Support custom credential provider for AWS S3 endpoint
I would like to propose and enhancement to the AWS S3 endpoint to support custom credential providers.
Currently the S3 endpoint support static long living key pair option, EC2 IAM role option or a STS based option.
All of these options are not part of the security best practices at our enterprise.
We use Hashicorp Vault to provision temporary, short lived AWS credentials. The AWS S3 endpoint should fetching these temporary credentials from valut and should also support refreshing the credentials seamlessly. The temporary credentials have a session token along with the access key and secret key.
The credential addon will not work for us as it would still require provisioning long-living AWS secret key and access key pair - which is against our security best practices.
We need the ability to integrate a custom credential provider for AWS. Check "Specifying a Credential Provider or Provider Chain" and "Explicitly Specifying Credentials" sections in this AWS documentation. Note: I am providing Java sdk example as it is the best documented.
In our case, we would need the ability to return something similar to BasicSessionCredentials and expect Replicate to understand it and refresh it once the credentials are nearing expiry. The interface exposed by Replicate would look something similar to AWSRefreshableSessionCredentials.
NOTE: Upon clicking this link 2 tabs may open - please feel free to close the one with a login page. If you only see 1 tab with the login page, please try clicking this link first: Authenticate me! then try the link above again. Ensure pop-up blocker is off.
