Suggestion
Resolution: Fixed
Overview
Confluence 8.1 introduced support for storing attachment data in Amazon S3. Confluence uses the AWS SDK for Java 2.x to communicate with Amazon S3, so it needs a means of authenticating with AWS. The SDK searches for credentials in your environment using a predefined sequence, namely:
1. Java system properties
2. Environment variables
3. Web identity token from AWS Security Token Service
4. The shared credentials and config files (~/.aws/credentials)
5. Amazon ECS container credentials
6. Amazon EC2 instance profile credentials
Limitation
If you are using options 1, 2 or 4 with temporary credentials to authenticate to AWS, Confluence needs to be restarted every time these credentials are re-issued so that the new credentials are picked up and used.
Workaround
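Do not use options 1, 2 or 4 with temporary credentials to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:
- Use IAM roles for applications and AWS services that require Amazon S3 access: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#roles
- Using an IAM role to grant permissions to applications running on Amazon EC2 instances: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html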
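A preflight check for the limitation above, added here as an example and not Atlassian's code: it reports which of options 1, 2 and 4 currently carry temporary credentials, recognised by the presence of a session token. It assumes the standard AWS SDK names `aws.sessionToken`, `AWS_SESSION_TOKEN` and `aws_session_token`, and that JVM arguments are available as one string; the function names and the sample profile are hypothetical.

```shell
#!/bin/sh
# Added example: flags options 1, 2 and 4 when they carry temporary
# credentials (a session token). Function names are hypothetical.

# Option 1: Java system properties. $1 = JVM argument string (assumed format).
has_sysprop_session_token() {
    case " $1 " in
        *" -Daws.sessionToken="*) return 0 ;;
    esac
    return 1
}

# Option 2: environment variables. $1 = value of AWS_SESSION_TOKEN (may be empty).
has_env_session_token() {
    [ -n "$1" ]
}

# Option 4: shared credentials file. $1 = file path, $2 = profile name.
has_profile_session_token() {
    [ -r "$1" ] || return 1
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_p = ($0 == want); next }
        in_p && /^[ \t]*aws_session_token[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Prints the option numbers that would need a Confluence restart on rotation.
flag_restart_dependent_sources() {
    jvm_opts=$1; env_token=$2; cred_file=$3; profile=${4:-default}
    flagged=""
    has_sysprop_session_token "$jvm_opts" && flagged="$flagged 1"
    has_env_session_token "$env_token" && flagged="$flagged 2"
    has_profile_session_token "$cred_file" "$profile" && flagged="$flagged 4"
    echo "${flagged# }"
}

# Constructed sample input (placeholder values, not real credentials).
sample=$(mktemp)
printf '%s\n' '[default]' 'aws_access_key_id = EXAMPLEKEY' \
    '[confluence]' 'aws_access_key_id = EXAMPLEKEY' \
    'aws_session_token = EXAMPLETOKEN' > "$sample"
echo "restart-dependent options: $(flag_restart_dependent_sources '-Xmx4g' '' "$sample" confluence)"
rm -f "$sample"
```

An empty result means none of the three sources supplies a session token, so rotation of temporary credentials through them is not in play on that host.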
- is resolved by: CONFSERVER-82499 AWS S3: Bulk Attachment operations - "Unable to execute HTTP request: Timeout waiting for connection from pool" - Closed
[CONFSERVER-81610] AWS S3: Rotated temporary AWS credentials are automatically used by Confluence
Remote Link | New: This issue links to "Page (Atlassian Documentation)" [ 761716 ] |
Remote Link | Original: This issue links to "Page (Confluence)" [ 729917 ] |
Fix Version/s | New: 8.1.4 [ 104809 ] | |
Fix Version/s | New: 8.2.0 [ 104098 ] | |
Resolution | New: Fixed [ 1 ] | |
Status | Original: Gathering Interest [ 11772 ] | New: Closed [ 6 ] |
Remote Link | New: This issue links to "Page (Atlassian Documentation)" [ 744676 ] |
Remote Link | Original: This issue links to "Page (Atlassian Documentation)" [ 744717 ] |
Remote Link | New: This issue links to "Page (Atlassian Documentation)" [ 744717 ] |
Link | New: This issue is resolved by |
Comment | [ A fix targeting {{8.1.4}} and {{8.2.0}} has been made and will be available once both respective releases are shipped. ] |
Description |
New:
*Overview*
Confluence {{8.1}} introduced support for storing attachment data in Amazon S3. Confluence makes use of the [AWS SDK for Java 2.x|https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/home.html] for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment [using a predefined sequence|https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html], namely:
# Java system properties
# Environment variables
# Web identity token from AWS Security Token Service
# The shared {{credentials}} and {{config}} files (~/.aws/credentials)
# Amazon ECS container credentials
# Amazon EC2 instance profile credentials
*Limitation*
If you are using options 1, 2 or 4 *with temporary credentials* to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used.
*Workaround*
Do not use options 1, 2 or 4 *with temporary credentials* to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:
* [Use IAM roles for applications and AWS services that require Amazon S3 access|https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#roles]
* [Using an IAM role to grant permissions to applications running on Amazon EC2 instances|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html] |
Security | Original: Atlassian Staff [ 10750 ] |