AWS allows you to authenticate with IAM Roles, which are temporary credentials stored on each host and accessible to any process on the host by performing an HTTP request to a secret local server.
My understanding is that a simple IAM workflow might work like this:
- An operator goes to the AWS console and says that web001.mycompany.com has permission to access S3.
- When software on web001.mycompany.com goes to access S3, it first makes a local HTTP request to the local instance metadata service in AWS, at http://169.254.169.254/.
- This service is automatic and not authenticated. Any process on the host may access it and retrieve credentials and any other data it exposes.
- After retrieving a credential from the instance metadata service, it uses it to sign requests.
We do not currently support this. Specifically, Phabricator does not have the code required to make the call to the instance metadata service.
We should write our own S3 client instead of using an external. S3 has a fairly simple API.
It would be great if IAM roles could be used to provide credentials for S3 instead of explicitly providing an S3 access key. I think that in order to do this, the S3 library would likely need to be upgraded/replaced. I'm not sure if the S3 library supports IAM roles or not.