CernVM / CVM-946

Add support for AWS Security Token Service to cvmfs-server S3 interface



    • Type: Improvement
    • Status: Open
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: CVMFS


This is not a requirement at the moment, but a nice-to-have. We've been looking at improving the security of our AWS usage, and AWS recommends using their Security Token Service rather than long-term access keys where possible. Currently the cvmfs-server S3 support appears to only work with long-term keys. The way the STS works is that you launch an AWS instance with a Role that enables it, and then every 6 hours or so it automatically renews the keys in the instance metadata. The metadata can then be retrieved with an HTTP request as shown here. That metadata includes a secret key and access key which are passed like normal, plus an additional security token that also has to be included. According to this, the token should be added in an X-Amz-Security-Token header.

A description of how to assign the role to a running instance is here.

Using this feature, no long-term key has to be stored in an image, and even if it is stolen it isn't good for long.
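The flow described above, as an added example that is not part of the issue and not cvmfs-server code: parse the credential document the instance metadata service returns for a role (the documented path is `http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>`; the JSON below is a constructed sample with placeholder values, not a live fetch), decide whether the credentials are close enough to their `Expiration` to need re-reading, and sign an S3 GET with AWS Signature Version 4 so that the temporary token travels in the `X-Amz-Security-Token` header and is also covered by the signature. Bucket, object key and region are assumptions chosen for the demo.

```python
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed sample of the document returned by the instance metadata
# service for a role. Values are placeholders, not real credentials.
SAMPLE_METADATA = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "EXAMPLEsecretKeyForDemoOnly00000000000000",
    "Token": "EXAMPLE-SESSION-TOKEN-NOT-REAL",
    "Expiration": "2024-01-01T06:00:00Z",
})

# SHA-256 of an empty body; a GET carries no payload.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def parse_iso_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used by the metadata service."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_credentials(metadata_json):
    """Extract access key, secret key, session token and expiry from the metadata document."""
    doc = json.loads(metadata_json)
    if doc.get("Code") != "Success":
        raise ValueError("metadata service did not return credentials: %r" % doc.get("Code"))
    return {
        "access_key": doc["AccessKeyId"],
        "secret_key": doc["SecretAccessKey"],
        "token": doc["Token"],
        "expiration": parse_iso_utc(doc["Expiration"]),
    }


def needs_refresh(creds, now, margin_seconds=300):
    """True when the credentials expire within margin_seconds; re-read metadata before then."""
    return now + dt.timedelta(seconds=margin_seconds) >= creds["expiration"]


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_s3_get(creds, bucket, key, region, now, payload_hash=EMPTY_SHA256):
    """Return the headers for a SigV4-signed GET of s3://bucket/key.

    If creds carries a session token, it is sent as X-Amz-Security-Token and
    listed in SignedHeaders, so S3 validates the token together with the signature.
    """
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)  # assumed virtual-hosted endpoint
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    # Headers that take part in the signature; names must be lowercase and sorted.
    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if creds.get("token"):
        headers["x-amz-security-token"] = creds["token"]
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers))
    canonical_uri = quote("/" + key.lstrip("/"), safe="/-_.~")

    canonical_request = "\n".join(
        ["GET", canonical_uri, "", canonical_headers, signed_headers, payload_hash])
    scope = "%s/%s/s3/aws4_request" % (date_stamp, region)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    # Derive the signing key from the (temporary) secret key.
    k_date = _hmac_sha256(("AWS4" + creds["secret_key"]).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    out = {
        "Host": host,
        "X-Amz-Date": amz_date,
        "X-Amz-Content-Sha256": payload_hash,
        "Authorization": "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
                         % (creds["access_key"], scope, signed_headers, signature),
    }
    if creds.get("token"):
        out["X-Amz-Security-Token"] = creds["token"]
    return out


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_METADATA)
    now = parse_iso_utc("2024-01-01T03:00:00Z")
    print("refresh needed:", needs_refresh(creds, now))
    for name, value in sign_s3_get(creds, "example-bucket", "data/file.txt", "us-east-1", now).items():
        print("%s: %s" % (name, value))
```

Two points the issue text implies but a server implementation has to get right: the token is not a third credential to be concatenated into the key, it is an extra signed header, and the "every 6 hours or so" renewal shows up as the `Expiration` field, so the S3 backend has to re-read the metadata document with some margin before that time rather than caching the keys once at start-up.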




    • Assignee: jblomer Jakob Blomer
    • dwd Dave Dykstra
    • Votes: 0
    • Watchers: 1

