S3 Repository Plugin - Why both SecretAccess Key AND Role for calling Snapshot APIs?

titan1978 · February 27, 2018, 6:54pm

I've been going through quite a few tutorials on how to setup s3 plugin. HEre's one:

Configuring Elasticsearch to Use S3 for Snapshots | ObjectRocket

I completely get that we have to install Roles to allow the plugin on the master nodes to essentially write to the buckets. But the tutorials ALSO indicate when calling the _snapshot/ APIs, you need to pass the Secret Access Key and Access ID. What is the need (if at all) for passing in secret access keys when the EC2 Instances have been given the requisite roles?

PUT /_snapshot/s3_repository
{
  "type": "s3",
  "settings": {
    "bucket": "MYBUCKETNAME",
    "region": "us-east-1",
    "access_key": "KEY",
    "secret_key": "SECRET"
  }
}'

rjernst · February 27, 2018, 8:35pm

Passing the access/secret key is not required. If not specified, authentication will fallback to roles through EC2.

system · March 27, 2018, 8:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.