Sending data to S3 required hard-coded access keys. Why not IAM ROLES?

  • 23 September 2019
  • 3 replies


According to this doc we need AWS Access Keys and Secret Keys:

All of our infrastructure in AWS uses IAM Roles.

We don’t have any Access Keys or Secret keys anywhere (for security purposes, mostly)

Is there a way to use IAM Roles to send data to s3?


We also use AWS IAM Roles for user accounts. However, when a system (Docker container) is accessing S3 buckets, we use service accounts that are not role-based. We have service accounts for Looker, ETL, etc. so that we can lock down those services using the AWS CLI. I am not sure if this helps, but it did work for us.


Thanks @miben! That’s exactly what we are doing, once we realized Looker instances were not using IAM Roles.

Using an IAM “service” user’s access/secret key pair is still far less secure than using an IAM role principal because you can’t control from where a key pair is used, whereas you can do that directly in an IAM role’s trust statement. So if the key pair were to be compromised, it could be used elsewhere, like on another host, to leverage the same permissions in a malicious way.

It would be far more secure if Looker were to support assuming an IAM role that we would configure instead of a key pair.
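As an added illustration of the point made above (this is not from the original thread or from Looker's documentation): an S3 bucket policy that lets the instance role write exports, but denies any write that does not arrive through the account's VPC endpoint, so the same credentials replayed from another host get AccessDenied. The account ID, role name, bucket name and VPC endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLookerInstanceRoleToWrite",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/LookerInstanceRole"
      },
      "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::EXAMPLE-LOOKER-EXPORT-BUCKET/*"
    },
    {
      "Sid": "DenyWritesNotFromVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::EXAMPLE-LOOKER-EXPORT-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE0123456789"
        }
      }
    }
  ]
}
```

Because the Deny statement matches every principal, operators who legitimately write to the bucket from outside the VPC must be excluded explicitly (for example with an additional `aws:PrincipalArn` condition) before this policy is applied.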