Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-81610

AWS S3: Rotated temporary AWS credentials are automatically used by Confluence

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Overview

      Confluence 8.1 introduced support for storing attachment data in Amazon S3. Confluence makes use of the AWS SDK for Java 2.x for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment using a predefined sequence, namely:

      1. Java system properties
      2. Environment variables
      3. Web identity token from AWS Security Token Service
      4. The shared credentials and config files (~/.aws/credentials)
      5. Amazon ECS container credentials
      6. Amazon EC2 instance profile credentials

      Limitation

      If you using options 1,2 or 4 with temporary credentials to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used. 

      Workaround

      Do not use options 1,2 or 4 with temporary credentials to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:

          Form Name

            [CONFSERVER-81610] AWS S3: Rotated temporary AWS credentials are automatically used by Confluence

            Wendy H made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 761716 ]
            Oksana Levchuk made changes -
            Remote Link Original: This issue links to "Page (Confluence)" [ 729917 ]
            Dylan Rathbone made changes -
            Fix Version/s New: 8.1.4 [ 104809 ]
            Fix Version/s New: 8.2.0 [ 104098 ]
            Resolution New: Fixed [ 1 ]
            Status Original: Gathering Interest [ 11772 ] New: Closed [ 6 ]
            Wendy H made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 744676 ]
            Wendy H made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 744717 ]
            Wendy H made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 744717 ]
            Dylan Rathbone made changes -
            Link New: This issue is resolved by CONFSERVER-82499 [ CONFSERVER-82499 ]
            Dylan Rathbone made changes -
            Comment [ A fix targeting {{8.1.4}} and {{8.2.0}} has been made and will be available once both respective releases are shipped.  ]
            Dylan Rathbone made changes -
            Description Original: *Overview*

            Confluence {{8.1}} introduced support for storing attachment data in Amazon S3. Confluence makes use of the [AWS SDK for Java 2.x|https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/home.html] for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment [using a predefined sequence|https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html], namely:
             # Java system properties
             # Environment variables
             # Web identity token from AWS Security Token Service
             # The shared {{credentials}} and {{config}} files (~/.aws/credentials)
             # Amazon ECS container credentials
             # Amazon EC2 instance profile credentials

            *Limitation*

            If you using options 1,2 or 4 *with temporary credentials* to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used. 

            *Workaround*

            Do not use options 1,2 or 4 *with temporary credentials* to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3{*}){*}. See the links below for more detail:
             * [Use IAM roles for applications and AWS services that require Amazon S3 access|https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#roles]
             * [Using an IAM role to grant permissions to applications running on Amazon EC2 instances|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html]
            New: *Overview*

            Confluence {{8.1}} introduced support for storing attachment data in Amazon S3. Confluence makes use of the [AWS SDK for Java 2.x|https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/home.html] for communicating with Amazon S3, as such it needs a means of authenticating with AWS. The SDK will search for credentials in your environment [using a predefined sequence|https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html], namely:
             # Java system properties
             # Environment variables
             # Web identity token from AWS Security Token Service
             # The shared {{credentials}} and {{config}} files (~/.aws/credentials)
             # Amazon ECS container credentials
             # Amazon EC2 instance profile credentials

            *Limitation*

            If you using options 1,2 or 4 *with temporary credentials* to authenticate to AWS, then Confluence will need to be restarted every time these credentials are re-issued so that they can be appropriately picked up and used. 

            *Workaround*

            Do not use options 1,2 or 4 *with temporary credentials* to authenticate with AWS. Preferably use option 6 (IAM roles for application access to S3). See the links below for more detail:
             * [Use IAM roles for applications and AWS services that require Amazon S3 access|https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#roles]
             * [Using an IAM role to grant permissions to applications running on Amazon EC2 instances|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html]
            Dylan Rathbone made changes -
            Security Original: Atlassian Staff [ 10750 ]

              Unassigned Unassigned
              b56a0fbdbbcd Dylan Rathbone
              Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: