
Using GPG-encrypted credentials (or specific environment variables) with boot-clj and s3-wagon-private

In the boot wiki ( https://github.com/boot-clj/boot/wiki/S3-Repositories ), it specifies that you can in-line AWS credentials for using S3 as a Maven repo. This is sub-optimal from a security perspective, because I don't want to check in AWS creds, even if they have limited permissions.

In leiningen with s3-wagon-private, you could specify the access key and secret key through environment variables with:

{:url "s3p://acme/repo/"
 :username :env
 :passphrase :env} 

Or, from specific env variables, with:

{:url "s3p://acme/repo/"
 :username :env/aws_access_key_id
 :passphrase :env/aws_secret_access_key}

Or with a GPG encrypted ~/.lein/credentials.clj.gpg file with:

{:url "s3p://acme/repo/"
 :creds :gpg}

The push task in boot seems to support GPG encrypted credentials for deploying to Clojars ( https://github.com/boot-clj/boot/wiki/Deploying-with-Boot ) in $BOOT_HOME/credentials.clj.gpg . So, in general, boot supports GPG, it would seem.

When I try either environment variable approach, I get the following error, suggesting this form of credentials is not supported:

java.lang.IllegalArgumentException: No matching ctor found for class org.sonatype.aether.repository.Authentication
                                                 ...
      cemerick.pomegranate.aether/set-authentication  aether.clj:  165
         cemerick.pomegranate.aether/make-repository  aether.clj:  185
cemerick.pomegranate.aether/resolve-dependencies*/fn  aether.clj:  712
...

The GPG approach seems to fail to pick up the credentials, and results in a 403 error from S3.

I could use (System/getenv "AWS_ACCESS_KEY_ID") to directly read in the env variables in the repository map I suppose, but I would rather use a supported mechanism if there is one. GPG-encrypted credentials would be the ideal solution for us if this can be achieved from both a security perspective as well as having multiple S3 Wagons set up without juggling environment variables.

I'm using the latest Boot (2.4.2) on OS X El Capitan. GPG can decrypt the credentials successfully on the command line, even in quiet mode ( gpg --quiet --batch --decrypt ~/.boot/credentials.clj.gpg works). Putting the credentials directly in the repository map does work, and the same credentials.clj.gpg file works from lein. I am new to Boot though, so it's possible I'm missing something obvious!

Please update to Boot-clj 2.5.0, which has greatly simplified gpg signing and encrypting. It now leverages the gpg binary, and picks up your setup without further configuration.

GPG-encrypted credentials and environment variables are supported via the built-in configure-repositories! facility. It accepts a function that will operate on the repositories map. You can do whatever you want in the body as long as you return a repositories map.

So, in your case, for GPG-encrypted credentials:

(import 'java.io.File) ; harmless if File is already imported in your profile

(configure-repositories!
  ;; credentials.gpg decrypts to an EDN map keyed by repository URL, e.g.
  ;; {"s3p://acme/repo/" {:username "..." :password "..."}}
  (let [creds-file (File. (boot.App/bootdir) "credentials.gpg")
        creds-data (gpg-decrypt creds-file :as :edn)]
    (fn [{:keys [url] :as repo-map}]
      ;; merge the credentials for this URL (nil for unknown URLs leaves repo-map unchanged)
      (merge repo-map (creds-data url)))))

And for environment variables:

(configure-repositories!
  (fn [{:keys [url] :as repo-map}]
    (->> (condp re-find url
           #"^https://example\.org/repo"
           {:username (get-sys-env "EXAMPLE_USER" :required)
            :password (get-sys-env "EXAMPLE_PASS" :required)}
           ;; catch-all clause: repositories without credentials are returned unchanged
           #".*" nil)
         (merge repo-map))))

A good place to put this is in your boot.profile.

More information on the wiki
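A complete profile that combines the two mechanisms from the answer (GPG-encrypted file first, environment variables as a fallback) for the s3p://acme/repo/ repository from the question. This is an added example for this page, not code from the answer, from the boot wiki or from the boot project. It assumes boot 2.5.0 or later (for configure-repositories!, gpg-decrypt and get-sys-env), a $BOOT_HOME/credentials.gpg file whose decrypted EDN is a map keyed by repository URL, and it takes the :passphrase key from the lein configuration in the question; the helper names gpg-creds and env-creds, the environment-variable names and the sample EDN layout are this example's own choices.

```clojure
;; ~/.boot/profile.boot  (added example; not from the original answer)
;; Assumes boot 2.5.0+, where boot.core provides configure-repositories!,
;; gpg-decrypt and get-sys-env (all referred into the boot.user namespace).
(import 'java.io.File)

;; Assumed layout of the decrypted credentials.gpg (EDN, keyed by repo URL):
;; {"s3p://acme/repo/" {:username "AKIA..." :passphrase "..."}}
;; The secret key goes under :passphrase because that is the key the lein
;; s3-wagon-private configuration in the question uses; :password is what
;; the answer's HTTPS example uses. Both are accepted by the Authentication
;; constructor that pomegranate builds from this map.
(def ^:private creds-file (File. (boot.App/bootdir) "credentials.gpg"))

(defn- gpg-creds
  "Decrypt the credentials file once at configure time. Returns {} when the
   file is absent so builds that only use public repositories still work."
  []
  (if (.exists creds-file)
    (gpg-decrypt creds-file :as :edn)
    {}))

(defn- env-creds
  "Fallback for the acme S3 repo: read the keys from the environment.
   get-sys-env with :required throws when a variable is unset, so a missing
   secret fails here instead of surfacing later as a 403 from S3."
  [url]
  (when (re-find #"^s3p://acme/" url)
    {:username   (get-sys-env "AWS_ACCESS_KEY_ID" :required)
     :passphrase (get-sys-env "AWS_SECRET_ACCESS_KEY" :required)}))

(configure-repositories!
  (let [creds (gpg-creds)]
    (fn [{:keys [url] :as repo-map}]
      ;; Prefer the GPG file; fall back to the environment; unknown repos
      ;; are returned unchanged. Only string values are ever merged in: the
      ;; "No matching ctor found for ... Authentication" error in the
      ;; question is what you get when a non-string such as the lein-style
      ;; keyword :env reaches pomegranate's set-authentication unresolved.
      (merge repo-map (or (get creds url) (env-creds url))))))
```

With this profile in place, the repository entry in build.boot carries only the :url, so no AWS material is committed; the decrypted map lives only in the running boot process, and credentials.gpg is readable only by holders of the GPG key. If S3 still answers 403, check that the URL used as the map key matches the repository :url exactly (trailing slash included), since the lookup is a plain map get.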
