CernVM / CVM-946

Add support for AWS Security Token Service to cvmfs-server S3 interface


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: CVMFS
    • Labels:
      None
    • Platforms:
      x86_64-slc6-gcc48-opt

      Description

      This is not a requirement at the moment, but a nice-to-have. We've been looking at improving the security of our AWS usage, and AWS recommends using their Security Token Service rather than long-term access keys where possible. Currently the cvmfs-server S3 support appears to only work with long-term keys. The way the STS works is that you launch an AWS instance with a Role that enables it, and then every 6 hours or so it automatically renews the keys in the instance metadata. The metadata can then be retrieved with an HTTP request as shown here. That metadata includes a secret key and access key which are passed like normal, plus an additional security token that also has to be included. According to this, the token should be added in an X-Amz-Security-Token header.

      A description of how to assign the role to a running instance is here.

      Using this feature, no long-term key has to be stored in an image, and even if it is stolen it isn't good for long.
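      A sketch of what the cvmfs-server side would need to do, as an added example that is not code from the CernVM project: parse the role credentials the instance metadata service hands back (constructed sample JSON with placeholder values), decide when to refetch them before they expire, and sign an S3 request so that the session token travels in X-Amz-Security-Token and is covered by the signature. Assumed: Python, AWS SigV4 header authentication (the ticket does not say which signing scheme cvmfs-server uses), and the AccessKeyId/SecretAccessKey/Token/Expiration field names AWS documents for the metadata response.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON the instance metadata service returns for a
# role's credentials; every value here is a placeholder, not a real key.
SAMPLE_IMDS_JSON = json.dumps({
    "Code": "Success", "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "example-secret-key-not-real",
    "Token": "EXAMPLE-SESSION-TOKEN", "Expiration": "2016-01-01T06:00:00Z",
})

def parse_sts_credentials(body):
    """Pull the temporary key pair, session token and expiry out of IMDS JSON."""
    d = json.loads(body)
    if d.get("Code") != "Success":
        raise ValueError("credential fetch failed: %s" % d.get("Code"))
    exp = datetime.strptime(d["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {"access_key": d["AccessKeyId"], "secret_key": d["SecretAccessKey"],
            "token": d["Token"], "expires": exp.replace(tzinfo=timezone.utc)}

def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """Temporary keys rotate every few hours; refetch them before they lapse."""
    return now + margin >= creds["expires"]

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(creds, method, host, path, region, now, payload=b""):
    """Build SigV4 auth headers for an S3 request. The session token goes in
    X-Amz-Security-Token and is listed in SignedHeaders so it is covered by
    the signature; temporary keys sent without the token are rejected by AWS."""
    amz_date, scope_date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date, "x-amz-security-token": creds["token"]}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([method, path, "",  # empty canonical query string
                           "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers)),
                           signed, payload_hash])
    scope = "%s/%s/s3/aws4_request" % (scope_date, region)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + creds["secret_key"]).encode(), scope_date)
    for part in (region, "s3", "aws4_request"):  # derive the per-day signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = ("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, "
                                "Signature=%s" % (creds["access_key"], scope, signed, signature))
    return headers
```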

    People

    • Assignee: jblomer Jakob Blomer
    • Reporter: dwd Dave Dykstra