This project is a fork from https://github.com/spring-projects/aws-maven to support development and operations at Very Good Security ( VGS ). No guarantees are made for support or updating the component, but as long as we are using it actively we will update it as we need it.
All operational details are available in Compass.
mvn install
mvn deploy
To publish Maven artifacts to S3 a build extension must be defined in a project's pom.xml
. The latest version of the wagon can
be found on Maven Central public repository https://search.maven.org/
To get the dependency add to your pom:
<project>
...
<build>
...
<extensions>
...
<extension>
<groupId>io.vgs.tools</groupId>
<artifactId>aws-maven</artifactId>
<version>1.4.5</version>
</extension>
...
</extensions>
...
</build>
...
</project>
This allows then using dependencies from s3 repositories as well as publish to s3 repositories.
Once the build extension is configured distribution management repositories can be defined in the pom.xml
with an s3://
scheme.
<project>
...
<distributionManagement>
<repository>
<id>aws-release</id>
<name>AWS Release Repository</name>
<url>s3://<BUCKET>/release</url>
</repository>
<snapshotRepository>
<id>aws-snapshot</id>
<name>AWS Snapshot Repository</name>
<url>s3://<BUCKET>/snapshot</url>
</snapshotRepository>
</distributionManagement>
...
</project>
Finally the ~/.m2/settings.xml
should be updated to include access and secret keys for the account. The access key should
be used to populate the username
element, and the secret access key should be used to populate the password
element.
<settings>
...
<servers>
...
<server>
<id>aws-release</id>
<username>0123456789ABCDEFGHIJ</username>
<password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
</server>
<server>
<id>aws-snapshot</id>
<username>0123456789ABCDEFGHIJ</username>
<password>0123456789abcdefghijklmnopqrstuvwxyzABCD</password>
</server>
...
</servers>
...
</settings>
Alternatively, the access and secret keys for the account can be provided using
AWS_ACCESS_KEY_ID
(orAWS_ACCESS_KEY
) andAWS_SECRET_KEY
(orAWS_SECRET_ACCESS_KEY
) environment variablesaws.accessKeyId
andaws.secretKey
system properties- The Amazon EC2 Instance Metadata Service
- AWS-Profile ( Can be overridden with
AWS_PROFILE
variable )
For IAM Impersonation make sure your ~/.aws/credentials
looks like this
[root]
aws_access_key_id = AKIAxxxx
aws_secret_access_key = asdfcvbn1234
[impersonated-profile]
role_arn = arn:aws:iam::1234567890:role/CrossAccountSignIn
source_profile = root
You can now install via AWS_PROFILE=impersonated-profile AWS_REGION=us-west-2 mvn clean install
- Use environment variables if they exist
- If environment variables don't exist, try to use config file
This wagon doesn't set an explict ACL for each artfact that is uploaded. Instead you should create an AWS Bucket Policy to set permissions on objects. A bucket policy can be set in the AWS Console and can be generated using the AWS Policy Generator.
In order to make the contents of a bucket public you need to add statements with the following details to your policy:
Effect | Principal | Action | Amazon Resource Name (ARN) |
---|---|---|---|
Allow |
* |
ListBucket |
arn:aws:s3:::<BUCKET> |
Allow |
* |
GetObject |
arn:aws:s3:::<BUCKET>/* |
If your policy is setup properly it should look something like:
{
"Id": "Policy1397027253868",
"Statement": [
{
"Sid": "Stmt1397027243665",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<BUCKET>",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "Stmt1397027177153",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<BUCKET>/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
If you prefer to use the command line, you can use the following script to make the contents of a bucket public:
BUCKET=<BUCKET>
TIMESTAMP=$(date +%Y%m%d%H%M)
POLICY=$(cat<<EOF
{
"Id": "public-read-policy-$TIMESTAMP",
"Statement": [
{
"Sid": "list-bucket-$TIMESTAMP",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::$BUCKET",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "get-object-$TIMESTAMP",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::$BUCKET/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
EOF
)
aws s3api put-bucket-policy --bucket $BUCKET --policy "$POLICY"