Greetings, is there currently any possibility to set automatic expiration for S3 secrets? I have tried to kinit as a Kerberos user, obtain secrets via ozone s3 getsecret and configure these secrets in the AWS CLI configuration. Afterwards I tried to remove my Kerberos ticket with kdestroy and I was still able to list the S3 gateway with the stored AWS credentials, which I'm not sure should work, but this is not my concern now. I can see the only way currently to revoke secrets is by issuing the ozone s3 revokesecret command. Is there any integration, for example with Apache Ranger or another tool, that could audit and control these secrets? Or is the only way currently to set up some custom cronjob? Thank you for the info.
Replies: 2 comments
There is support for storing the secrets with an external provider such as HashiCorp Vault. Ref: https://issues.apache.org/jira/browse/HDDS-8132
Hi @dzodzo666, currently TTL for S3 secrets is not supported yet. So yes, you can do this with a cronjob to revoke the secret at a desired frequency.
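A sketch of the cronjob approach suggested above, as an added example that is not part of the thread and not Ozone project code. It assumes a hypothetical registry file with one `user issued_epoch` line per issued secret, kept by whatever wrapper calls `ozone s3 getsecret`; the `-u` and `-y` options on `ozone s3 revokesecret` are also assumptions, so check the command's help output on your version.

```shell
#!/bin/sh
# Added example: TTL enforcement for Ozone S3 secrets, meant to run from cron.
# Assumption: the registry holds one "user issued_epoch" line per secret and is
# written by your own wrapper around `ozone s3 getsecret` (hypothetical file).

# Command used to revoke one user's secret; the user name is appended.
# -u (act on another user, admin only) and -y (no prompt) are assumed flags.
: "${REVOKE_CMD:=ozone s3 revokesecret -y -u}"

# expired_users REGISTRY TTL_SECONDS NOW_EPOCH
# Prints the users whose secret is older than the TTL. Lines with a missing
# or non-numeric timestamp are treated as expired, so the job fails closed.
expired_users() {
    awk -v ttl="$2" -v now="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        $2 !~ /^[0-9]+$/ || now - $2 >= ttl { print $1 }
    ' "$1"
}

# revoke_expired REGISTRY TTL_SECONDS [NOW_EPOCH]
# Revokes every expired secret and drops its registry entry only when the
# revoke command succeeded, so a failed revocation is retried on the next run.
revoke_expired() {
    registry=$1 ttl=$2 now=${3:-$(date +%s)}
    rc=0
    for user in $(expired_users "$registry" "$ttl" "$now"); do
        if $REVOKE_CMD "$user"; then
            awk -v u="$user" '$1 != u' "$registry" > "$registry.tmp" &&
                mv "$registry.tmp" "$registry"
            echo "revoked S3 secret for $user"
        else
            echo "FAILED to revoke S3 secret for $user" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed cron entry: 0 * * * * /usr/local/bin/s3-secret-ttl.sh --run
# The job needs a valid Kerberos ticket for an Ozone admin principal.
if [ "${1:-}" = "--run" ]; then
    revoke_expired "${REGISTRY:-/var/lib/ozone-s3-ttl/registry}" "${TTL_SECONDS:-86400}"
fi
```

A non-zero exit status means at least one revocation failed and its entry was kept, which is worth alerting on because that secret remains usable past its intended lifetime.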