In the past I opened a minio client inside my JavaScript app with a technical user to access S3. This was working very well. Now I want to make the app more secure. My app is running inside an ECS cluster on a Fargate service/task.
I have a task role with "S3 Full Access" that was given to the bucket with s3Bucket.grantReadWrite(props.role);
I assume that the task role with S3 Full Access can access the bucket without the access key and secret key of the technical user.
I try to use the function "AssumeRoleProvider". But I am confused how to get the webIdentityToken, and why does the function also request an access key and secret key?
My task role has sts:AssumeRole in Trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The attached image shows what I currently try to use.
I think the approach to access S3 from an ECS task is wrong. Does anybody have a hint or a weblink where I can see how this has to work?