New Functionality to support a Key Prefix and EC2InstanceProfile IAM #9
Conversation
… is being run within AWS EC2) as an alternative to IAM AccessKey and SecretAccessKey
| @@ -26,25 +26,42 @@ public class AmazonBlobStorageProvider : CloudBlobStorageProvider | |||
| /// <param name="config">The collection of parameters (each by its name and value) of the current provider's configuration settings.</param> | |||
| protected override void InitializeStorage(NameValueCollection config) | |||
| { | |||
| var useIamInstanceRoleValue = "false"; | |||
There was a problem hiding this comment.
Optional configuration item to allow the use of the EC2 Instance Profile Role, defaults to false, maintaining backwards compatibility
| this.accessKeyId = config[AccessKeyIdKey].Trim(); | ||
| if (String.IsNullOrEmpty(this.accessKeyId)) | ||
| if (!this.useIamInstanceRole && String.IsNullOrEmpty(this.accessKeyId)) |
There was a problem hiding this comment.
Change to AccessKeyId and SecretKeyId parameters to only validate if we are not using the EC2 Instance Profile Role
| throw new ConfigurationException("'{0}' is required.".Arrange(SecretKeyKey)); | ||
|
|
||
| this.bucketName = config[BucketNameKey].Trim(); | ||
| if (String.IsNullOrEmpty(this.bucketName)) | ||
| throw new ConfigurationException("'{0}' is required.".Arrange(BucketNameKey)); | ||
|
|
||
| if (config.AllKeys.Contains(KeyPrefixKey)) |
There was a problem hiding this comment.
Optional configuration item to allow the use of a key prefix on files uploaded to the S3 Bucket
| string regionEndpointString = config[RegionEndpointKey].Trim(); | ||
| var endpointField = typeof(RegionEndpoint).GetField(regionEndpointString, BindingFlags.Static | BindingFlags.Public); | ||
| if ((string.IsNullOrWhiteSpace(regionEndpointString)) || (endpointField == null)) | ||
| throw new ConfigurationException("'{0}' is required.".Arrange(RegionEndpointKey)); | ||
|
|
||
| var regionEndpoint = (RegionEndpoint)endpointField.GetValue(null); | ||
| this.transferUtility = new TransferUtility(accessKeyId, secretKey, regionEndpoint); | ||
|
|
There was a problem hiding this comment.
If we're using the EC2 Instance Profile Role, don't pass accesskey and secretaccesskey into the TransferUtility constructor, the AWS SDK will use the instance's role by default
There was a problem hiding this comment.
@BenWolstencroft,
We've managed to test EC2InstanceProfile IAM functionality and as you said this works fine if Sitefinity is deployed to an EC2 instance, and the EC2 instance's profile role has the correct S3 Bucket policy applied.
But what if useIamInstanceRoleValue is set to true and Sitefinity is hosted outside AWS (or EC2 instance's profile role in not attached to EC2 instance), then error is thrown:
Exception 1 of 4:
System.ArgumentException: App.config does not contain credentials information. Either add the AWSAccessKey and AWSSecretKey or AWSProfileName.
at Amazon.Runtime.StoredProfileAWSCredentials..ctor(String profileName, String profilesLocation) in d:\Jenkins\jobs\build-sdk-v2\workspace\sdk\src\AWSSDK_DotNet35\Amazon.Runtime\AWSCredentials.cs:line 318
at Amazon.Runtime.EnvironmentAWSCredentials..ctor() in d:\Jenkins\jobs\build-sdk-v2\workspace\sdk\src\AWSSDK_DotNet35\Amazon.Runtime\AWSCredentials.cs:line 590
at Amazon.Runtime.FallbackCredentialsFactory.b__1() in d:\Jenkins\jobs\build-sdk-v2\workspace\sdk\src\AWSSDK_DotNet35\Amazon.Runtime\AWSCredentials.cs:line 1117
at Amazon.Runtime.FallbackCredentialsFactory.GetCredentials(Boolean fallbackToAnonymous) in d:\Jenkins\jobs\build-sdk-v2\workspace\sdk\src\AWSSDK_DotNet35\Amazon.Runtime\AWSCredentials.cs:line 1137
We need proper documentation, how exactly this setup works, and probably cover this scenario described above.
|
Found an issue with the PR, will resubmit |
|
issue investigated and there was no problem - misconfiguration on my end! |
Update copyright message
|
Why was this not this PR merged?? This is a really useful feature!! |
|
@jxt-aref - don't think sitefinity 'care' much about this repo, seems it's more of a documentation example than a 'working' plugin |
A number of commits here:
Adds the ability to optionally supply a KeyPrefix parameter which allows the amazon-s3-provider to store files in a subfolder in the specified S3 bucket
Adds the ability to optionally use an EC2 Instance Role (i.e. not supply AccessKey and SecretAccessKey IAM credentials), this works if Sitefinity is deployed to an EC2 instance, and the EC2 instance's profile role has the correct S3 Bucket policy applied.