This is Yum plugin that lets you use private S3 buckets as package repositories. Plugin uses AWS Identity and Access Management (IAM) roles for authorization, so you do not need to enter your access/secret key pair anywhere in configuration.
Roles can be assumed by AWS EC2 instances to gain special permissions. About how it works I suggest you dig through docs.
What is important for us: when you assign role to an EC2 instance, a constantly rotated (by AWS) access credentials become available for access within the instance. This means you don't need to store them anywhere, to change and/or rotate them, and you have a fine-grain control on what actions can be made using those credentials.
This is a rough description:
- Create IAM Role (e.g. 'applicationserver') and set a policy that gives s3:GetObject permissions to that role.
- Launch instances with this role assigned (this is very important, read below).
- Inside the instance:
- Copy
s3iam.pyto/usr/lib/yum-plugins/ - Copy
s3iam.confto/etc/yum/pluginconf.d/ - Configure your
iamrolefor your repository as in examples3iam.repofile.
- Copy
If you forget to assign a role or run this code on non EC2 instance, nothing disastrous will happen, but you will see errors saying that the plugin was unable to connect to S3 repository.
The tests will fail, except maybe for the aws signature generation test. And although this code successfully runs on a live machine, I would like some advice of how I could write tests for Yum plugin/AWS API consumer like this one.
Apache 2.0 license. See LICENSE.
- Julius Seporaitis
- Robert Melas' code was used as a reference. See NOTICE.