In the boot wiki ( https://github.com/boot-clj/boot/wiki/S3-Repositories ), it specifies that you can in-line AWS credentials for using S3 as a Maven repo. This is sub-optimal from a security perspective, because I don't want to check in AWS creds, even if they have limited permissions.
In leiningen with s3-wagon-private, you could specify the access key and secret key through environment variables with:
{:url "s3p://acme/repo/"
 :username :env
 :passphrase :env}
Or, from specific env variables, with:
{:url "s3p://acme/repo/"
 :username :env/aws_access_key_id
 :passphrase :env/aws_secret_access_key}
Or with a GPG encrypted ~/.lein/credentials.clj.gpg file with:
{:url "s3p://acme/repo/"
 :creds :gpg}
The push task in boot seems to support GPG encrypted credentials for deploying to Clojars ( https://github.com/boot-clj/boot/wiki/Deploying-with-Boot ) in $BOOT_HOME/credentials.clj.gpg. So, in general, boot supports GPG it would seem.
When I try either environment variable approach, I get the following error, suggesting this form of credentials is not supported:
java.lang.IllegalArgumentException: No matching ctor found for class org.sonatype.aether.repository.Authentication
...
cemerick.pomegranate.aether/set-authentication aether.clj: 165
cemerick.pomegranate.aether/make-repository aether.clj: 185
cemerick.pomegranate.aether/resolve-dependencies*/fn aether.clj: 712
...
The GPG approach seems to fail to pick up the credentials, and results in a 403 error from S3.
I could use (System/getenv "AWS_ACCESS_KEY_ID") to directly read in the env variables in the repository map I suppose, but I would rather use a supported mechanism if there is one. GPG-encrypted credentials would be the ideal solution for us if this can be achieved, from both a security perspective as well as having multiple S3 Wagons set up without juggling environment variables.
I'm using the latest Boot (2.4.2) on OS X El Capitan. GPG can decrypt the credentials successfully on the command line, even in quiet mode ( gpg --quiet --batch --decrypt ~/.boot/credentials.clj.gpg works). Putting the credentials directly in the repository map does work, and the same credentials.clj.gpg file works from lein. I am new to Boot though, so it's possible I'm missing something obvious!
Please update to Boot-clj 2.5.0, which has greatly simplified gpg signing and encrypting. It now leverages the gpg binary, and picks up your setup without further configuration.
GPG-encrypted credentials and environment variables are supported via the built-in configure-repositories! facility. It accepts a function that will operate on the repositories map. You can do whatever you want in the body as long as you return a repositories map.
So, in your case, for GPG-encrypted credentials:
(import 'java.io.File)

(configure-repositories!
  ;; Decrypt $BOOT_HOME/credentials.gpg once; the plaintext is EDN, read as a
  ;; map keyed by repository url.
  (let [creds-file (File. (boot.App/bootdir) "credentials.gpg")
        creds-data (gpg-decrypt creds-file :as :edn)]
    ;; Called for each repository map; merge in the credentials for its url.
    (fn [{:keys [url] :as repo-map}]
      (merge repo-map (creds-data url)))))
And for environment variables:
(configure-repositories!
  (fn [{:keys [url] :as repo-map}]
    ;; Pick the credentials by matching the repository url; :required makes
    ;; get-sys-env fail loudly if the variable is unset.
    (->> (condp re-find url
           #"^https://example\.org/repo"
           {:username (get-sys-env "EXAMPLE_USER" :required)
            :password (get-sys-env "EXAMPLE_PASS" :required)}
           #".*" nil)
         (merge repo-map))))
A good place to put this is in your boot.profile.
More information on the wiki
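For the S3 case from the question, here is an added example (not code from the question, the answer or the Boot project) of a profile snippet that combines the two mechanisms the answer describes: credentials from a GPG-encrypted EDN file take precedence, with the standard AWS_* environment variables as a fallback for any other s3:// or s3p:// repository. It assumes Boot 2.5+, where boot.core provides configure-repositories!, gpg-decrypt and get-sys-env (the one-argument form of get-sys-env is assumed to return the variable's value or nil), and it assumes the :username/:passphrase key names of the s3 wagon shown in the question. The repository URL, file name and variable names are placeholders.

```clojure
;; Added example for ~/.boot/profile.boot (assumptions noted in the lead-in).
;; Expected plaintext layout of ~/.boot/credentials.gpg, keyed by repo url:
;;   {"s3p://acme/repo/" {:username "<access-key-id>" :passphrase "<secret>"}}
(import 'java.io.File)

(defn- s3-repo? [url]
  (boolean (re-find #"^s3p?://" url)))

(defn- gpg-creds
  "Decrypt the credentials file once and return a map of url -> credential map.
   Returns an empty map if the file is absent so a missing file is not fatal."
  []
  (let [f (File. (boot.App/bootdir) "credentials.gpg")]
    (if (.exists f)
      (gpg-decrypt f :as :edn)
      {})))

(defn- env-creds
  "Fallback: the standard AWS variables from the environment. Returns nil when
   either is unset so the caller can tell 'nothing found' from 'found'."
  []
  (let [k (get-sys-env "AWS_ACCESS_KEY_ID")
        s (get-sys-env "AWS_SECRET_ACCESS_KEY")]
    (when (and k s) {:username k :passphrase s})))

(let [creds (gpg-creds)]
  (configure-repositories!
    (fn [{:keys [url] :as repo-map}]
      (cond
        ;; Credentials already present in the repo map win; never overwrite them.
        (:username repo-map) repo-map
        ;; An entry in the GPG file for this exact url.
        (contains? creds url) (merge repo-map (get creds url))
        ;; Any other S3 repo: use the AWS_* variables if both are set.
        (s3-repo? url) (merge repo-map (env-creds))
        ;; Non-S3 repos are passed through untouched.
        :else repo-map))))
```

Keeping the plaintext map keyed by the full repository URL means several S3 wagons can share one encrypted file without any environment-variable juggling, and the precedence order makes a one-off override in build.boot possible without editing the file.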