Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-81610

AWS S3: Rotated temporary AWS credentials are automatically used by Confluence


    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.


      Confluence 8.1 introduced support for storing attachment data in Amazon S3. Confluence makes use of the AWS SDK for Java 2.x for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment using a predefined sequence, namely:

      1. Java system properties
      2. Environment variables
      3. Web identity token from AWS Security Token Service
      4. The shared credentials and config files (~/.aws/credentials)
      5. Amazon ECS container credentials
      6. Amazon EC2 instance profile credentials


      If you using options 1,2 or 4 with temporary credentials to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used. 


      Do not use options 1,2 or 4 with temporary credentials to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:

            Unassigned Unassigned
            b56a0fbdbbcd Dylan Rathbone
            2 Vote for this issue
            6 Start watching this issue