by Mutjake 1345 days ago
Hindsight is 20/20, but definitely one of those places where flat out giving the credentials should not even be an option (or it should be made artificially tedious and/or explicitly clear that it’s a bad idea by e.g. naming the param _this_is_a_bad_idea_use_credentials_file_instead_secret_key or so). Of course there are always edge cases in the vein of running notebooks in containers (probably not an optimal example, but some edge case like that) where you might need the escape hatch of embedding the credentials straight to the code.

But yeah, if the wrong thing is easier or more straightforward than the right way, people tend to follow it when they have a deadline to meet. To end on a positive note, at least cli v2 makes bootstrapping the credentials to a workstation a tad easier!

I remember a Rust AWS library worked like you describe (an old version of rusoto, I think, deprecated now).

I wasn't familiar with how AWS credentials are usually managed so I was very confused why I had to make my own struct and implement the `CredentialSource` trait on it. It felt like I was missing something... because I was. You're not supposed to enter the credentials directly, you're supposed to use the built-in EnvCredentialSource or whatever.

> at least cli v2 makes bootstrapping the credentials to a workstation a tad easier!

I know I should know this seeing that I work in ProServe at AWS, but what do you mean?

I’m going to say there is never a use case for embedding credentials just so I can invoke Cunningham’s Law on purpose.

But when I need to test something in Docker locally I do

    docker run -e AWS_ACCESS_KEY_ID=<your_access_key> -e AWS_SECRET_ACCESS_KEY=<your_secret_key> -e AWS_DEFAULT_REGION=<aws_region> <docker_image_name>

And since you should be using temporary access keys anyway that you can copy and paste from your standard Control Tower interface, it’s easy to pass those environment variables to your container.

I meant the aws configure import which they added — point it to the credentials csv and the cli handles adding the entry to the credentials file.

Sometimes you might need to use stuff that for some reason fails to use the envars, I think I’ve bumped into some stuff which reads s3 via self-rolled http calls. Dunno if it was to save from having boto as a dependency, but those things are usually straightforwardly engineered so no logic in figuring out the other, more smart ways to handle the keys. Here are the parameter slots, enter keys to continue.
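The two mechanisms the thread favours over pasting keys into code, written out as an added example (not code from the thread or from any AWS SDK): a minimal provider chain that checks the same environment variables the docker run line sets and then falls back to a profile in the credentials file, plus the CSV-to-profile step that aws configure import performs. The sample file, the CSV column names and every key value are constructed; the CSV header is an assumption about the console export, not something the thread states.

```python
import configparser
import csv
import io
from typing import Dict, Optional

# Constructed sample in the INI layout of the shared credentials file (fake keys).
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT000
aws_secret_access_key = example-default-secret

[dev]
aws_access_key_id = AKIAEXAMPLEDEV0000000
aws_secret_access_key = example-dev-secret
aws_session_token = example-dev-session-token
"""

# Constructed sample of a downloaded key CSV; header names are an assumption.
SAMPLE_CSV = ("User Name,Access key ID,Secret access key\r\n"
              "ci-user,AKIAEXAMPLECSV0000000,example-csv-secret\r\n")


def from_env(env: Dict[str, str]) -> Optional[Dict[str, str]]:
    # First link: the variables a `docker run -e ...` line injects.
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if not key or not secret:
        return None
    creds = {"access_key": key, "secret_key": secret, "source": "env"}
    if env.get("AWS_SESSION_TOKEN"):  # temporary keys carry a session token
        creds["session_token"] = env["AWS_SESSION_TOKEN"]
    return creds


def from_credentials_file(text: str, profile: str) -> Optional[Dict[str, str]]:
    # Second link: a named profile section in the credentials file.
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(profile):
        return None
    sec = parser[profile]
    creds = {"access_key": sec["aws_access_key_id"],
             "secret_key": sec["aws_secret_access_key"], "source": f"file:{profile}"}
    if "aws_session_token" in sec:
        creds["session_token"] = sec["aws_session_token"]
    return creds


def resolve_credentials(env: Dict[str, str], file_text: str) -> Optional[Dict[str, str]]:
    # The chain has no parameter for literal keys: env wins, then the file, else None.
    return from_env(env) or from_credentials_file(file_text, env.get("AWS_PROFILE", "default"))


def profile_from_csv(csv_text: str, profile: str) -> str:
    # What the import step does: turn one CSV key row into a profile block to append.
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) != 1:
        raise ValueError("expected exactly one key row in the CSV")
    row = rows[0]
    return (f"[{profile}]\naws_access_key_id = {row['Access key ID']}\n"
            f"aws_secret_access_key = {row['Secret access key']}\n")
```

Because `resolve_credentials` only ever consults the environment and the file, a library built on it has no "enter keys to continue" slot, which is the design property the thread is asking for.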