Hi there,
First off, thanks for the great work—Carbone.io is running smoothly on our on-premise setup!
We're currently using Terraform to deploy an ECS service along with its associated s3_bucket. As part of this setup, we create an aws_iam_access_key to inject credentials into the service via environment variables.
We'd like to improve security and simplify our infrastructure by removing the use of aws_iam_access_key, and instead rely on the ECS task role with the appropriate IAM policy attached for S3 access.
However, when we remove the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables—or even set them to dummy values—the service fails with a 502 error when making a request to the Carbone API.
In other ECS-based services we run, we use S3 clients without explicitly setting access keys, and they work correctly via the IAM role attached to the task. This makes us think the issue might come from how Carbone handles AWS credentials internally.
Is there a known workaround for this, or any plans to support IAM roles for ECS tasks without relying on explicit access keys?
Thanks again for your work!
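The target setup described in the post, written out as an added Terraform example; it is not part of the original post and not Carbone's own configuration. The resource names, bucket name, image and memory value are placeholders, and whether Carbone picks up task-role credentials remains the open question raised above.

```hcl
# Added example: all names and values below are constructed placeholders.
resource "aws_s3_bucket" "carbone" {
  bucket = "carbone-renders-example"
}

# Trust policy: only ECS tasks may assume this role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "carbone_task" {
  name               = "carbone-task"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Least privilege: object access inside this one bucket, plus listing it.
data "aws_iam_policy_document" "s3" {
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.carbone.arn}/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.carbone.arn]
  }
}

resource "aws_iam_role_policy" "carbone_s3" {
  name   = "carbone-s3"
  role   = aws_iam_role.carbone_task.id
  policy = data.aws_iam_policy_document.s3.json
}

# The task role replaces aws_iam_access_key: the container definition has
# no AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY entries in "environment".
resource "aws_ecs_task_definition" "carbone" {
  family        = "carbone"
  task_role_arn = aws_iam_role.carbone_task.arn
  container_definitions = jsonencode([{
    name      = "carbone"
    image     = "example/carbone:placeholder"
    essential = true
    memory    = 512
  }])
}
```

AWS SDK default credential chains check the environment variables before the container credential endpoint, so a dummy `AWS_ACCESS_KEY_ID` left in place is used in preference to the task role.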