Nuxeo Platform: NXP-26576

Make S3 upload work with instance roles


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.10, 10.3
    • Fix Version/s: 9.10-HF26, 10.10
    • Component/s: S3
    • Release Notes Summary:
      S3 Direct Upload works with IAM roles.
    • Backlog priority:
      1,500
    • Upgrade notes:

      The S3 direct upload capability has been adapted to follow the AWS recommendations and to improve security by using an IAM role instead of an IAM user.

      The AWS and Nuxeo configuration required to enable this feature is documented here: https://doc.nuxeo.com/nxdoc/amazon-s3-online-storage/#s3-direct-upload

      For backward compatibility, in Nuxeo 9.10 it is possible to use either an IAM user or an IAM role.

      In Nuxeo 10.10 an IAM role must be used.

    • Sprint:
      nxcore 10.10.5
    • Story Points:
      5

      Description

      The guideline from the security team is to use an instance role on AWS instead of setting an access key id/secret in nuxeo.conf.

      However, the current implementation of S3 direct upload cannot work with an instance role: the role only provides temporary session credentials, and STS refuses GetFederationToken when it is called with session credentials, so the server cannot mint temporary credentials for the UI clients:

      {
        "entity-type": "exception",
        "message": "com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Cannot call GetFederationToken with session credentials (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b54c312b-0ef0-11e9-9079-b1d28d157463)",
        "status": 500
      }

      Maybe use AssumeRole instead of GetFederationToken
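      As an added example (not Nuxeo's own code, which is Java; this is a Python/boto3 sketch), here is how a server running on an instance role can mint short-lived, scoped-down S3 credentials for the browser with STS AssumeRole and a session policy, and how it can detect that it holds session credentials before it would even try GetFederationToken. The upload role ARN, bucket name, key prefix and user name are placeholders.

```python
"""Mint short-lived, scoped-down S3 upload credentials for a browser client
from an EC2 instance role with STS AssumeRole instead of GetFederationToken.

Added example; not Nuxeo code. Role and bucket names are placeholders.
"""
import json
import re

# Placeholders: the role the server chains into, and the upload bucket.
UPLOAD_ROLE_ARN = "arn:aws:iam::123456789012:role/nuxeo-s3-direct-upload"
UPLOAD_BUCKET = "nuxeo-direct-upload"

# Role chaining (AssumeRole called with session credentials) caps the session
# at one hour; 900 s is the STS minimum and plenty for a browser upload.
UPLOAD_DURATION_SECONDS = 900


def is_session_credentials(creds) -> bool:
    """True when the caller's credentials carry a session token.

    Instance-profile credentials always do, and STS rejects GetFederationToken
    from such callers ("Cannot call GetFederationToken with session
    credentials", AccessDenied/403). AssumeRole accepts them.
    """
    return getattr(creds, "token", None) is not None


def sanitize_session_name(name: str) -> str:
    """RoleSessionName must match [\\w+=,.@-]{2,64}; it ends up in CloudTrail,
    so derive it from the Nuxeo user to keep uploads attributable."""
    cleaned = re.sub(r"[^\w+=,.@-]", "_", name, flags=re.ASCII)[:64]
    return cleaned if len(cleaned) >= 2 else "nuxeo-upload"


def build_scoped_upload_policy(bucket: str, key_prefix: str) -> dict:
    """Session policy passed to AssumeRole: the effective permissions are the
    intersection of the role's policy and this one, so the browser can only
    write under its own prefix (no listing, reading or deleting)."""
    if not key_prefix or key_prefix.startswith("/") or ".." in key_prefix:
        raise ValueError("key prefix must be a non-empty relative path")
    prefix = key_prefix.rstrip("/") + "/"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DirectUploadOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def build_upload_role_trust_policy(instance_role_arn: str) -> dict:
    """Trust policy the upload role needs so the instance role may assume it
    (the instance role additionally needs sts:AssumeRole on the upload role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": instance_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def mint_upload_credentials(sts_client, role_arn: str, bucket: str,
                            key_prefix: str, session_name: str,
                            duration_seconds: int = UPLOAD_DURATION_SECONDS) -> dict:
    """Call AssumeRole with the scoped session policy and return what the
    UI client needs. sts_client is a boto3 STS client built from the server's
    own (instance-role) credentials."""
    policy = build_scoped_upload_policy(bucket, key_prefix)
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=sanitize_session_name(session_name),
        Policy=json.dumps(policy),
        DurationSeconds=duration_seconds,
    )
    c = resp["Credentials"]
    return {
        "accessKeyId": c["AccessKeyId"],
        "secretAccessKey": c["SecretAccessKey"],
        "sessionToken": c["SessionToken"],
        "expiration": c["Expiration"].isoformat(),
        "bucket": bucket,
        "keyPrefix": key_prefix.rstrip("/") + "/",
    }


if __name__ == "__main__":
    import boto3  # needed only for the live call against STS

    session = boto3.Session()
    creds = session.get_credentials().get_frozen_credentials()
    print("running on session credentials:", is_session_credentials(creds))
    out = mint_upload_credentials(session.client("sts"), UPLOAD_ROLE_ARN,
                                  UPLOAD_BUCKET, "tmp/batch-42", "alice@example.com")
    print(json.dumps(out, indent=2))
```

      Two setup points matter for this to work: the instance role must be allowed sts:AssumeRole on the upload role, and the upload role's trust policy must name the instance role as principal (the second function above shows that document). Because the server's own credentials are already a session, the chained session can last at most one hour regardless of the upload role's configured maximum, which is a good fit for credentials handed to a browser anyway.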


    People

    • Votes: 0
    • Watchers: 4


    Time Tracking

    • Estimated: 0m
    • Remaining: 0m
    • Logged: 3d 2h