Qlik Community

Suggest an Idea

Vote for your favorite Qlik product ideas and add your own suggestions.

Announcements
QlikWorld 2022, LIVE in Denver CO., May 16-19, 2022. REGISTER NOW TO RECEIVE EARLY BIRD PRICING

Support custom credential provider for AWS S3 endpoint

Prabodh
Creator
Creator

Support custom credential provider for AWS S3 endpoint

I would like to propose and enhancement to the AWS S3 endpoint to support custom credential providers.

Currently the S3 endpoint support static long living key pair option, EC2 IAM role option or a STS based option.

All of these options are not part of the security best practices at our enterprise.

We use Hashicorp Vault to provision temporary, short lived AWS credentials. The AWS S3 endpoint should fetching these temporary credentials from valut and should also support refreshing the credentials seamlessly. The temporary credentials have a session token along with the access key and secret key.

2 Comments
Shelley_Brennan
Employee
Employee

Thank you for the suggestion.  We would like to collect feedback from others on direct integration with Hashicorp Vault.

We do provide a method for integration with external credentials, though it is not optimized for short-lived credentials: https://help.qlik.com/en-US/replicate/November2020/Content/Replicate/Main/Security/external_credenti...

 

Status changed to: Open - Collecting Feedback
Prabodh
Creator
Creator

Hi Shelley,

The credential addon will not work for us as it would still require provisioning long-living AWS secret key and access key pair - which is against our security best practices.

We need the ability to integrate a custom credential provider for AWS. Check "Specifying a Credential Provider or Provider Chain" and "Explicitly Specifying Credentials" sections in this AWS documentation. Note: I am providing Java sdk example as it is the best documented.

In our case, we would need the ability to return something similar to BasicSessionCredentials and expect Replicate to understand it and refresh it once the credentials are nearing expiry. The interface exposed by Replicate would look something similar to AWSRefreshableSessionCredentials.