The S3 resource requires the creds (access key, secret key) to be passed in.
A client of mine needs an air-gap environment on a public cloud - gov instance. I know it sounds oxymoronic, but I can assure you, it is a valid case. We are using S3 as image store (no docker). The client also is very strict on security.
We had to modify the pipelines "assume role" on the fly. We also modified pipelines to use S3 for images (cflinuxfs2, ert etc). It works.
One caveat though, we still have to provide the access key and secret key in the params that allow access to the S3 bucket, which includes the bucket to hold Terraform state. Passing these creds is against the client's security procedures.
So, was wondering, if there is a way to not pass the creds on S3 resource but leverage it at runtime?
You can set up a credentials manager (e.g. CredHub, Vault) and store the parameters there to be injected at runtime. This tutorial explains how to do it with CredHub.
A request for a Vault tutorial has been created on the tutorial GitHub page, so you might also want to follow that issue for updates.