Support config files and temporary credentials for S3 URLs #303
Conversation
|
@DonFreed: What is the usual ballpark lifetime of temporary session tokens? If they're especially short, it seems like a likely setup would be to store your However none of the AWS SDKs or botocore code I looked at appeared to support mixing-'n'-matching like this, so I didn't either. Seems like they all support everything-in-env-vars or everything-in-config-file but not mixtures. Probably simpler that way… |
Extend the URL authority part parsing to "[ID:SECRET:TOKEN@]BUCKET". The latter fields are optional, and if only a username is provided, interpret it as the profile to look for in the configuration files. Check the conventional AWS environment variables for session token, profile, and credentials config file location. Pick up credential settings from ~/.aws/credentials (standard shared AWS credentials file), ~/.s3cfg (as per s3tools), and ~/.awssecret (as per Tim Kay's aws and Heng Li's kurl.c), in that order. Check for $AWS_SESSION_TOKEN etc and propagate any temporary credentials found to X-Amz-Security-Token header. Hat tip @DonFreed.
jmarshall
force-pushed
the
feature/s3-auth
branch
from
146a773 to
e9fcc57
Compare
|
@jmarshall and @DonFreed: the lifetime of a session token can be controlled but Don's cited use case for this (National Database for Autism Research) have tokens lasting ~ 24 hours. You either have a long-term key pair (i.e., key, secret key) or temporary credentials (key, secret key, and token) and the two can't be mixed. Both s3cmd and aws command-line use boto and provide support for using multiple config files or profiles, respectively. This enables a user to use a set of keys (i.e., their own AWS credentials) for some things and use a different set of credentials for other purposes. I suppose htslib will just look in the default config/profile, respectively? This may be a corner case for htslib, but I thought it might be worth mentioning: |
|
@jmarshall and @obenshaindw: Sorry I missed the earlier message. Temporary tokens lifetimes range from 15 minutes to 36 hours. David is correct that the long-term key pair cannot be mixed with the temporary credentials. When you receive a token, you also receive an In practice, for short sessions we just request a token and update ~/.aws/credentials. For longer sessions, we track expiration times or handle token expiration programmatically, so it does not matter too much whether the credentials are stored as environmental variables or in ~/.aws/credentials, so long as credentials are not mixed. The precedence of credentials for the AWS Command Line Interface are:
To improve consistency with the aws CLI, I would be in favor of handling $AWS_CONFIG_FILE in a similar manner to $AWS_SHARED_CREDENTIALS. |
That is the facet I was unaware of. So not mixing environment variables with config files does indeed make sense. (The need for a separate token in the API when you're getting a new id & secret anyway… not so much!) What's implemented in HTSlib at present follows other AWS SDKs and tools, and does support profiles. This will need documenting soon (probably mostly just a web page saying it supports s3: URLs with the usual configuration vars and files …) but in summary:
@obenshaindw I see botocore also falls back to contacting the IAM well-known endpoint. HTSlib could also do this, although I would have thought there would be some common script for copying these into environment variables so that such code was not multiplied across clients and SDKs…? HTSlib-based tools (i.e. samtools) are used on EC2 and especially outside EC2. If you're not on EC2, contacting random link-local IP addresses and asking them for credentials would be rather unfortunate (to put it mildly), so I'd really rather not do this by default. I would have thought there would be a convention of only doing this when $AWS_PROFILE is set to a special @DonFreed I followed this AWS blog post, which seems to say that only the AWS CLI looks at ~/.aws/config while all SDKs and the CLI look at the newer common ~/.aws/credentials. As we're just another SDK that's not the CLI, it seemed appropriate not to look at the CLI's config file and if your credentials are in the credentials file there's nothing we would need from the config file anyway. OTOH we're pandering to the CLI's $AWS_DEFAULT_PROFILE variable and to various legacy config files, and it would only be a few more lines of code… (but also more stuff to document). |
Handles temporary credentials specified in the URL (as
s3://ID:SECRET:TOKEN@bucket/...), via $AWS_SESSION_TOKEN, or as specified in a configuration file.Reads credentials from the URL, via the usual environment variables, from ~/.aws/credentials, from ~/.s3cfg, or from ~/.awssecret.