running the Ice container, but if your baseline isn't quite there, I think it's a bit more work that I have time for to get a fully working service up for you to validate. |
|
Hi Adam, thanks for the help offer. We're familiar with ECS but don't have an ECS cluster running as we don't use ECS to run the Ice instances for our SaaS service. But we can get one running fairly easily, so let's say I replied yes to both questions :-) We don't really need a proper test harness. Just a "CloudFormation template" or "AWS CLI based script" that would deploy your version of Ice (that we have already merged into the ice integration branch) into a running ECS cluster. That way we can easily check that it's running fine. |
|
Any updates for this? Is teevity still supporting this project? |
|
We've just merged the changes from the PR.
I've checked Jim Roth's fork (which is very active and very up-to-date on
all core AWS Billing matters and also on the AWS SDK operations used),
but it doesn't use the DefaultAWSCredentialsProviderChain class either. So
telling you to check this work wasn't an option on this topic.
But it's generally a good idea to look at his fork because it's really
active. And we'll try to get in touch with Jim to check if a (giant) PR
from his repo to Teevity/ice is possible.
…--
Nicolas Fonrose | Teevity | Founder
+33.6.61.35.43.31
https://teevity.com - Cloud Costs Analytics for AWS, GCP and Azure powered
by NetflixOSS Ice
twitter - @nfonrose / @Teevity
On Tue, Aug 27, 2019 at 10:56 PM Jeff Palmer ***@***.***> wrote:
Any updates for this? Is teevity still supporting this project?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#263?email_source=notifications&email_token=AAAJJJJYIDGC5YVVWOM6YS3QGWIJLA5CNFSM4DV3CSA2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5JC5VI#issuecomment-525479637>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAJJJL2K5FHSM66AB2SBJDQGWIJLANCNFSM4DV3CSAQ>
.
|
This update changes the default auth mechanism to allow the SDK to use
whatever crdentials are available if the key and token aren't provided
in the config. This will allow ice to work in additional environments
such as Amazon ECS, while still allowing the original enviornments to
continue working as they had.
Assuming the credentials aren't provided in the config, they will be
found and used in the following order (direct cut/paste from the Java SDK
documentation):
AWS credentials provider chain that looks for credentials in this order: