AWS IAM Instance Role Support?

#1

Phabricator currently requires hardcoding AWS key/secret data into its config files to interface with S3/SES. When will it support automatically fetching standard AWS Instance credentials via an IAM Role?

Right now we’re forced to manually create an IAM user one-off for Phabricator, then manually generate a key/secret to drop into a secret management system, which then gets inserted into the config files.

This method is harder to support with tools like CloudFormation/Terraform, and AWS best practices are to use IAM Roles everywhere practical. Most packaged software that might run on AWS supports using these credentials if available. GCE supports a similar scheme for providing instance credentials to running software, so it’s not as if this is a crazy Amazon-only method of providing credentials.

#2

> When will it support automatically fetching standard AWS Instance credentials via an IAM Role?

I’m not aware of any plans to do that.

If you look at https://secure.phabricator.com/book/phabricator/article/advanced_configuration/, there’s a way to load configurations from a PHP file; you can run whatever code you want there, including making API calls to AWS.

#3

See https://secure.phabricator.com/T5155.

If you still have a copy of the thread “Prioritization of AWS IAM instance profile support” from March 15th, 2017, that largely still applies.

#4

I have a custom S3/SES engine that uses the AWS SDK and supports instance profile credentials. See https://secure.phabricator.com/P2082 and https://secure.phabricator.com/P2083. You need to install and load the AWS SDK in order to use these extensions.

#5

The custom S3/SES engines that I mentioned here previously are going to be open-sourced in the next week and will be available at https://github.com/freelancer/phlab.