How to use "Default AWS Credentials Provider Chain" in S3 connector

Publication date: Mar 2, 2024
Task

GOAL

To use the "Default AWS Credentials Provider Chain" for the S3 connector in a Mule Runtime running on customer-owned hosts.

Steps
If "Default AWS Credentials Provider Chain" is not enabled, the S3 connector reads its credentials from "accessKey" and "secretKey". Once "Default AWS Credentials Provider Chain" is enabled, the connector obtains credentials in the order given in the section "The default credential provider chain looks for credentials in this order", but it still checks that "accessKey" and "secretKey" are present, so put dummy values in those boxes.
<s3:config name="Amazon_S3__Configuration"
           accessKey="DummyKey" secretKey="DummySecret"
           tryDefaultAWSCredentialsProviderChain="true"
/>
In this case, customers do not need to put clear-text credentials in the application and can rely on an AWS EC2 instance role profile instead, which improves security. Please note that this is only possible in Runtime environments running on customer-owned servers, not in CloudHub, because customers have no control over the environment of CloudHub workers.

Use a Role ARN in the S3 connector

If you put a role ARN (Amazon Resource Name) in the S3 connector, for example RoleARN="arn:aws:iam::<account id>:role/<role name>", the connector first uses the credentials from the "Default AWS Credentials Provider Chain" or from "accessKey" and "secretKey" to assume that role, and then uses the credentials returned for the role to access S3. Make sure that the user or role/profile that owns the initial credentials is allowed to assume the role, and that the role has access to the S3 assets.

The "Role ARN" is usually used for cross-account access. In that case, you have to check both sides: the user in one account must have permission to assume the role in the other account, and the role's trust policy must specify that user's ARN as the principal.
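The following offline preflight check illustrates the two conditions just described (the role trusts the caller, and the caller may call sts:AssumeRole on the role). It is an added example, not code from the article or from the connector; the account IDs, ARNs and policy documents are constructed sample values, and the evaluator is deliberately simplified (it matches the exact caller ARN only, not account-root principals, conditions or wildcards in principals).

```python
"""Offline check of the cross-account assume-role prerequisites.
All ARNs and policies below are constructed sample values (not real accounts)."""

CALLER_ARN = "arn:aws:iam::111111111111:user/mule-s3-caller"   # constructed
ROLE_ARN = "arn:aws:iam::222222222222:role/MuleS3Access"       # constructed

# Trust policy attached to the role in account 222222222222: names the caller as principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CALLER_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy attached to the caller in account 111111111111: permits the assume call.
CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}

def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def role_trusts_caller(trust_policy, caller_arn):
    """True if an Allow statement names caller_arn as an AWS principal for sts:AssumeRole."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if caller_arn in principals and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            return True
    return False

def caller_may_assume(caller_policy, role_arn):
    """True if an Allow statement grants sts:AssumeRole on role_arn (or on every resource)."""
    for st in caller_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        if "sts:AssumeRole" in _as_list(st.get("Action", [])) and \
                any(r in (role_arn, "*") for r in resources):
            return True
    return False

def check_cross_account_setup(caller_arn, role_arn, trust_policy, caller_policy):
    """Both halves must hold: the role trusts the caller AND the caller may assume the role."""
    return role_trusts_caller(trust_policy, caller_arn) and caller_may_assume(caller_policy, role_arn)
```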
 

The default credential provider chain looks for credentials in this order in the Runtime environment

  1. Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The AWS SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.
  2. Java system properties – aws.accessKeyId and aws.secretKey. The AWS SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.
  3. The default credential profiles file – typically located at ~/.aws/credentials (the location can vary per platform), and shared by many of the AWS SDKs and by the AWS CLI. The AWS SDK for Java uses the ProfileCredentialsProvider to load these credentials. You can create this credentials file with the aws configure command provided by the AWS CLI, or by editing the file with a text editor. For information about the credentials file format, see AWS Credentials File Format.
  4. Instance profile credentials – used on EC2 instances, and delivered through the Amazon EC2 metadata service. The AWS SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials.
For more details, please refer to the AWS documentation.

Note: The above procedure is supported only with the Amazon S3 Connector version 5.8.4 and below or version 6.2.0 and above.
Knowledge Article Number

001115075

Salesforce Help | Article