Personal-files request for awspub

The awspub snap is a tool to publish images (usually local .vmdk files) to EC2. For that, access to the EC2 API is required, and the configuration/credentials needed for that access are stored under $HOME/.aws. That’s why awspub requires read access to that directory. The plug looks like:

dot-config-aws:
    interface: personal-files
    read:
    - $HOME/.aws

Hi @toabctl

Whilst access to dot directories not owned by the snapped application is not typically granted, it should not be surprising that an application with this name and functionality requires access to aws configuration/credentials. Thus I will be happy to support this request after renaming the interface to fit the convention we typically use in these requests (dot-aws) and vetting the publisher.

I updated the name:

plugs:
  dot-aws:
    interface: personal-files
    read:
    - $HOME/.aws

@jslarraz Anything else I need to do?

That’s all for now, you need to wait during the voting period for other reviewers' approval. If you get the required votes, a reviewer will contact you for the vetting and the auto-connection would be granted afterwards.

+1 for granting read access to $HOME/.aws via personal-files interface

Given the reasoning mentioned by @jslarraz, +1 from me as well for read access of dot-aws using personal-files.

@toabctl,

Since it seems awspub only needs access to config/credential files inside the directory, can you please limit the access to those files instead? So this should be:

Also, can you please:

  1. Clarify in the snap description this is not an official AWS snap but a Canonical one? This should help to prevent any issue with AWS and with snap users.
  2. Describe if possible how awspub is expected to be used/configured? I ask since this snap is not the clear owner of the $HOME/.aws, so in this case, the user's voice in allowing the auto-connection is preferable (i.e. I vote for only use but not auto-connect unless necessary).

Thanks!

It might also require access to ~/.aws/cli/cache and ~/.aws/sso/cache, depending on the features used for authentication. See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html.

Done in the description.

I added a link (website) to the docs and also mentioned in the description that this tool requires credentials from ~/.aws.

Do you think that’s good enough?

Hi, if the only other spots access is required for awspub are ~/.aws/cli/cache and ~/.aws/sso/cache, could the system-files be readjusted to:

plugs:
  dot-aws:
    interface: personal-files
    read:
    - $HOME/.aws/config
    - $HOME/.aws/credentials
    - $HOME/.aws/cli/cache
    - $HOME/.aws/sso/cache

Would this cover all access needed for awspub?

I looked now again and my previous statements were wrong. awspub uses boto3 so it requires access to:

$HOME/.aws/config
$HOME/.aws/credentials
$HOME/.aws/models

That should cover all. I adjusted the snap/snapcraft.yaml file now.

That looks good. I’ve just realised that the recommendation I gave should have actually separated the personal-files into 3 plugs. i.e:

plugs:
  dot-aws-config:
    interface: personal-files
    read:
    - $HOME/.aws/config
  dot-aws-credentials:
    interface: personal-files
    read:
    - $HOME/.aws/credentials
  dot-aws-models:
    interface: personal-files
    read:
    - $HOME/.aws/models

Your description update and website link seem fine so once this change occurs and is uploaded to the store, I will start publisher vetting given the +2 votes given prior in this thread.

I pushed a new revision (0+git.c9025c3) with the requested changes. Let me know what I need to do next.

Publisher is vetted. You will also have to update the app plugs with the new personal-files names as it is causing an error on the store. Should be:

apps:
  awspub:
    command: bin/awspub
    plugs:
    - home
    - network
    - dot-aws-config
    - dot-aws-credentials
    - dot-aws-models

Thanks!

Done. Anything else I need to do?

Should be complete and now live. Thanks!
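
The three changes reviewers asked for in this thread (specific files instead of all of $HOME/.aws, one personal-files plug per path, and app plug names that match the declared plugs) can be checked before upload. The following is an added example, not part of the thread and not snapcraft or store tooling; it assumes snapcraft.yaml has already been parsed into a mapping, and the function name, the `known_interfaces` parameter and the sample data are hypothetical.

```python
"""Lint the personal-files plugs of a parsed snapcraft.yaml (added example)."""

def lint_personal_files(snap, known_interfaces=frozenset({"home", "network"})):
    """Return sorted (subject, message) findings for a parsed snapcraft.yaml.

    known_interfaces is an assumption supplied by the caller: plug names an
    app may list without a top-level declaration because they name interfaces.
    """
    findings = []
    declared = snap.get("plugs") or {}
    for name, plug in declared.items():
        if plug.get("interface") != "personal-files":
            continue
        paths = list(plug.get("read") or []) + list(plug.get("write") or [])
        if len(paths) > 1:
            findings.append((name, "more than one path; use one plug per path"))
        for path in paths:
            parts = path.rstrip("/").split("/")
            # "$HOME/.aws" splits into ["$HOME", ".aws"]: a whole dot directory.
            if len(parts) == 2 and parts[0] == "$HOME" and parts[1].startswith("."):
                findings.append((name, f"{path} grants an entire dot directory"))
    for app, spec in (snap.get("apps") or {}).items():
        for plug in spec.get("plugs") or []:
            if plug not in declared and plug not in known_interfaces:
                findings.append((f"apps.{app}", f"plug {plug} is not declared"))
    return sorted(findings)

# Constructed sample data modelled on the snippets posted in the thread.
def _pf(*paths):
    return {"interface": "personal-files", "read": list(paths)}

SPLIT = {
    "dot-aws-config": _pf("$HOME/.aws/config"),
    "dot-aws-credentials": _pf("$HOME/.aws/credentials"),
    "dot-aws-models": _pf("$HOME/.aws/models"),
}
ORIGINAL = {"plugs": {"dot-aws": _pf("$HOME/.aws")},
            "apps": {"awspub": {"plugs": ["home", "network", "dot-aws"]}}}
STALE = {"plugs": SPLIT, "apps": {"awspub": {"plugs": ["home", "network", "dot-aws"]}}}
FINAL = {"plugs": SPLIT, "apps": {"awspub": {"plugs": ["home", "network", *SPLIT]}}}

if __name__ == "__main__":
    for label, snap in (("original", ORIGINAL), ("stale", STALE), ("final", FINAL)):
        print(label, lint_personal_files(snap))
```
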