https://github.com/verygoodsecurity/aws-maven

Fork to add support for assumed roles
aws maven pom s3 team-vault

Last synced: 3 months ago
README


# AWS Maven Wagon

[![CircleCI](https://circleci.com/gh/verygoodsecurity/aws-maven.svg?style=svg)](https://circleci.com/gh/verygoodsecurity/aws-maven)

This project is a fork of [https://github.com/spring-projects/aws-maven](https://github.com/spring-projects/aws-maven) that
adds support for assumed IAM roles, made to support development and operations at Very Good Security (VGS). No guarantees
are made about support for or updates to the component, but as long as we are actively using it we will update it as we need to.

## Building and deploying this wagon

```bash
mvn install

mvn deploy
```

## Usage
To publish Maven artifacts to S3, a build extension must be defined in the project's `pom.xml`. The latest released version of
the wagon can be found on Maven Central (https://search.maven.org/).

Add the extension to your `pom.xml`:

```xml
<project>
  ...
  <build>
    ...
    <extensions>
      ...
      <extension>
        <groupId>io.vgs.tools</groupId>
        <artifactId>aws-maven</artifactId>
        <version>1.4.5</version>
      </extension>
      ...
    </extensions>
    ...
  </build>
  ...
</project>
```

With the extension in place the build can both resolve dependencies from and publish to `s3://` repositories.

Once the build extension is configured, distribution management repositories can be defined in the `pom.xml` with an `s3://` scheme
(`BUCKET` below is a placeholder for the name of your S3 bucket):

```xml
<project>
  ...
  <distributionManagement>
    <repository>
      <id>aws-release</id>
      <name>AWS Release Repository</name>
      <url>s3://BUCKET/release</url>
    </repository>
    <snapshotRepository>
      <id>aws-snapshot</id>
      <name>AWS Snapshot Repository</name>
      <url>s3://BUCKET/snapshot</url>
    </snapshotRepository>
  </distributionManagement>
  ...
</project>
```

Finally, `~/.m2/settings.xml` can be updated to include the access key and secret key for the account, using the same `id`
values as the repositories above. The access key ID goes in the `username` element and the secret access key in the
`password` element. Note that this stores long-lived keys in plaintext on the build machine; prefer the profile and
assumed-role mechanism described below where you can, and in any case scope the IAM identity to the bucket it needs.

```xml
<settings>
  ...
  <servers>
    ...
    <server>
      <id>aws-release</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    <server>
      <id>aws-snapshot</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    ...
  </servers>
  ...
</settings>
```

Alternatively, the access key and secret key for the account can be provided through

* the `AWS_ACCESS_KEY_ID` (or `AWS_ACCESS_KEY`) and `AWS_SECRET_KEY` (or `AWS_SECRET_ACCESS_KEY`) [environment variables][env-var]
* the `aws.accessKeyId` and `aws.secretKey` [system properties][sys-prop]
* the Amazon EC2 [Instance Metadata Service][instance-metadata]
* a named profile in `~/.aws/credentials` (selected with the `AWS_PROFILE` environment variable)

To publish through an assumed role (the feature this fork adds), make sure your `~/.aws/credentials` looks like this, with
the long-lived keys in a source profile and the role to assume in a second profile that points back to it:

```config
[root]
aws_access_key_id = AKIAxxxx
aws_secret_access_key = asdfcvbn1234
[impersonated-profile]
# account IDs are 12 digits
role_arn = arn:aws:iam::123456789012:role/CrossAccountSignIn
source_profile = root
```

You can then build and install with `AWS_PROFILE=impersonated-profile AWS_REGION=us-west-2 mvn clean install`.

#### Config precedence

1. Environment variables are used if they are set.
2. Otherwise the profile in the credentials file is used.
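The following pre-flight check is an added example, not part of the aws-maven project. Before running `mvn` it walks the `source_profile` chain of the profile you intend to pass in `AWS_PROFILE`, rejects a missing profile, a chain loop or a `role_arn` that is not of the form `arn:aws:iam::<12-digit account>:role/<name>`, and reports which credential source the precedence rule above will select. The credentials file path and profile names are parameters; the sample file written at the bottom is constructed with placeholder values, not real keys.

```shell
#!/bin/sh
# Added example (not aws-maven code): pre-flight check for an assumed-role profile
# chain in an INI-style AWS credentials file. Paths and profile names are assumed.

# profile_key FILE PROFILE KEY: print the value of KEY inside [PROFILE], or nothing.
profile_key() {
  awk -v p="$2" -v k="$3" '
    /^[[:space:]]*\[/ { s = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s); cur = s; next }
    cur == p && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
    }' "$1"
}

# resolve_chain FILE PROFILE: follow role_arn/source_profile links down to a profile
# holding static keys. Returns 0 and prints the chain; 1 for a missing profile,
# missing link or loop; 2 for a malformed role_arn.
resolve_chain() {
  file=$1; prof=$2; seen=""
  while :; do
    case " $seen " in *" $prof "*) echo "source_profile loop at $prof" >&2; return 1 ;; esac
    seen="$seen $prof"
    grep -q "^[[:space:]]*\[$prof\][[:space:]]*$" "$file" || { echo "missing profile: $prof" >&2; return 1; }
    role=$(profile_key "$file" "$prof" role_arn)
    if [ -n "$role" ]; then
      # a role ARN carries a 12-digit account ID: arn:aws:iam::123456789012:role/Name
      case "$role" in
        arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) ;;
        *) echo "malformed role_arn in [$prof]: $role" >&2; return 2 ;;
      esac
      src=$(profile_key "$file" "$prof" source_profile)
      [ -n "$src" ] || { echo "[$prof] has role_arn but no source_profile" >&2; return 1; }
      echo "$prof -> assume $role via $src"
      prof=$src
      continue
    fi
    key=$(profile_key "$file" "$prof" aws_access_key_id)
    [ -n "$key" ] || { echo "[$prof] has neither role_arn nor aws_access_key_id" >&2; return 1; }
    # print only a key-ID prefix so the check never echoes a usable credential
    echo "$prof: static key $(printf '%.4s' "$key")..."
    return 0
  done
}

# credential_source: which source wins under the precedence rule (env vars first,
# then the profile named by AWS_PROFILE, falling back to "default").
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}${AWS_SECRET_KEY:-}" ]; then
    echo "env"
  else
    echo "profile:${AWS_PROFILE:-default}"
  fi
}

# Constructed sample credentials file with placeholder values (not real keys).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[root]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = placeholder-secret
[impersonated-profile]
role_arn = arn:aws:iam::123456789012:role/CrossAccountSignIn
source_profile = root
[broken]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = root
EOF

echo "credential source: $(credential_source)"
resolve_chain "$SAMPLE" impersonated-profile
resolve_chain "$SAMPLE" broken || echo "broken profile rejected (rc=$?)"
rm -f "$SAMPLE"
```

Run it against your real file with `resolve_chain ~/.aws/credentials impersonated-profile` before invoking `mvn`; a non-zero exit means the wagon would either fail to assume the role or, if static keys are also exported in the environment, silently publish with those instead of the role.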

## Making Artifacts Public
This wagon doesn't set an explicit ACL on each artifact it uploads. Instead you should create an AWS Bucket Policy to set
permissions on objects. A bucket policy can be set in the [AWS Console][console] and can be generated using the
[AWS Policy Generator][policy-generator].

To make the contents of a bucket public you need to add statements with the following details to your policy
(`BUCKET` is a placeholder for your bucket name). Be aware that a `*` principal with `s3:ListBucket` lets anyone
enumerate every artifact and version in the bucket, not just fetch known ones, and that the policy has no effect while
S3 Block Public Access is enabled on the bucket or account.

| Effect | Principal | Action | Amazon Resource Name (ARN) |
| ------- | --------- | --------------- | -------------------------- |
| `Allow` | `*` | `s3:ListBucket` | `arn:aws:s3:::BUCKET` |
| `Allow` | `*` | `s3:GetObject` | `arn:aws:s3:::BUCKET/*` |

If your policy is set up properly it should look something like this:

```json
{
  "Id": "Policy1397027253868",
  "Statement": [
    {
      "Sid": "Stmt1397027243665",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::BUCKET",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt1397027177153",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::BUCKET/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
```

If you prefer to use the [command line][cli], you can use the following script to make the contents of a bucket public:

```bash
BUCKET=
TIMESTAMP=$(date +%Y%m%d%H%M)
POLICY=$(cat<