New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vdb-config: use AWS IAM role instead of credentials file #945

Open

peter-sandor-1992 opened this issue Jul 4, 2024 · 1 comment

peter-sandor-1992 commented Jul 4, 2024

We are currently trying to move away from storing access and secret keys in our configuration files and have instead enabled the use of IAM policies on our AWS EC2 instances, as per current best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

In order to set the "accept charges for AWS" in vdb-config, we currently have to set a credentials file with an access and a secret key.
Is there any way of providing an IAM instance profile ARN instead of access and secret keys to still be able to download SRA files from s3 using prefetch?
Exactly how are these credentials being used for downloading the SRA files from the cloud? Would obtaining temporary credentials using an IAM policy (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials) work, even if these expire mid-download?
Temporary credentials have a maximum lifespan of 36 hours: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken. This should be enough for a single download but we want to make sure we cover all scenarios.

The text was updated successfully, but these errors were encountered:

tudor-turcu commented Aug 29, 2024

Any news/answer about this issue? ..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment