document S3 RBAC preference on v5.14+ #11111
base: develop
Conversation
Very clear, especially with the link to the AWS docs on instance profiles. Thanks for the tip on the local configs as well.
@nightowlaz the link and most of the text was already there, just farther down and not as insistent. I moved it up top and changed "you may use RBAC" to "Dataverse WILL use RBAC, like it or not."
Yes, sorry, I saw that previous section in the diff code, but just emphasizing that it was good! =)
@@ -1093,6 +1093,8 @@ The Dataverse Software S3 driver supports multi-part upload for large files (ove | |||
First: Set Up Accounts and Access Credentials | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
|||
**Note:** As of version 5.14, if Dataverse is running in an EC2 instance it will prefer RBAC for the S3 default profile, even if administrators configure Dataverse with programmatic access keys. This is preferential from a security perspective as there are no keys to rotate or have stolen. If you intend to assign a role to your EC2 instance, you will still need the ``~/.aws/config`` file to specify the region but you need not generate credentials for the default profile. For more information please see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html |
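Review bot: The new note paragraph in this hunk uses "RBAC" without saying what it is and calls the behaviour "preferential", which does not mean "preferable"; on first use, name the mechanism as an IAM role attached to the instance through an instance profile (which is what the linked AWS page describes), and change "This is preferential from a security perspective" to "This is preferable from a security perspective". The paragraph also says the configured access keys will be ignored but not what administrators should do with them; add a sentence recommending that keys left in the default profile be deleted from ~/.aws/credentials and deactivated in IAM, because an ignored key remains a valid credential if the file is exposed.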
Thanks for the update. Minor text edit suggestions below.
Note: As of version 5.14, if Dataverse is running in an EC2 instance it will prefer Role Based Access Control (RBAC) over the S3 default profile, even if administrators configure Dataverse with programmatic access keys. (Named profiles can still be used to override RBAC for specific stores.) RBAC is preferential from a security perspective as there are no keys to rotate or have stolen. If you intend to assign a role to your EC2 instance, you will still need the ~/.aws/config file to specify the region but you need not generate credentials for the default profile. For more information please see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
@@ -1093,6 +1093,8 @@ The Dataverse Software S3 driver supports multi-part upload for large files (ove | |||
First: Set Up Accounts and Access Credentials | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
|
|||
**Note:** As of version 5.14, if Dataverse is running in an EC2 instance it will prefer RBAC for the S3 default profile, even if administrators configure Dataverse with programmatic access keys. Named profiles can still be used to override RBAC for specific datastores. This is preferential from a security perspective as there are no keys to rotate or have stolen. If you intend to assign a role to your EC2 instance, you will still need the ``~/.aws/config`` file to specify the region but you need not generate credentials for the default profile. For more information please see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html |
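Review bot: The sentence "Named profiles can still be used to override RBAC for specific datastores" added in this hunk states the exception but not its consequence, and the "This" in the following sentence now reads as if it refers to the override; spell out that a store pointed at a named profile authenticates with that profile's static keys rather than the instance role, so those keys still need rotation and the instance role's IAM policy does not apply to that store, and start the next sentence with "Using the instance role is preferable from a security perspective" instead of "This is preferential". The region sentence could also say that the region in ~/.aws/config is needed because the instance role supplies credentials only, not the region.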
Sorry - there was more changed than just the part in parens (which I was suggesting to keep). In line 1 I changed 'for the S3 default profile' to say 'over' instead of 'for', I spelled out RBAC the first time as Role Based Access Control, and in the third sentence I changed 'This' to 'RBAC' Since the sentence about named profiles made 'This' ambiguous.
What this PR does / why we need it:
explicitly document v5.14+'s preference, to make it clear for administrators
Which issue(s) this PR closes:
Special notes for your reviewer:
none
Suggestions on how to test this:
add/remove roles to/from the EC2 instance in AWS when the Dataverse instance in question is configured to use an S3 bucket
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
no
Is there a release notes update needed for this change?:
no
Additional documentation:
Preview at https://dataverse-guide--11111.org.readthedocs.build/en/11111/installation/config.html#amazon-s3-storage-or-compatible
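A worked check for the testing suggestion above, added here as an example and not part of this PR or of the Dataverse project. It models the precedence the new note documents (a store on the default profile resolves to the instance role when one is attached, even if static keys are configured; a store on a named profile resolves to that profile's own keys), verifies that the region the note says is still required is present in ~/.aws/config, flags keys left behind in the default profile, and classifies the output of `aws sts get-caller-identity` run on the instance, which is how you confirm after attaching or removing a role that S3 calls are actually being made as the assumed role rather than as an IAM user. The store-to-profile mapping, the store ids and the file contents are constructed for this example; the precedence encoded in `credential_source` is the behaviour the note describes for Dataverse 5.14+, not the general AWS SDK credential chain.

```python
"""Added example, not Dataverse project code: audits ~/.aws files against the
documented 5.14+ precedence and classifies the STS caller identity."""
import configparser
import json

# Constructed sample ~/.aws/config: the region is still required for the default profile.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile archive]
region = us-west-2
"""

# Constructed sample ~/.aws/credentials: stale keys left in [default] plus keys for a
# named profile that is meant to override the instance role for one store.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = exampleSecretDefault

[archive]
aws_access_key_id = AKIAEXAMPLEARCHIVE00
aws_secret_access_key = exampleSecretArchive
"""

# Constructed, hypothetical store id -> AWS profile mapping.
SAMPLE_STORES = {"s3": "default", "s3archive": "archive"}


def parse_ini(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def config_section(profile):
    # ~/.aws/config names non-default profiles "[profile <name>]".
    return "default" if profile == "default" else f"profile {profile}"


def profile_region(config, profile):
    section = config_section(profile)
    return config[section].get("region") if config.has_section(section) else None


def has_static_keys(credentials, profile):
    return credentials.has_section(profile) and all(
        credentials[profile].get(k) for k in ("aws_access_key_id", "aws_secret_access_key")
    )


def credential_source(profile, credentials, instance_role_attached):
    """Credentials a store resolves to under the documented 5.14+ rule (assumption:
    default profile -> instance role when attached; named profile -> its own keys)."""
    if profile == "default" and instance_role_attached:
        return "instance-role"
    return "static-keys" if has_static_keys(credentials, profile) else "none"


def audit_stores(stores, config_text, credentials_text, instance_role_attached):
    config = parse_ini(config_text)
    credentials = parse_ini(credentials_text)
    report = {}
    for store, profile in stores.items():
        source = credential_source(profile, credentials, instance_role_attached)
        region = profile_region(config, profile)
        warnings = []
        if region is None:
            warnings.append(f"no region in ~/.aws/config for profile {profile}")
        if source == "instance-role" and has_static_keys(credentials, "default"):
            warnings.append("unused static keys in [default]; delete them and deactivate in IAM")
        if source == "none":
            warnings.append(f"no credentials resolve for profile {profile}")
        report[store] = {"profile": profile, "region": region, "source": source, "warnings": warnings}
    return report


def caller_identity_kind(sts_output):
    """Classify the JSON printed by `aws sts get-caller-identity` on the instance:
    an attached role shows up as an sts assumed-role ARN, static keys as an iam user ARN."""
    arn = json.loads(sts_output)["Arn"]
    if ":assumed-role/" in arn:
        return "assumed-role"
    if ":user/" in arn:
        return "iam-user"
    return "other"


if __name__ == "__main__":
    for attached in (True, False):
        print(f"instance role attached: {attached}")
        for store, info in audit_stores(SAMPLE_STORES, SAMPLE_CONFIG, SAMPLE_CREDENTIALS, attached).items():
            print(f"  {store}: {info}")
```

Run it once with the role attached and once without to see the default-profile store flip between the instance role and the stale keys while the named-profile store keeps using its own keys either way; on a real instance, pair that with `aws sts get-caller-identity` and feed the JSON to `caller_identity_kind`.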