Using IAM Instance Role Credentials for GitLab Backup S3 Storage
Description
Update use of fog in GitLab's code for backups to use Fog's built-in credential fetching capabilities.
Proposal
Currently, configuration of GitLab backup requires configuration of access keys and tokens. The library that is used, fog, supports AWS EC2's built-in credential fetching.
Ideally, GitLab would not require configured credentials, but would be able to use Fog's built-in credential fetching.
Consider the configuration stanza:
gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'region' => 'us-east-1',
  'aws_access_key_id' => 'AKIA...',
  'aws_secret_access_key' => 'VALUE'
}
It would be easier and more secure to be able to do the following:
gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'region' => 'us-east-1',
  'use_iam_profile' => true
}
Links / references
Use cases
This makes things more secure because credentials are leased, provided by the EC2 instance in combination with IAM and the EC2 instance role. Admins would not have to rotate access keys and tokens as is required in security frameworks like PCI.
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
- Support for the use_iam_profile option from Fog
- Documentation
- Added to features.yml
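As an added example (not code from GitLab or Fog), a small Ruby check that audits a backup_upload_connection hash like the two stanzas in the proposal for static keys left in the configuration. The function name audit_backup_connection and the finding messages are hypothetical.

```ruby
# Added example: audit a backup_upload_connection hash for static AWS credentials.
# audit_backup_connection and the finding strings are hypothetical names.

STATIC_KEYS = %w[aws_access_key_id aws_secret_access_key].freeze

def audit_backup_connection(conn)
  conn = conn.transform_keys(&:to_s) # accept string or symbol keys
  findings = []
  return findings unless conn['provider'].to_s.casecmp?('AWS')

  present = STATIC_KEYS.reject { |k| conn[k].to_s.empty? }
  iam = conn['use_iam_profile'] == true

  unless present.empty?
    findings << "static credentials in config: #{present.join(', ')}"
    # AKIA marks a long-term IAM user key; ASIA marks temporary STS credentials.
    if conn['aws_access_key_id'].to_s.start_with?('AKIA')
      findings << 'long-term access key (AKIA prefix) requires manual rotation'
    end
  end
  findings << 'use_iam_profile is not enabled' unless iam
  if iam && !present.empty?
    findings << 'use_iam_profile is set but static keys remain on disk'
  end
  findings
end

# Constructed inputs: the two stanzas from the proposal.
STATIC_CONN = {
  'provider' => 'AWS', 'region' => 'us-east-1',
  'aws_access_key_id' => 'AKIA...', 'aws_secret_access_key' => 'VALUE'
}.freeze
ROLE_CONN = {
  'provider' => 'AWS', 'region' => 'us-east-1', 'use_iam_profile' => true
}.freeze

if __FILE__ == $PROGRAM_NAME
  { 'static' => STATIC_CONN, 'role' => ROLE_CONN }.each do |name, conn|
    results = audit_backup_connection(conn)
    puts "#{name}: #{results.empty? ? 'ok' : results.join('; ')}"
  end
end
```

An empty result means the stanza relies only on the instance role; any finding names what still needs to be removed from gitlab.rb.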