
Support IAM credentials for Elasticsearch
Closed, Duplicate | Public

Description

I've started setting up an Amazon Elasticsearch cluster for our Phabricator install. One issue that I had is that I can't currently use instance profiles to restrict access, see http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-upload-data.html:

> Standard clients, such as curl, cannot perform the request signing that is required of identity-based access policies. You must use an IP address-based access policy that allows anonymous access to successfully perform the instructions for this step.

In order to do this, I would need to be able to inject IAM temporary credentials into the requests, similar to T5155.

Event Timeline

joshuaspence raised the priority of this task from to Needs Triage.
joshuaspence updated the task description.
joshuaspence added a subscriber: joshuaspence.

Can you just use an IP-based access policy instead?

I'm going to merge this into T5155, since the root issue here is philosophical opposition to the use of IAM Roles to manage credentials in the upstream. Two possible pathways forward outside of upstream support are:

  1. Use an IP-based access policy instead of a role-based access policy.
  2. Copy/paste the ElasticSearch engine and add IAM Role support to it as an extension.

If (2) is not possible today without making changes to Phabricator itself, I am open to changes which increase the modularity of search engines so that the approach is more practical.
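
The request signing that the description says an identity-based access policy requires is AWS Signature Version 4. The sketch below is an added example, not part of this task or of Phabricator's code; it shows the signing step with a temporary credential's session token sent and signed as `x-amz-security-token`. The function name, endpoint and credential values are assumptions made up for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def sigv4_headers(method, url, body, access_key, secret_key, amz_date,
                  region, service="es", session_token=None):
    """Return headers that turn `method url` into a SigV4-signed request."""
    parts = urlsplit(url)
    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials (instance profile / STS): the session token
        # travels in its own header and is covered by the signature.
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed = ";".join(names)
    # Canonical request: method, path, sorted query, headers, payload hash.
    query = "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}"
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True)))
    canonical = "\n".join([
        method, quote(parts.path or "/", safe="/~"), query,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        signed, _sha256(body)])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         _sha256(canonical.encode())])
    # Signing key: HMAC chain over date, region, service, "aws4_request".
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed endpoint and credentials, for illustration only.
    for name, value in sigv4_headers(
            "GET", "https://search-example.us-east-1.es.amazonaws.com/_cluster/health",
            b"", "ASIAEXAMPLE", "constructed-secret", "20150830T123600Z",
            "us-east-1", session_token="constructed-session-token").items():
        print(f"{name}: {value}")
```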