A question: if I run the conversion cloud product self-hosted as a docker container in my AWS account, it’s my preference to grant access to the container in question to access the S3 buckets via ecs metadata, rather than by a separate key. Is this supported? i.e. if I pass S3_STORAGE_BUCKET but do not pass S3_STORAGE_ACCESS_KEY or S3_STORAGE_SECRET_KEY, will the code correctly rely on the aws credentials chain, using the metadata service to obtain its credentials?
Hi @cpopetz ,
According to documentation, yes, the approach described is supported by the AWS SDK for .NET, which uses the AWS credentials chain to obtain credentials. If S3_STORAGE_ACCESS_KEY and S3_STORAGE_SECRET_KEY are not provided, the SDK will fall back to using other sources in the credentials chain, such as the ECS metadata service, IAM roles, or the shared credentials file.
But for now, conversion cloud product self-hosted as a docker container, do not support unset values of any credentials - it will throw an exception.
Please confirm that you are ready to wait some time - and we make a hotfix that will adjust the code to handle the case where apiKey or apiSecret is null or empty, we can deliver fixed image next week, I think.
@cpopetz
We have opened the following new ticket(s) in our internal issue tracking system and will deliver their fixes according to the terms mentioned in Free Support Policies.
Issue ID(s): CONVERSIONCLOUD-603
Hi Sergei,
That would be great, the timeline is fine because we can’t go live with this anyway until CONVERSIONCLOUD-599 is fixed (the http_only issue).
Thank you for the proposed fix!
-Clint
Hi, yes, CONVERSIONCLOUD-599 is still not fixed.
We have updated the image groupdocs/conversion-cloud:latest and made S3_STORAGE_ACCESS_KEY and S3_STORAGE_SECRET_KEY optional. Althought, we did not test how it works with AWS credentials chain, you can try this now. Please follow these recommendations:
- Your ECS task definition specifies a task role that grants access to the desired S3 bucket.
- The container is running in an environment where the ECS metadata service is accessible.
- Only provide
S3_STORAGE_BUCKETas an environment variable, and leaveS3_STORAGE_ACCESS_KEYandS3_STORAGE_SECRET_KEYunset.
This setup will allow conversion-cloud instance to automatically use the ECS task role credentials through the AWS credentials chain.
We also have another tag: alpine and it’s not updated, please notify if you are using this tag instead of latest.
I will look forward your feedback about using AWS credentials chain.
Thanks Sergei, I will test the above change this week. Do you have an estimate fix date on CONVERSIONCLOUD-599, so that we can schedule the release of our feature that depends on groupdocs?
-Clint
Hi, About CONVERSIONCLOUD-599, we found out that ‘useHttp’ flag is not set in self-hosted version to access AWS S3, so we use all default settings for AmazonS3Client, except that are passed in Env vars - bucket, region and api keys, so It should work by https too.
We will try to update AWSSDK, this may help