Implement `bin/aws-s3 get ...` and a basic S3 client API

Description

Implement bin/aws-s3 get ... and a basic S3 client API

Summary: Ref T5155. This implements pulling file data off S3 using a first-party, Signature v4-compatible API.

Test Plan:

getdog.png (498×1 px, 313 KB)

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T5155

Differential Revision: https://secure.phabricator.com/D14979

Event Timeline

bitglue added a subscriber: bitglue.
bitglue added inline comments.
/src/future/aws/management/PhutilAWSManagementWorkflow.php:14

Command-line arguments of any process can be seen by any user. For example, run `ps aux` and you can see the command-line arguments even of processes run by root.

Is it prudent to expose AWS credentials in such a way? I'd suggest instead sticking with the credential mechanisms supported by all AWS SDKs.

Under what circumstances do you expect to run this script with live credentials?

I'm confused. If by "live" credentials you mean credentials that exist in some AWS account and grant some level of access to S3, I'm not sure what other kind of credentials I'd ever use.

Admittedly, I'm not really sure under what circumstances this script is used at all. I only happened to come across this in relation to T5155. But I'm pretty sure in all circumstances I don't want my credentials unnecessarily exposed.

By "live", I mean production credentials which provide access to sensitive data, as opposed to test credentials which provide access to nonsensitive test data.

I wrote this script to make it easier to test the S3 client code, and have only ever run it with test credentials. Specifically, here are the credentials I used:

Access Key: AKIAI43ALT2B5BW4FRTA
Secret Key: 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

These credentials provided access to several different pictures of dogs with socks on, if you were able to run `ps aux` on my laptop to observe them.

OK, fair enough. Thank you for clarifying.
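
The alternative raised in the thread, keeping keys out of argv and resolving them the way the AWS SDKs do, can be sketched as follows. This is an added example in Python, not code from this commit or from libphutil; the environment variable names and the shared credentials file are the standard AWS SDK ones, while `reject_keys_in_argv`, `load_aws_credentials` and the file-permission check are hypothetical additions for illustration.

```python
import configparser
import os
import re
import stat
import sys

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def reject_keys_in_argv(argv):
    """Fail fast if an access key ID was typed on the command line."""
    for arg in argv:
        if ACCESS_KEY_RE.search(arg):
            raise SystemExit("refusing to run: access key found in argv, "
                             "which any local user can read via `ps aux`")


def load_aws_credentials(environ=None, path=None, profile=None):
    """Return (access_key, secret_key, source) from env vars or the shared file."""
    environ = os.environ if environ is None else environ
    key = environ.get("AWS_ACCESS_KEY_ID")
    secret = environ.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return key, secret, "environment"

    path = (path or environ.get("AWS_SHARED_CREDENTIALS_FILE")
            or os.path.expanduser("~/.aws/credentials"))
    profile = profile or environ.get("AWS_PROFILE", "default")

    # Added policy (not an SDK behaviour): refuse a file that group/other can
    # access, since that recreates the exposure argv has.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; expected 600")

    # interpolation=None: secret keys may contain '%', which must stay literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    section = parser[profile]  # KeyError if the profile is absent
    return (section["aws_access_key_id"], section["aws_secret_access_key"],
            f"file:{profile}")


if __name__ == "__main__":
    reject_keys_in_argv(sys.argv[1:])
    access_key, _secret, source = load_aws_credentials()
    print(f"using access key ending ...{access_key[-4:]} from {source}")
```

On Linux, a process's environment (`/proc/<pid>/environ`) is readable only by its owner and root, unlike its argument list.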