
AWS S3: Rotated temporary AWS credentials are automatically used by Confluence

      Overview

      Confluence 8.1 introduced support for storing attachment data in Amazon S3. Confluence uses the AWS SDK for Java 2.x to communicate with Amazon S3, so it needs a means of authenticating with AWS. The SDK searches for credentials in your environment in a predefined sequence:

      1. Java system properties
      2. Environment variables
      3. Web identity token from AWS Security Token Service
      4. The shared credentials and config files (~/.aws/credentials)
      5. Amazon ECS container credentials
      6. Amazon EC2 instance profile credentials

      Limitation

      If you are using options 1, 2 or 4 with temporary credentials to authenticate to AWS, Confluence needs to be restarted every time these credentials are re-issued so that they are picked up and used.

      Workaround

      Do not use options 1, 2 or 4 with temporary credentials to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:
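
      An added example, not Atlassian's or the AWS SDK's code: a simplified Python model of the lookup order listed above that reports which source a node's settings would select and whether the restart limitation applies to it. The function names and the sample credentials file are constructed for illustration; the code only checks which settings are present and does not contact AWS.

```python
import configparser
import re

# Options 1, 2 and 4 are the sources the issue says needed a restart
# when temporary credentials were re-issued.
RESTART_OPTIONS = {1, 2, 4}

# Constructed sample of ~/.aws/credentials holding temporary credentials.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = ASIAEXAMPLEKEYID
aws_secret_access_key = exampleSecretKey
aws_session_token = exampleSessionToken
"""

def jvm_properties(jvm_args):
    """Extract -Dkey=value pairs from a JVM argument string."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", jvm_args))

def resolve_source(env, jvm_args="", credentials_text="", profile="default"):
    """Return (option, source, temporary) for the first matching source.

    Simplified model of the order in the issue, not the SDK's own logic.
    """
    props = jvm_properties(jvm_args)
    if "aws.accessKeyId" in props and "aws.secretAccessKey" in props:
        return 1, "Java system properties", "aws.sessionToken" in props
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return 2, "Environment variables", bool(env.get("AWS_SESSION_TOKEN"))
    if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN"):
        return 3, "Web identity token", True
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if parser.has_section(profile) and parser.has_option(profile, "aws_access_key_id"):
        temporary = parser.has_option(profile, "aws_session_token")
        return 4, "Shared credentials file", temporary
    if (env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
            or env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")):
        return 5, "ECS container credentials", True
    return 6, "EC2 instance profile credentials", True

def needs_restart_on_rotation(option, temporary):
    """True when the issue's limitation applies (releases without the fix)."""
    return temporary and option in RESTART_OPTIONS

if __name__ == "__main__":
    option, source, temporary = resolve_source({}, "", SAMPLE_CREDENTIALS)
    print(option, source, needs_restart_on_rotation(option, temporary))
```
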

            [CONFSERVER-81610] AWS S3: Rotated temporary AWS credentials are automatically used by Confluence

            dromanenko (Inactive) added a comment - A fix for this issue is available in Confluence Server and Data Center 8.1.4. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Yaroslava Derkach (Inactive) added a comment - A fix for this issue is available in Confluence Server and Data Center 8.2.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Dylan Rathbone added a comment (edited)

            Now, when using temporary credentials that expire, a new credential set can be issued and Confluence will utilise them without the need for a restart. 

            This fix, targeting 8.1.4 and 8.2.0, will be available once both respective releases are shipped.


              Assignee: Unassigned
              Reporter: Dylan Rathbone