Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/verygoodsecurity/aws-maven
Fork to add support for assumed roles
Last synced: 17 days ago
- Host: GitHub
- URL: https://github.com/verygoodsecurity/aws-maven
- Owner: verygoodsecurity
- License: apache-2.0
- Fork: true (Yleisradio/aws-maven)
- Created: 2017-03-30T20:25:29.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2024-12-20T15:58:13.000Z (about 2 months ago)
- Last Synced: 2024-12-20T16:45:10.845Z (about 2 months ago)
- Topics: aws, maven, pom, s3, team-vault
- Language: Java
- Homepage:
- Size: 306 KB
- Stars: 2
- Watchers: 4
- Forks: 6
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# AWS Maven Wagon
[![CircleCI](https://dl.circleci.com/status-badge/img/gh/verygoodsecurity/aws-maven/tree/master.svg?style=svg&circle-token=CCIPRJ_58VzfmroQGUTjfi2EWXPzX_ec80f0faa9c03a53752af0bf9c1e1777cdde9ca6)](https://dl.circleci.com/status-badge/redirect/gh/verygoodsecurity/aws-maven/tree/master)
This project is a fork of [https://github.com/spring-projects/aws-maven](https://github.com/spring-projects/aws-maven) to
support development and operations at Very Good Security (VGS). No guarantees are made for support or updating
the component, but as long as we are using it actively we will update it as we need it.

All operational details are available in [Compass](https://verygoodsecurity.atlassian.net/compass/component/adf2b946-e19c-4f93-b96b-2e6aa8bb322f).
## Building and deploying this wagon
```bash
mvn install
mvn deploy
```
## Usage
To publish Maven artifacts to S3, a build extension must be defined in a project's `pom.xml`. The latest version of the wagon can
be found in the Maven Central public repository: https://search.maven.org/

To get the dependency, add the following to your pom:
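```xml
<project>
  ...
  <build>
    ...
    <extensions>
      ...
      <extension>
        <groupId>io.vgs.tools</groupId>
        <artifactId>aws-maven</artifactId>
        <version>1.4.5</version>
      </extension>
      ...
    </extensions>
    ...
  </build>
  ...
</project>
```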
This then allows consuming dependencies from S3 repositories as well as publishing to S3 repositories.
Once the build extension is configured, distribution management repositories can be defined in the `pom.xml` with an `s3://` scheme.
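```xml
<project>
  ...
  <distributionManagement>
    <repository>
      <id>aws-release</id>
      <name>AWS Release Repository</name>
      <url>s3://<BUCKET>/release</url>
    </repository>
    <snapshotRepository>
      <id>aws-snapshot</id>
      <name>AWS Snapshot Repository</name>
      <url>s3://<BUCKET>/snapshot</url>
    </snapshotRepository>
  </distributionManagement>
  ...
</project>
```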
Finally, the `~/.m2/settings.xml` should be updated to include access and secret keys for the account. The access key should
be used to populate the `username` element, and the secret access key should be used to populate the `password` element.

```xml
<settings>
  ...
  <servers>
    ...
    <server>
      <id>aws-release</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    <server>
      <id>aws-snapshot</id>
      <username>0123456789ABCDEFGHIJ</username>
      <password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
    </server>
    ...
  </servers>
  ...
</settings>
```
Alternatively, the access and secret keys for the account can be provided using:
* `AWS_ACCESS_KEY_ID` (or `AWS_ACCESS_KEY`) and `AWS_SECRET_KEY` (or `AWS_SECRET_ACCESS_KEY`) [environment variables][env-var]
* `aws.accessKeyId` and `aws.secretKey` [system properties][sys-prop]
* The Amazon EC2 [Instance Metadata Service][instance-metadata]
* AWS-Profile (can be overridden with the `AWS_PROFILE` variable)

For IAM impersonation, make sure your `~/.aws/credentials` looks like this:
```config
[root]
aws_access_key_id = AKIAxxxx
aws_secret_access_key = asdfcvbn1234
[impersonated-profile]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = root
```

You can now install via `AWS_PROFILE=impersonated-profile AWS_REGION=us-west-2 mvn clean install`
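
A pre-flight check for the profile layout above, added here as an illustration and not part of the wagon's own code: it follows `source_profile` links from the profile named in `AWS_PROFILE` back to the profile holding static keys, and reports undefined profiles, cycles, and malformed `role_arn` values. The function name `resolve_chain`, the `orphan` and `loop` profiles, and the embedded sample file are constructed for the example, which assumes the `role_arn` plus `source_profile` layout shown.

```python
import configparser
import re

# Constructed sample: the first two profiles mirror the layout shown above;
# "orphan" and "loop" are hypothetical broken entries added for the check.
SAMPLE = """\
[root]
aws_access_key_id = AKIAxxxx
aws_secret_access_key = asdfcvbn1234
[impersonated-profile]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = root
[orphan]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = missing
[loop]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = loop
"""
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d+:role/.+$")

def resolve_chain(text, profile):
    """Follow source_profile links; return (chain, problems)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    chain, problems, seen, current = [], [], set(), profile
    while True:
        if current in seen:
            problems.append(f"cycle at profile '{current}'")
            break
        seen.add(current)
        if not cfg.has_section(current):
            problems.append(f"profile '{current}' is not defined")
            break
        sec = cfg[current]
        role, source = sec.get("role_arn"), sec.get("source_profile")
        chain.append((current, role))
        if role is None:
            # End of chain: this profile must hold the long-lived key pair.
            if not (sec.get("aws_access_key_id") and sec.get("aws_secret_access_key")):
                problems.append(f"profile '{current}' has no role_arn and no static keys")
            break
        if not ROLE_ARN.match(role):
            problems.append(f"profile '{current}' has a malformed role_arn")
        if source is None:
            problems.append(f"profile '{current}' sets role_arn without source_profile")
            break
        current = source
    return chain, problems
```

An empty `problems` list for `impersonated-profile` means the chain ends at a profile with a key pair; the last entry of `chain` names the profile whose long-lived keys the build ultimately depends on.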
#### Config precedence
1. Use environment variables if they exist
2. If environment variables don't exist, try to use config file

## Making Artifacts Public
This wagon doesn't set an explicit ACL for each artifact that is uploaded. Instead, you should create an AWS Bucket Policy to set
permissions on objects. A bucket policy can be set in the [AWS Console][console] and can be generated using the
[AWS Policy Generator][policy-generator].

In order to make the contents of a bucket public, you need to add statements with the following details to your policy:

| Effect  | Principal | Action       | Amazon Resource Name (ARN) |
| ------- | --------- | ------------ | -------------------------- |
| `Allow` | `*`       | `ListBucket` | `arn:aws:s3:::<BUCKET>`    |
| `Allow` | `*`       | `GetObject`  | `arn:aws:s3:::<BUCKET>/*`  |

If your policy is set up properly, it should look something like:
```json
{
  "Id": "Policy1397027253868",
  "Statement": [
    {
      "Sid": "Stmt1397027243665",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<BUCKET>",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    },
    {
      "Sid": "Stmt1397027177153",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
```

If you prefer to use the [command line][cli], you can use the following script to make the contents of a bucket public:
```bash
BUCKET=
TIMESTAMP=$(date +%Y%m%d%H%M)
POLICY=$(cat<