Uploaded image for project: 'Camel'
  1. Camel
  2. CAMEL-12907

AWS S3 assume role based access

    XMLWordPrintableJSON

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: camel-aws
    • Labels:
      None
    • Estimated Complexity:
      Moderate

      Description

      We have a springboot application where camel context is initialized. Now we have a rest endpoint which takes xml routes and add to context.

      Now, for a route consisting of an S3 endpoint, we need to pass Access Key and Secret Key for S3 access in component URI parameters but this is static in nature and will not solve our problem.

      So, another way provided by camel is to pass an S3 client as URI parameter which can be used for AWS S3 access. Now, this S3 client first needs to be created and added to the camel registry from where it can be referred by camel context.

      But, as per our architecture, we can't create this S3 client as part of the application. If we use this approach then we will have to create a whole new DSL in application which will take some AWS parameters and create and S3 client for us.

      Instead, what we want is that camel should provide a way to pass some URI parameters(in our case - Role ARN) to S3 component, which internally will generate an S3 client and use it for S3 access. So, in short we don't want to create our own DSL for this purpose but want camel to support this feature.

      Note: We know that camel internally supports creation of a client using the role assigned to the machine where camel is running. This works only when we have S3 bucket in the same AWS account where camel us running. But, if we want to access a cross account S3 bucket then we can't use this feature. We'll have to create our own client.

      Note 2: For a client assuming an AWS IAM role
          1. client first needs to have permission to assume this role
          2. the role should add this particular client in its trust relationship

      Catch: For enabling camel to support Role ARN as URI parameter for S3 component so that camel can internally create an S3 client, camel still needs some AWS credentials to assume this role. Now, camel doesn't have any AWS credentials set up internally, so we need to pass some credentials which can be used to assume the role we want to assume. That brings us to the same problem which we were trying to overcome in the first place.

       

        Attachments

        1. awsS3.xml
          0.3 kB
          VINEET GANDHI

          Activity

            People

            • Assignee:
              acosentino Andrea Cosentino
              Reporter:
              vgandhi1 VINEET GANDHI
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: