• Resolved akuzminsky

    (@akuzminsky)


    I’m evaluating W3 Total Cache for an S3-backed CDN. It looks like it supports it,
    but I have an issue using it.

    We use IAM roles so an EC2 instance has access to the CDN S3 bucket.

    The cache settings, however, require specific AWS credentials. Can I use
    an IAM instance profile with W3 Total Cache?

    Another problem I noticed: the cache seems to require permission to
    list all S3 buckets.

    Are there any guidelines on what permissions the AWS client should have to work
    with W3 Total Cache?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @akuzminsky

    Thank you for your inquiry and I am happy to assist you with this.
    Only GetObject should be public. You can check the example of how to set it up here
    IAM uses S3-all permissions for all operations, but if you specify the bucket yourself and don’t create it from W3 Total Cache, only read-write-list is enough for the specific bucket.
    I hope this helps!
    Thank you!

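Worked policy pair for the permission split described in the reply above: anonymous GetObject on objects only, and a read-write-list grant scoped to the one bucket for the identity the plugin runs as. This is an added example, not the plugin's documentation or anything posted in the thread. The bucket name example-cdn-bucket is a placeholder, s3:PutObjectAcl is included on the assumption that the plugin sets a public-read ACL on uploaded objects (drop it if it does not), and the two policy documents are shown under one wrapper object purely for presentation; each is attached separately.

```json
{
  "BucketPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadForCdnObjects",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-cdn-bucket/*"
      }
    ]
  },
  "InstanceRolePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListOnlyTheCdnBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::example-cdn-bucket"
      },
      {
        "Sid": "ReadWriteObjectsInCdnBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::example-cdn-bucket/*"
      }
    ]
  }
}
```

Attach BucketPolicy as the bucket policy and InstanceRolePolicy to the EC2 instance role (or to the IAM user whose keys are pasted into the settings page, if static keys are still in use). Because the bucket policy grants anonymous s3:GetObject, the bucket's Block Public Access settings must not block public bucket policies or S3 will reject the policy. Nothing here grants s3:ListAllMyBuckets or s3:CreateBucket, which is why the bucket has to exist before the plugin is pointed at it; the plugin's "list all buckets" behaviour mentioned in the opening post will fail with this policy, but uploads to the named bucket will not.
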
    Thread Starter akuzminsky

    (@akuzminsky)

    Hi Marko,

    Thank you for the response. That clarifies necessary permissions on the S3 bucket.

    I’d like to figure out the WTC configuration part.

    I run WordPress on an EC2 instance that has an instance profile with the necessary permissions. To access the S3 bucket, the aws cli tool, boto and similar libraries do not need an AWS access key; they get it from the instance metadata. That’s the whole point of using instance profiles.

    The plugin, however, requires specifying an AWS access key and secret. Are there any workarounds?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @akuzminsky

    Thank you for the information.
    There is no workaround. W3 Total Cache requires Access key ID: and Secret key: to connect to AWS.
    Thanks!

    @akuzminsky Actually, this is very easy.

    Find all mentions of this in the plugin:
    'credentials' => $credentials,

    and replace with
    #'credentials' => $credentials,

    And the AWS PHP SDK will default to the environment variables. I am doing this in my Fargate dockers.

    So, @vmarko, it would be great if you could support this by default. Basically, if no API key or secret is provided, then don’t use the $credentials variable and let it try the defaults. Pretty quick win.

    @vmarko is there any update on whether IAM role support will be added?

    This would be a big plus for many people as it’s far more secure and easier to manage. E.g. no chance of exposing secrets to malicious 3rd party code and no key rotation management required.

    Hi, @vmarko any update on IAM role support?

    @jfelient, you may replace $credentials = new \Aws\Credentials\Credentials(...); with $credentials = \Aws\Credentials\CredentialProvider::defaultProvider();
    That will let W3 use IAM Profile and ignore keys from the config page.


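The two patches suggested in this thread (commenting out the 'credentials' key so the SDK falls back to the environment, or swapping in CredentialProvider::defaultProvider()) can be folded into the single fallback an earlier reply asked for: use static keys when the settings page has them, otherwise let the SDK's default chain find the instance profile. The following is an added example written against the AWS SDK for PHP v3, not W3 Total Cache's own code; the function name w3tc_example_credentials, the $key_id / $secret variables, the region and the bucket name are placeholders standing in for whatever the plugin reads from its settings.

```php
<?php
// Added example (not W3 Total Cache code): choose a credential source for the
// AWS SDK for PHP v3 S3 client so that an EC2 instance profile, ECS task role
// or environment variables are used whenever no static keys are configured.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\S3\S3Client;

/**
 * Return the value to pass as the S3Client 'credentials' option.
 *
 * With both a key ID and a secret configured, static credentials are used
 * exactly as the plugin does today. With either one empty, the SDK's default
 * provider chain is returned instead; it consults, among other sources, the
 * AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables, the shared
 * ~/.aws/credentials file, the ECS container credential endpoint and the EC2
 * instance metadata service (instance profile), in that order of preference.
 *
 * @return Credentials|callable
 */
function w3tc_example_credentials(string $keyId, string $secret)
{
    if ($keyId !== '' && $secret !== '') {
        return new Credentials($keyId, $secret);
    }
    // memoize() caches the resolved credentials (and refreshes them when the
    // instance-profile token expires) instead of hitting the chain per request.
    return CredentialProvider::memoize(CredentialProvider::defaultProvider());
}

// Placeholder values; in the plugin these come from the settings page.
// Both empty means "no keys stored in the WordPress database".
$key_id = '';
$secret = '';

$s3 = new S3Client([
    'version'     => 'latest',
    'region'      => 'us-east-1',                      // assumed bucket region
    'credentials' => w3tc_example_credentials($key_id, $secret),
]);

// With instance-profile credentials and a bucket-scoped IAM policy this upload
// succeeds without any access key ever being written to the database.
$s3->putObject([
    'Bucket' => 'example-cdn-bucket',                   // assumed bucket name
    'Key'    => 'wp-content/uploads/example.txt',
    'Body'   => 'uploaded via instance profile credentials',
]);
```

One practical check after applying a change like this: run the upload with the settings-page fields blank and confirm in CloudTrail (or the S3 server access log) that the PutObject call's principal is the instance role's assumed-role session rather than an IAM user. If it still shows a user, the static keys are still reaching the client somewhere and the fallback is not in effect.
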
    Thanks, @mkostrikin!

    This is a good workaround for now but I do hope they setup IAM Role support in the near future.

  • The topic ‘IAM profile support’ is closed to new replies.