Support IAM Roles for Imageuploader S3 External Image Storage #6985

Closed
@randywallace

Description

  • What Grafana version are you using? 4.0.1
  • What datasource are you using? Cloudwatch / InfluxDB
  • What OS are you running grafana on? Docker
  • What did you do? Configure External Image Storage without AWS Credentials
  • What was the expected result? Failover to IAM Role in AWS SDK
  • What happened instead? Received error: lvl=eror msg="Failed to upload alert panel image." logger=alerting.notifier error="Could not find accessKey setting for image.uploader.s3"

Considering that the Cloudwatch Datasource Plugin already supports IAM Roles and that AWS Best Practices put a high amount of pressure upon using IAM Roles instead of AWS Credentials, I suspect this should be pretty easy to fix as the AWS SDK for Go quite easily provides IAM Role support in the Credential provider.

Relevant code portion:

accessKey := s3sec.Key("access_key").MustString("")

https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/

https://github.com/aws/aws-sdk-go/blob/master/example/service/s3/listObjects/listObjects.go#L29

Heck, all the work was already done for this on the cloudwatch datasource plugin.. https://github.com/grafana/grafana/blob/master/pkg/api/cloudwatch/cloudwatch.go#L144

Unfortunately, I am not (nor am I willing to be) a Golang dev; although I can't provide a PR to go with this, I kindly ask that you guys put this on the roadmap in order to make IAM management for us DevOps / SecDevOps guys in AWS-land more manageable and to make our Accounts more secure!
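The fallback requested above, as an added sketch that is not part of the original report and is neither Grafana's nor the AWS SDK's code: configured keys are tried first, then the environment, then the instance role, so an empty `access_key` is no longer a fatal error. `Creds`, `Provider`, `Static`, `Env`, `Role` and `Resolve` are hypothetical names, the role lookup is a stub standing in for the instance metadata call, and the key values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Creds is a resolved key pair plus the name of the provider that supplied it.
type Creds struct{ AccessKey, SecretKey, Source string }

// Provider is a hypothetical type modelled on the idea of an SDK credential provider.
type Provider struct {
	Name string
	Get  func() (accessKey, secretKey string)
}

// Static serves access_key/secret_key from the uploader config; empty means unset.
func Static(ak, sk string) Provider {
	return Provider{"static", func() (string, string) { return ak, sk }}
}

// Env reads the standard AWS variables through an injectable lookup (os.Getenv in practice).
func Env(get func(string) string) Provider {
	return Provider{"env", func() (string, string) {
		return get("AWS_ACCESS_KEY_ID"), get("AWS_SECRET_ACCESS_KEY")
	}}
}

// Role wraps fetch, a stand-in for the instance role lookup (session token omitted for brevity).
func Role(fetch func() (string, string)) Provider { return Provider{"iam-role", fetch} }

// Resolve returns the first complete key pair in the chain; a provider with
// nothing configured is skipped instead of aborting the upload.
func Resolve(chain ...Provider) (Creds, error) {
	for _, p := range chain {
		if ak, sk := p.Get(); ak != "" && sk != "" {
			return Creds{AccessKey: ak, SecretKey: sk, Source: p.Name}, nil
		}
	}
	return Creds{}, errors.New("no provider in the chain returned credentials")
}

func main() {
	noEnv := func(string) string { return "" }                                  // constructed: nothing exported
	role := func() (string, string) { return "ASIACONSTRUCTED", "constructed" } // constructed role keys
	c, err := Resolve(Static("", ""), Env(noEnv), Role(role))
	fmt.Println(c.Source, err)
}
```

In aws-sdk-go the same ordering is expressed with `credentials.NewChainCredentials` over `StaticProvider`, `EnvProvider` and `ec2rolecreds.EC2RoleProvider`.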
