honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use `DefaultAWSCredentialsProviderChain` AWS SDK class for credentials 

Follow up discussion at https://github.com/elastic/elasticsearch/pull/18690#issuecomment-234505083

Reading the best practices [recommended by AWS](http://docs.aws.amazon.com/java-sdk/latest/developer-guide/credentials.html), we should use `DefaultAWSCredentialsProviderChain` instead of providing the detail of the chain ourselves.

For now, we read credentials (if not provided in `elasticsearch.yml`) using:

```java
credentials = new AWSCredentialsProviderChain(
   new SystemPropertiesCredentialsProvider(),
   new EnvironmentVariableCredentialsProvider(),
   new InstanceProfileCredentialsProvider()
);
```

Which means that we read from:

* Environment Variables - `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (RECOMMENDED since they are recognized by all the AWS SDKs and CLI except for .NET), or `AWS_ACCESS_KEY` and `AWS_SECRET_KEY` (only recognized by Java SDK)
* Java System Properties - `aws.accessKeyId` and `aws.secretKey`
* Instance profile credentials delivered through the Amazon EC2 metadata service

Using instead:

```java
credentials = new DefaultAWSCredentialsProviderChain();
```

Will give us two new more methods out of the box:

> * Credential profiles file at the default location (`~/.aws/credentials`) shared by all AWS SDKs and the AWS CLI
> * Credentials delivered through the Amazon EC2 container service if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable is set and security manager has permission to access the variable

Cherry on the cake: as soon as AWS SDK will propose a new implementation, we will benefit from it without any modification (just updating the SDK).

We also simplify

```
new AWSCredentialsProviderChain(new StaticCredentialsProvider(new BasicAWSCredentials(key, secret)));
```

As there is no need to wrap StaticCredentialsProvider in AWSCredentialsProviderChain.

Closes #19556.
This commit is contained in:
David Pilato 2016-07-23 01:28:39 +02:00
parent 43c15f2b23
commit f33d103e76
2 changed files with 6 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
plugins/discovery-ec2/src/main/java/org/elasticsearch/cloud/aws/AwsEc2ServiceImpl.java
View File

@ -23,11 +23,8 @@ import com.amazonaws.AmazonClientException;
import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.http.IdleConnectionReaper;
import com.amazonaws.internal.StaticCredentialsProvider;
import com.amazonaws.retry.RetryPolicy;
@ -83,16 +80,10 @@ public class AwsEc2ServiceImpl extends AbstractLifecycleComponent implements Aws
String secret = CLOUD_EC2.SECRET_SETTING.get(settings);
if (key.isEmpty() && secret.isEmpty()) {
logger.debug("Using either environment variables, system properties or instance profile credentials");
credentials = new AWSCredentialsProviderChain(
new EnvironmentVariableCredentialsProvider(),
new SystemPropertiesCredentialsProvider(),
new InstanceProfileCredentialsProvider()
);
credentials = new DefaultAWSCredentialsProviderChain();
} else {
logger.debug("Using basic key/secret credentials");
credentials = new AWSCredentialsProviderChain(
new StaticCredentialsProvider(new BasicAWSCredentials(key, secret))
);
credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key, secret));
}
return credentials;

17
plugins/repository-s3/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
View File

@ -22,11 +22,8 @@ package org.elasticsearch.cloud.aws;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.http.IdleConnectionReaper;
import com.amazonaws.internal.StaticCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
@ -36,7 +33,6 @@ import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
@ -122,19 +118,12 @@ public class InternalAwsS3Service extends AbstractLifecycleComponent implements
public static AWSCredentialsProvider buildCredentials(ESLogger logger, String key, String secret) {
AWSCredentialsProvider credentials;
if (key.isEmpty() && secret.isEmpty()) {
logger.debug("Using either environment variables, system properties or instance profile credentials");
credentials = new AWSCredentialsProviderChain(
new EnvironmentVariableCredentialsProvider(),
new SystemPropertiesCredentialsProvider(),
new InstanceProfileCredentialsProvider()
);
credentials = new DefaultAWSCredentialsProviderChain();
} else {
logger.debug("Using basic key/secret credentials");
credentials = new AWSCredentialsProviderChain(
new StaticCredentialsProvider(new BasicAWSCredentials(key, secret))
);
credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key, secret));
}
return credentials;