[NXP-25075] Add new Nuxeo AWS service to get credentials and other config - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 9.10-HF20, 10.3
Component/s: AWS

Release Notes Summary:
A new Nuxeo AWS service is added to get credentials and other configurations.
Tags:
Impact type:

API change, Configuration Change
Upgrade notes:
Hide

A new template aws is available, to define the AWS configuration. When activated (which is automatically done by the marketplace-amazon-s3 package), the following nuxeo.conf properties are available:

nuxeo.aws.accessKeyId

nuxeo.aws.secretKey

nuxeo.aws.region

They are optional, and if not present the default AWS SDK mechanism for configuring them will be used (environment variables, Java system properties, local AWS profile, container-specific configuration (ECS/EC2)). See https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default and https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html#default-region-provider-chain for more information.

Instead of using the template, the service can also be configured manually:

<extension target="org.nuxeo.runtime.aws.AWSConfigurationService" point="configuration"> <configuration> <accessKeyId>MY_ACCESS_KEY_ID</accessKeyId> <secretKey>MY_SECRET_KEY</secretKey> <region>MY_REGION</region> </configuration> </extension>

From Java there are two new APIs to get this information:

NuxeoAWSCredentialsProvider.getInstance()

NuxeoAWSRegionProvider.getInstance().getRegion()

These credentials and region providers will default to standard AWS SDK behavior if no Nuxeo configuration is provided (see above).
Show
A new template aws is available, to define the AWS configuration. When activated (which is automatically done by the marketplace-amazon-s3 package), the following nuxeo.conf properties are available: nuxeo.aws.accessKeyId nuxeo.aws.secretKey nuxeo.aws.region They are optional, and if not present the default AWS SDK mechanism for configuring them will be used (environment variables, Java system properties, local AWS profile, container-specific configuration (ECS/EC2)). See https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default and https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html#default-region-provider-chain for more information. Instead of using the template, the service can also be configured manually: <extension target= "org.nuxeo.runtime.aws.AWSConfigurationService" point= "configuration" > <configuration> <accessKeyId> MY_ACCESS_KEY_ID </accessKeyId> <secretKey> MY_SECRET_KEY </secretKey> <region> MY_REGION </region> </configuration> </extension> From Java there are two new APIs to get this information: NuxeoAWSCredentialsProvider.getInstance() NuxeoAWSRegionProvider.getInstance().getRegion() These credentials and region providers will default to standard AWS SDK behavior if no Nuxeo configuration is provided (see above).
Sprint:
nxFG 10.3.6
Story Points:
3

Description

In some Nuxeo packages like nuxeo-cloud-binarymanager the credentials are only resolved by contribution or using the instance role.

Because of that we can not leverage roles ( requires SESSION_TOKEN ) or even the ECS role will probably also fail.

We should stick to the normal resolution flow, unless a contribution is detected: to keep compatilbity
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

We need to circle on all Nuxeo modules that use AWS to ensure we have one unique way to handle AWS credentials ( maybe create an AWS common )

https://github.com/nuxeo/nuxeo-core-binarymanager-cloud

Attachments

Issue Links

depends on

NXP-25945 Update AWS SDK to latest version 1.11.427

Resolved

NXP-24981 Update AWS SDK to latest version 1.11.323

Resolved

is related to

NXP-24625 Nuxeo Vision should allow usage of session token

Open

NXP-25596 Nuxeo Vision for AWS Rekognition should use Environment Variables

Resolved

is required by

AICORE-151 nuxeo-runtime-aws credentials don't work in nuxeo.conf

Resolved

AICORE-60 Update AWS code to pick up the new nuxeo-runtime-aws

Resolved

NXP-24748 S3 Direct Upload - Add InstanceRole support

Resolved

NXP-26823 Allow multiple configurations for AWSConfigurationService

Resolved

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...

(3 is required by, 4 mentioned in)

Activity

People

Assignee:

Florent Guillaume

Reporter:

Rémi Cattiau

Participants:

Florent Guillaume, Jenkins, Rémi Cattiau

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2018-05-25 17:31

Updated:

2022-02-24 16:39

Resolved:

2018-09-26 15:55

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: